2014-11-30 09:00:51 +0100, Marco d'Itri:
> On Nov 29, Stephane Chazelas <stephane.chaze...@gmail.com> wrote:
>
> > Yes, but I don't think RFC conformance is good enough a reason
> > to not fix a vulnerability.
> Everybody has known this for years.
> UDP small services should never be enabled, that's all.
[...]

Thanks Marco,

would you guys accept a patch that adds that (or something along
those lines) to the documentation?

Maybe something like:

"With the exception of "discard", please note that the protocols
implemented by the internal UDP services (chargen, time, daytime,
echo) have serious security flaws and those services should not
be enabled on production systems or exposed to untrusted
networks."

Cheers,
Stephane