* Tore Anderson

>  What issue is there that needs to be solved, exactly?

* Marc Haber

> A potentially dangerous security issue.

  The code path from accepting to closing a connection according to the
 cidr_deny/deny configuration statements is fairly short and obvious so
 I'm sceptical as to whether this is a real concern or merely an academic
 one.  If such a bug does exist, however, the issue would be critical
 regardless of the default configuration, as it could still be exploited
 by a user capable of connecting to 127.0.0.1, and in very many setups
 the node would be reconfigured to listen on all interfaces anyway
 (after all, it's what it's made for).

  I also note that packages such as Apache and others appear to employ
 a similar strategy as munin-node - listen on all interfaces, but
 restrict access to potentially sensitive data or functionality by way
 of application-specific access control lists.

  Listening on all interfaces was recently made the documented default
 (see <http://munin.projects.linpro.no/changeset/1186>), too.  It's of
 course possible to change this (at least in the development trunk), so
 I'll have a talk to Nicolai and point him to this bug log, and let him
 decide if the default should be changed or not - I'll respect his
 choice, and consider merging any eventual change in trunk to the 1.2.x
 branch.

  (Oh and by the way, I fully agree that not having the loopback
 interface available inside a vserver sucks...)

Regards
-- 
Tore Anderson


