Re: avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)

2011-02-24 Thread Yves-Alexis Perez
On Thu, 2011-02-24 at 15:31 +, Julien Reveret wrote: > [snip] > > It seems that mandriva already released an update for avahi : > > http://lists.grok.org.uk/pipermail/full-disclosure/2011-February/079525.html > > I guess you're facing the same issue. 0.6.28-4 has been accepted to unstable

Re: avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)

2011-02-24 Thread Julien Reveret
> Package: avahi-daemon > Version: 0.6.27-2 > Tags: security > Severity: critical > Justification: Introduces possible denial-of-service scenario. > > Hi, > > when I scan my server from another machine on the network using nmap, I > get this: [snip] It seems that mandriva already released an upda

Re: avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)

2011-02-23 Thread Yann Castells
I can confirm this. On 23.02.2011 at 13:36 Alexander Kurtz wrote: > Package: avahi-daemon > Version: 0.6.27-2 > Tags: security > Severity: critical > Justification: Introduces possible denial-of-service scenario. > > Hi, > > when I scan my server from another machine on the network using nmap

Re: Internal trusted networks? (was Re: avahi-daemon)

2006-03-04 Thread Javier Fernández-Sanguino Peña
On Sat, Mar 04, 2006 at 10:12:56AM +0100, Loïc Minier wrote: > But you're still way more secure while sitting behind a NAT with > responsible coworkers than connected to the Internet directly, without > any firewall, and that's where desktops sit most of the time. Well, a NATed gateway is not t

Re: avahi-daemon

2006-03-04 Thread Javier Fernández-Sanguino Peña
On Sat, Mar 04, 2006 at 01:41:14PM -0500, Joey Hess wrote: > > - a default GNOME install should *not* install a network service, even if > > that > > enabled new features to the users. Consequently, if rhythmbox is part of > > the GNOME task, it should not pull in avahi-daemon automatically >

Re: avahi-daemon

2006-03-04 Thread Javier Fernández-Sanguino Peña
On Sat, Mar 04, 2006 at 11:32:20AM +0100, Loïc Minier wrote: > On Sat, Mar 04, 2006, Javier Fernández-Sanguino Peña wrote: > > Rhythmbox is a very easy to use music playing and management program > > which supports a wide range of audio formats (including mp3 and ogg). > > The current version al

Re: avahi-daemon

2006-03-04 Thread Javier Fernández-Sanguino Peña
On Sat, Mar 04, 2006 at 01:26:24PM -0500, Joey Hess wrote: > If avahi is not running, rhythmbox prints this to std(something) on > startup and/or when you enable sharing in its prefs: Notice that *most* users will not see this as they will start up rhythmbox from a GNOME application menu and not t

Re: avahi-daemon

2006-03-04 Thread Joey Hess
Loïc Minier wrote: > I completely agree there are a number of broken recommends, but > shouldn't we fix these? Yes, it's painful. :( I'd prefer not to break new installations in order to find them. This thread shows that pulling in recommends by default in aptitude is enough to expose problima

Re: avahi-daemon

2006-03-04 Thread Loïc Minier
On Sat, Mar 04, 2006, Joey Hess wrote: > If you mean a bug, no, I go out of my way to not install recommends, > because Debian is still rife with long and useless recommends chains. I completely agree there are a number of broken recommends, but shouldn't we fix these? Yes, it's painful. :( -

Re: avahi-daemon

2006-03-04 Thread Joey Hess
Javier Fernández-Sanguino Peña wrote: > - rhythmbox does not mention music sharing *at*all* in the package > description. Even the GUI doesn't mention this (when starting it up > for the first time) nor the documentation (in its 'Introduction') Rhythmbox doesn't go broadcasting files over the

Re: avahi-daemon

2006-03-04 Thread Joey Hess
Philipp A. Hartmann wrote: > But still it's only a Recommends. Therefore, rhythmbox needs to handle > the absence of avahi-daemon gracefully, since you cannot rely on its > installation. For sake of plug-and-play and comfort, this might be even > done in some kind of GUI message, which tells the u

Re: avahi-daemon

2006-03-04 Thread Joey Hess
Loïc Minier wrote: > On Fri, Mar 03, 2006, Joey Hess wrote: > > Standard Desktop task installs do not install Recommends anyway, so > > rhythmbox does not pull in avahi-daemon in those situations and you need > > to deal with that somehow. > > It's a bug in task installation then. If you mean a

Re: avahi-daemon

2006-03-04 Thread Michael Stone
On Sat, Mar 04, 2006 at 11:16:08AM +0100, Loïc Minier wrote: I must add people on this list are obviously biased towards security. I guess you can stake out the ground of "biased against security", but that's kind of a bad place to be for a software distributor in the 21st century. -- Micha

Re: avahi-daemon

2006-03-04 Thread Michael Stone
On Sat, Mar 04, 2006 at 10:26:31AM +0100, Loïc Minier wrote: My point of view is that installing the application gets them the functionalities they'd expect to find in the default setup. And I agreed that perhaps the rhythmbox community would expect that, which is why I reconsidered and asked

Re: avahi-daemon

2006-03-04 Thread Loïc Minier
On Sat, Mar 04, 2006, Javier Fernández-Sanguino Peña wrote: > Rhythmbox is a very easy to use music playing and management program > which supports a wide range of audio formats (including mp3 and ogg). > The current version also supports Internet Radio, iPod integration, > Audio CD burning, an

Re: avahi-daemon

2006-03-04 Thread Javier Fernández-Sanguino Peña
On Sat, Mar 04, 2006 at 11:07:25AM +0100, Loïc Minier wrote: > I'm doing my final pass on the deb-sec part of this discussion, I don't > intend to participate much further, no new arguments are popping up. Quite sincerely, this discussion is getting nowhere. There are sufficient arguments in thi

Re: avahi-daemon

2006-03-04 Thread Loïc Minier
Hi, On Sat, Mar 04, 2006, Philipp A. Hartmann wrote: > Well, since the gnome meta-package is part of the gnome task, which I > consider a common default to setup a desktop machine, it gets pulled in > in an environment where Recommends are installed automatically. Yup, so the GNOME task

Re: avahi-daemon

2006-03-04 Thread Javier Fernández-Sanguino Peña
On Sat, Mar 04, 2006 at 09:51:31AM +0100, Loïc Minier wrote: > On Fri, Mar 03, 2006, Joey Hess wrote: > > Standard Desktop task installs do not install Recommends anyway, so > > rhythmbox does not pull in avahi-daemon in those situations and you need > > to deal with that somehow. > > It's a bug

Re: avahi-daemon

2006-03-04 Thread Javier Fernández-Sanguino Peña
On Sat, Mar 04, 2006 at 10:31:02AM +0100, Loïc Minier wrote: > > And for the same thing, why would a typical desktop machine provide users > > to share even files! My desktop system at home (and my parent's and my > > uncle's and whatnot) are completely stand-alone desktop systems, connected > > t

Re: avahi-daemon

2006-03-04 Thread Loïc Minier
On Fri, Mar 03, 2006, Javier Fernández-Sanguino Peña wrote: > (IMHO this discussion is reaching to a point in which it should move to > d-devel instead, but I'll keep it here) Uh, please don't move it there, in the contrary, this discussion already reached flame-level, and no arguments are coming

Re: avahi-daemon

2006-03-04 Thread Philipp A. Hartmann
Hi, On Sat, 2006-03-04 at 10:26 +0100, Loïc Minier wrote: > Concerning your dependencies remarks, I think I've answered to them > enough already: this is a Recommends, nothing pulls in rhythmbox from > a standard install up to a gnome-desktop-environment install, I > proposed dependencies wor

Re: avahi-daemon

2006-03-04 Thread Loïc Minier
On Fri, Mar 03, 2006, Javier Fernández-Sanguino Peña wrote: > On Fri, Mar 03, 2006 at 02:36:38PM +0100, Loïc Minier wrote: > > This is a desktop machine, it should permit sharing of files on your > > local network. DNS servers have their port 53 open to respond to name > > resolution queries, j

Re: avahi-daemon

2006-03-04 Thread Loïc Minier
On Fri, Mar 03, 2006, Michael Stone wrote: > On Fri, Mar 03, 2006 at 02:36:38PM +0100, Loïc Minier wrote: > >Do you have any other solution permitting the same functionalities, but > >without the listening port? > No. If someone wants that functionality then that's how they need to get > it. The

Re: Internal trusted networks? (was Re: avahi-daemon)

2006-03-04 Thread Loïc Minier
Hi, On Sat, Mar 04, 2006, Javier Fernández-Sanguino Peña wrote: > > I thought security people would recommend having a per-port ACL for > > allowed traffic, and port visibility set to limit the view to only the > > router when not otherwise required. > I don't think you have seen many co

Re: avahi-daemon

2006-03-04 Thread Loïc Minier
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote: > On Fri, 03 Mar 2006, Loïc Minier wrote: > > On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote: > > > True. But that requires a broken kernel, which we patch regularly as a > > > security procedure anyway. Mounting removable filesyst

Re: avahi-daemon

2006-03-04 Thread Loïc Minier
On Fri, Mar 03, 2006, Joey Hess wrote: > Standard Desktop task installs do not install Recommends anyway, so > rhythmbox does not pull in avahi-daemon in those situations and you need > to deal with that somehow. It's a bug in task installation then. -- Loïc Minier <[EMAIL PROTECTED]>

Internal trusted networks? (was Re: avahi-daemon)

2006-03-03 Thread Javier Fernández-Sanguino Peña
On Fri, Mar 03, 2006 at 06:47:34PM +0100, Loïc Minier wrote: > Hi, > > On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote: > > Inside the network? Most managed networks have filtering at the borders, at > > key router nodes, and if it has a more advanced distributed-firewall > > ment

Re: avahi-daemon

2006-03-03 Thread Joey Hess
Loïc Minier wrote: > It would be overly complicated to handle the case of a Suggests instead > of a Recommends correctly: even if the code was updated to handle both > cases at run time, and would hide the relevant options when these are > not available, the documentation would still point at u

Re: avahi-daemon

2006-03-03 Thread Henrique de Moraes Holschuh
On Fri, 03 Mar 2006, Loïc Minier wrote: > proposed multiple options in other posts, all of them ignored. People > *not* trying for a middle-ground solution are those claiming an open > port by default is unacceptable, no matter what. You will notice I didn't propose you disable open ports by d

Re: avahi-daemon

2006-03-03 Thread Henrique de Moraes Holschuh
On Fri, 03 Mar 2006, Loïc Minier wrote: > On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote: > > > Well, no: that's the opposite of plug'n'play. See, if your USB stick > > > contains a malicious vfat file system, it gets automatically mounted > > > nevertheless. It's a feature. > > Not

Re: avahi-daemon

2006-03-03 Thread Henrique de Moraes Holschuh
On Fri, 03 Mar 2006, Loïc Minier wrote: > On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote: > > True. But that requires a broken kernel, which we patch regularly as a > > security procedure anyway. Mounting removable filesystems suid,dev allows a > > lot more damage *by design* in the stand

Re: avahi-daemon

2006-03-03 Thread Loïc Minier
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote: > True. But that requires a broken kernel, which we patch regularly as a > security procedure anyway. Mounting removable filesystems suid,dev allows a > lot more damage *by design* in the standard Linux security-model. And we also support

Re: avahi-daemon

2006-03-03 Thread Loïc Minier
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote: > > Well, no: that's the opposite of plug'n'play. See, if your USB stick > > contains a malicious vfat file system, it gets automatically mounted > > nevertheless. It's a feature. > Not in my servers, it doesn't. And I should add, not

Re: avahi-daemon

2006-03-03 Thread Loïc Minier
Hi, On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote: > On Fri, 03 Mar 2006, Loïc Minier wrote: > > If music sharing is a questionable feature to you, you don't need to > > discuss this further, you're obviously the security guy, talking in > > debian-security@ of stuff he doesn'

Re: avahi-daemon

2006-03-03 Thread Javier Fernández-Sanguino Peña
(IMHO this discussion is reaching to a point in which it should move to d-devel instead, but I'll keep it here) On Thu, Mar 02, 2006 at 09:06:27PM +0100, Loïc Minier wrote: > On Thu, Feb 23, 2006, Javier Fernández-Sanguino Peña wrote: > > IMHO the problem here is having a music program (as rhythmbo

Re: avahi-daemon

2006-03-03 Thread Javier Fernández-Sanguino Peña
On Fri, Mar 03, 2006 at 02:36:38PM +0100, Loïc Minier wrote: > This is a desktop machine, it should permit sharing of files on your > local network. DNS servers have their port 53 open to respond to name > resolution queries, just consider your desktop installation to be a > name server respon

Re: avahi-daemon

2006-03-03 Thread Henrique de Moraes Holschuh
On Fri, 03 Mar 2006, Loïc Minier wrote: > If music sharing is a questionable feature to you, you don't need to > discuss this further, you're obviously the security guy, talking in > debian-security@ of stuff he doesn't want to support security-wise, and You are *not allowed* to support securit

automounting (was Re: avahi-daemon)

2006-03-03 Thread Michael Stone
On Fri, Mar 03, 2006 at 11:20:56AM -0300, Henrique de Moraes Holschuh wrote: So, I repeat my question: should we hunt down and file bugs (grave or worse) on packages automounting removable media without nosuid, nodev ? Here's what I'd suggest: Write a policy that covers best practices and see h

Re: avahi-daemon

2006-03-03 Thread Henrique de Moraes Holschuh
On Fri, 03 Mar 2006, Michael Stone wrote: > On Fri, Mar 03, 2006 at 10:47:56AM -0300, Henrique de Moraes Holschuh wrote: > >Mounting malicious filesystems automatically (vfat can't be one AFAIK, but > >it won't bork if you tell it to be nosuid, nodev either) is never a > >feature, > >it is a secur

Re: avahi-daemon

2006-03-03 Thread Michael Stone
On Fri, Mar 03, 2006 at 10:47:56AM -0300, Henrique de Moraes Holschuh wrote: Not in my servers, it doesn't. And I should add, not even in my desktops: all removable filesystems are mounted nodev, nosuid. Mounting malicious filesystems automatically (vfat can't be one AFAIK, but it won't bork if
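Michael Stone's question a few messages up (should packages that automount removable media without nosuid, nodev get bugs filed?) and Henrique's "all removable filesystems are mounted nodev, nosuid" both come down to a check you can script. The script below is an added example written for this page, not code from the thread or from any Debian package. It reads /proc/mounts-style lines (device, mountpoint, fstype, options, dump, pass), and it assumes the automounter places removable media under /media/; the sample mount table is constructed. On a vfat stick nosuid/nodev cost nothing, since FAT carries no setuid bits or device nodes anyway (Henrique's point), but an ext2 stick without them is a different matter, which is why the sample includes one.

```shell
#!/bin/sh
# Added example (not from the thread): flag removable-media mounts that lack
# nosuid or nodev. Input is /proc/mounts-style lines on stdin:
#   device mountpoint fstype options dump pass
# The sample is constructed for this example; on a live host you would run:
#   unsafe_removable_mounts < /proc/mounts
# Assumption: the automounter puts removable media under /media/ (override
# by passing another prefix as the first argument).

SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/usb0 vfat rw,nosuid,nodev,uid=1000,gid=1000 0 0
/dev/sdc1 /media/disk ext2 rw 0 0
/dev/sr0 /media/cdrom0 iso9660 ro,nosuid,nodev 0 0
/dev/sdd1 /media/KINGSTON vfat rw,nodev,shortname=mixed 0 0'

# Print "mountpoint fstype missing: <options>" for every mount under the
# prefix that lacks nosuid and/or nodev. Options are compared as whole
# tokens, so a hypothetical "nodevice" option is not mistaken for "nodev".
unsafe_removable_mounts() {
    prefix="${1:-/media/}"
    awk -v prefix="$prefix" '
    NF >= 4 && index($2, prefix) == 1 {
        n = split($4, opts, ",")
        has_nosuid = 0; has_nodev = 0
        for (i = 1; i <= n; i++) {
            if (opts[i] == "nosuid") has_nosuid = 1
            if (opts[i] == "nodev")  has_nodev = 1
        }
        missing = ""
        if (!has_nosuid) missing = missing " nosuid"
        if (!has_nodev)  missing = missing " nodev"
        if (missing != "") print $2, $3, "missing:" missing
    }'
}

# Number of offending mounts; zero means every removable mount is hardened.
count_unsafe_removable_mounts() {
    unsafe_removable_mounts "$@" | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_MOUNTS" | unsafe_removable_mounts
```

Fed the sample above, the check reports /media/disk (ext2, missing both options) and /media/KINGSTON (vfat, missing nosuid) and stays silent about the root filesystem, the properly mounted stick and the CD. Spaces in mount points appear in /proc/mounts as \040, so the column split is unaffected by them.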

Re: avahi-daemon

2006-03-03 Thread Michael Stone
On Fri, Mar 03, 2006 at 02:45:28PM +0100, Loïc Minier wrote: Indeed, but it's even worse! avahi-daemon recommends libnss-mdns which recommends zeroconf. However, both Recommends are bogus. There's a bug against the second one, and I talked a little with Sjoerd on the first one, and it seems it'

Re: avahi-daemon

2006-03-03 Thread Michael Stone
On Fri, Mar 03, 2006 at 02:36:38PM +0100, Loïc Minier wrote: Do you have any other solution permitting the same functionalities, but without the listening port? No. If someone wants that functionality then that's how they need to get it. The question has always been about what level of effor

Re: avahi-daemon

2006-03-03 Thread Henrique de Moraes Holschuh
On Fri, 03 Mar 2006, Loïc Minier wrote: > This is a desktop machine, it should permit sharing of files on your > local network. DNS servers have their port 53 open to respond to name On what planet do you live? Desktop machines are plugged to extremely hostile networks all the time (think cabl

Re: avahi-daemon

2006-03-03 Thread Loïc Minier
Hi there, For people on the list interested in the discussion, Michael Stone has filed #355064, where the "discussion" went on. Bye, -- Loïc Minier <[EMAIL PROTECTED]> Current Earth status: NOT DESTROYED

Re: avahi-daemon

2006-03-03 Thread Loïc Minier
(This reply was started some days ago, but I thought it might be best to wait a little before responding to you. Besides, I took some time to document myself on some of the issues you mentioned.) Hi, On Wed, Feb 22, 2006, Michael Stone wrote: > >(nss-mdns does mdns too, but it's no

Re: avahi-daemon

2006-03-03 Thread Loïc Minier
Hi, On Fri, Mar 03, 2006, aliban wrote: > Can you please count the open ports on your system? Are there still > telnet, timeserver, sunrpc ... waiting for connections? On my system? nmap reports: 53/tcp open domain Some netstat digging shows: tcp 0 0 0.0.0.0:53
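The question above ("count the open ports on your system") and the nmap/netstat answer are really one check: which sockets on the box accept traffic from beyond loopback. The script below is an added example for this page, not code from the thread or from the avahi or rhythmbox packages. It reads socket lines in the column layout printed by `ss -H -lntu` from iproute2 (assumed to be available on the host; the netstat output quoted above puts the local address in a different column), and it tags port 5353, the mDNS port avahi-daemon binds. The sample socket table is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list listening sockets bound to
# something other than a loopback address, i.e. reachable from the LAN.
#
# Input: one socket per line on stdin in the column layout of `ss -H -lntu`:
#   Netid State Recv-Q Send-Q Local_Address:Port Peer_Address:Port
# The sample below is constructed for this example; on a live host:
#   ss -H -lntu | non_loopback_listeners

SAMPLE_SS_OUTPUT='udp   UNCONN 0 0      0.0.0.0:5353        0.0.0.0:*
udp   UNCONN 0 0      127.0.0.1:53        0.0.0.0:*
tcp   LISTEN 0 128    127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0 128    [::1]:25            [::]:*
udp   UNCONN 0 0      [::]:5353           [::]:*
tcp   LISTEN 0 128    192.168.1.10:3689   0.0.0.0:*'

# Print "proto host port [tag]" for every socket whose local address is not
# 127.x.x.x or ::1. 0.0.0.0 and :: mean "every interface". Port 5353 is
# tagged because that is the mDNS port avahi-daemon listens on.
non_loopback_listeners() {
    awk '
    NF >= 5 {
        proto = $1
        local = $5
        # Split on the LAST colon so bracketed IPv6 addresses keep theirs.
        n = split(local, parts, ":")
        port = parts[n]
        host = substr(local, 1, length(local) - length(port) - 1)
        gsub(/\[/, "", host)
        gsub(/]/, "", host)
        if (host ~ /^127\./ || host == "::1") next
        tag = ""
        if (port == "5353") tag = " (mDNS)"
        print proto, host, port tag
    }'
}

# Number of non-loopback listeners in the input; zero is the quiet box
# the security side of this thread is asking for.
count_non_loopback_listeners() {
    non_loopback_listeners | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | non_loopback_listeners
```

On the sample this reports four sockets (sshd on 22, a service on 192.168.1.10:3689, and mDNS on 5353 over both IPv4 and IPv6) and drops the three loopback-only ones, which is the distinction the thread keeps coming back to: a port bound to 127.0.0.1 is not what the "no listening ports by default" side objects to.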

Re: avahi-daemon

2006-03-03 Thread aliban
Hello, >>Maintainers remember: it's much better to *not* install/activate a network >>service than to have a service, even if it's chrooted, or running under lower >>privileges (like the avahi maintainers describe in >>https://wiki.ubuntu.com/MainInclusionReportAvahi) which, BTW, is not that >>co

Re: avahi-daemon

2006-03-02 Thread Loïc Minier
Hi, On Thu, Feb 23, 2006, Javier Fernández-Sanguino Peña wrote: > IMHO the problem here is having a music program (as rhythmbox) Recommends: > avahi-daemon, when IMHO it should be Suggests: . The functionality > provided by avahi-daemon (a network service for sharing music) is not > somet

Re: avahi-daemon

2006-02-23 Thread Rick Moen
Quoting Javier Fernández-Sanguino Peña ([EMAIL PROTECTED]): > You are confusing worms, Blaster exploited the DCOM RPC vulnerability > (CAN-2003-0352). The one that exploited CAN-2002-0649 and > CAN-2002-1145 in both SQL Server and MSDE was SQLExp / Slammer. True. Thank you, and apologies for my

Re: avahi-daemon

2006-02-23 Thread Javier Fernández-Sanguino Peña
On Thu, Feb 23, 2006 at 12:47:44PM +0100, aliban wrote: > > > I am sorry, but I am quite new to linux and debian at all and you may excuse > my question: > > why is there no rule to "prompt the user" for all applications that open > ports on non-localhost? The default policy is a compromise between

Re: avahi-daemon

2006-02-23 Thread aliban
Javier Fernández-Sanguino Peña wrote: >If I were you (aliban) I would bug rhythmbox. It seems that Bug #349478 got >it to reduce the Depends: on that daemon to a Recommends:, I think it would >be better to have that as Suggests: >Disclaimer: I don't know much about rhythmbox and the relationship

Re: avahi-daemon

2006-02-23 Thread Michael Stone
On Thu, Feb 23, 2006 at 12:04:50PM +0100, Javier Fernández-Sanguino Peña wrote: The former worm targeted a critical OS service, the latter a database service. Neither of which were actually useful if bound to loopback, BTW. Actually, they were. A lot of the embedded DB servers were only used by

Re: avahi-daemon

2006-02-23 Thread Javier Fernández-Sanguino Peña
On Wed, Feb 22, 2006 at 08:59:40AM -0800, Rick Moen wrote: > Quoting aliban ([EMAIL PROTECTED]): > > > MS Blaster infected many million systems within seconds... > > Relying on the vulnerable MSDE embedded SQL database engine being > embedded into a large number of consumer software products, and

Re: avahi-daemon

2006-02-22 Thread Michael Stone
On Wed, Feb 22, 2006 at 04:57:26PM +0100, Loïc Minier wrote: On Wed, Feb 22, 2006, Michael Stone wrote: >From a pragmatic standpoint, pulling in nss-mdns is a PITA because it makes certain name queries take forever--so there are reasons aside from security to think this is annoying. (nss-mdns

Re: avahi-daemon

2006-02-22 Thread Henrique de Moraes Holschuh
On Wed, 22 Feb 2006, aliban wrote: > On debian testing the rhythmbox suggested to install the avahi-daemon that > listens on all interfaces by default. That's on par with the avahi-daemon's idea of how things should happen, and it makes sense. Not that I'd want that active in my LAN anyway. If

Re: avahi-daemon

2006-02-22 Thread Rick Moen
Quoting aliban ([EMAIL PROTECTED]): > MS Blaster infected many million systems within seconds... Relying on the vulnerable MSDE embedded SQL database engine being embedded into a large number of consumer software products, and irresponsibly left bound to all network ports, not just loopback. Don'

Re: avahi-daemon

2006-02-22 Thread aliban
Loïc Minier wrote: >>On Wed, Feb 22, 2006, aliban wrote: >> >> > > In this case you are doing the same mistakes Microsoft did with Windows all the time: default installation comes with a 'strange' service (that nobody needs, therefore nobody knows) sitting some

Re: avahi-daemon

2006-02-22 Thread aliban
Loïc Minier wrote: >>Hi, >> >>On Wed, Feb 22, 2006, aliban wrote: >> >> > > as the package maintainer seems to ignore my complaint I forward the discussion to debian-user mailing list. >> >> >> >> I am the package maintainer of Rhythmbox, am I the package m

Re: avahi-daemon

2006-02-22 Thread Loïc Minier
On Wed, Feb 22, 2006, Michael Stone wrote: > >From a pragmatic standpoint, pulling in nss-mdns is a PITA because it > makes certain name queries take forever--so there are reasons aside from > security to think this is annoying. (nss-mdns does mdns too, but it's not related to avahi) > Securit

Re: avahi-daemon

2006-02-22 Thread Michael Stone
On Wed, Feb 22, 2006 at 03:23:42PM +0100, Loïc Minier wrote: If you do install a GNOME desktop environment, expect to have a web browser which might run malicious code, games which might be sgid games, and tons of stuff which might be opening more doors than you like. First, there's a differenc

Re: avahi-daemon

2006-02-22 Thread Loïc Minier
On Wed, Feb 22, 2006, aliban wrote: > In this case you are doing the same mistakes Microsoft did with Windows > all the time: Please, no generalities. > default installation comes with a 'strange' service (that nobody needs, > therefore nobody knows) sitting somewhere around and listening on ALL

Re: avahi-daemon

2006-02-22 Thread Loïc Minier
Hi, On Wed, Feb 22, 2006, aliban wrote: > as the package maintainer seems to ignore my complaint I forward the > discussion to debian-user mailing list. I am the package maintainer of Rhythmbox, am I the package maintainer you refer to? Or did you mean the avahi-daemon package manager?

Re: avahi-daemon

2006-02-22 Thread aliban
I don't think so. Are you god? Even if the administrator makes mistakes and does not check what gets installed the system should be designed safe. In this case you are doing the same mistakes Microsoft did with Windows all the time: default installation comes with a 'strange' service (that nobod

Re: avahi-daemon

2006-02-22 Thread Daniel Givens
The package maintainer has a point that an mDNS daemon would be pretty pointless if it only bound to lo. I think it is more the responsibility of the administrator to know what is going on his system. If you are so worried about security, then why not check out those NINE new Avahi packages when ap