Your message dated Tue, 21 Feb 2006 00:39:13 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#353787: avahi-daemon: Automatically installed and
listening on all interfaces.
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: avahi-daemon
Version: 0.6.6-1
Severity: normal
I don't know why this pkg was installed in my testing. For sure I did not
install it directly, maybe it was some strange dependency from something?
Anyway, this thing listens on all interfaces by default. I think this design is
insecure. It should bind to localhost only (ok, this might not make
sense for such a service) OR it should ask the user for the interfaces it binds
to.
Please change the installer's behaviour.
Thank you.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-k7
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
--- End Message ---
--- Begin Message ---
On Mon, Feb 20, 2006 at 11:22:29PM +0100, Aliban wrote:
> Package: avahi-daemon
> Version: 0.6.6-1
> Severity: normal
>
> I don't know why this pkg was installed in my testing. For sure I did not
> install it directly, maybe it was some strange dependency from something?
No strange dependencies. You probably got it because rhythmbox recommends it.
> Anyway, this thing listens on all interfaces by default. I think this design
> is insecure. It should bind to localhost only (ok, this might not make sense
> for such a service) OR it should ask the user for the interfaces it binds to.
Uhm, yeah, well, an mDNS daemon that only listens on lo is completely useless.
If you had looked a little bit further you might have seen that the daemon
runs as an unprivileged user; version 0.6.6-2 of the package even runs in a
minimal chroot environment, so it's actually quite secure by design.
> Please change the installer's behaviour.
If you don't want it, purge it from your system. Afaik everything that doesn't
directly need it only recommends it. Closing this bug.
Sjoerd
--
We gave you an atomic bomb, what do you want, mermaids?
-- I. I. Rabi to the Atomic Energy Commission
--- End Message ---