Your message dated Tue, 16 May 2023 23:22:31 +0200
with message-id <[email protected]>
and subject line This is a bug for an ancient version of NBD
has caused the Debian Bug report #731626,
regarding fix for CVE-2013-6410 confuses authfile parser for single IP
authorizations
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
731626: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731626
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nbd-server
Version: 1:3.2-4~deb7u4
Severity: important
Dear nbd maintainer
Since the latest security update my clients cannot connect to the nbd-
server.
-----------/etc/nbd-server/config---------
[generic]
[backup]
exportname = /dev/winuserfs_vg1/storebackup
authfile = /etc/nbd-server/allow
-----------
-----------/etc/nbd-server/allow---------
130.149.125.113
---------------------------------------------------
On the client:
$ nbd-client -N backup winuserfs /dev/nbd0
Negotiation: ..size = 13216954585799MB
bs=1024, sz=13858981371759755264 bytes
On the server gives the following entry in the log.
Dec 7 16:42:50 winuserfs nbd_server[4359]: connect from
130.149.125.113, assigned file is /dev/winuserfs_vg1/storebackup
Dec 7 16:42:50 winuserfs nbd_server[4359]: Unauthorized client
-------------------------------------------------------------------------
Same in the oldstype case:
-----------/etc/nbd-server/config---------
[generic]
oldstyle = true
[backup]
exportname = /dev/winuserfs_vg1/storebackup
port = 20000
authfile = /etc/nbd-server/allow
-----------
-----------/etc/nbd-server/allow---------
130.149.125.113
---------------------------------------------------
On the Client:
$ nbd-client winuserfs 20000 /dev/nbd0; mount -t ext4 /dev/nbd0
/mnt/winuserfs_backup
Negotiation: Error: Server closed connection
Exiting.
On the server gives the following entry in the log:
Dec 7 16:47:18 winuserfs nbd_server[4424]: connect from
130.149.125.113, assigned file is /dev/winuserfs_vg1/storebackup
Dec 7 16:47:18 winuserfs nbd_server[4424]: Unauthorized client
If I start the server without /etc/nbd-server/allow connection works.
Dec 7 16:54:29 winuserfs nbd_server[4516]: connect from
130.149.125.113, assigned file is /dev/winuserfs_vg1/storebackup
Dec 7 16:54:29 winuserfs nbd_server[4516]: Can't open authorization
file /etc/nbd-server/allow (No such file or directory).
Dec 7 16:54:29 winuserfs nbd_server[4516]: Authorized client
Dec 7 16:54:29 winuserfs nbd_server[4519]: Starting to serve
Dec 7 16:54:29 winuserfs nbd_server[4519]: Size of exported
file/device is 114890375168
Downgrading to 1:3.2-4~deb7u3 also solves the issue
In the Oldstyle case the log gives:
Dec 7 17:04:30 winuserfs nbd_server[5038]: connect from
130.149.125.113, assigned file is /dev/winuserfs_vg1/storebackup
Dec 7 17:04:30 winuserfs nbd_server[5038]: Authorized client
Dec 7 17:04:30 winuserfs nbd_server[5043]: Starting to serve
Dec 7 17:04:30 winuserfs nbd_server[5043]: Size of exported
file/device is 114890375168
-- System Information:
Debian Release: 7.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.ISO-8859-15, LC_CTYPE=en_US.ISO-8859-15
(charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/dash
Versions of packages nbd-server depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.49
ii libc6 2.13-38
ii libglib2.0-0 2.33.12+really2.32.4-5
ii ucf 3.0025+nmu3
nbd-server recommends no packages.
nbd-server suggests no packages.
-- debconf information:
nbd-server/convert: true
nbd-server/useports: false
nbd-server/autogen:
nbd-server/name:
nbd-server/filename:
nbd-server/number: 0
nbd-server/port:
--
PGP ID 65C92061
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
--- Begin Message ---
Package: nbd-server
Version: 1:3.19-3+deb10u1
This bug was filed against the version of NBD that was found in Debian
Wheezy. The problem only occurred because of a CVE update for stable,
and never existed in unstable; since the problem was minor, and only
existed in an optional feature, no update to resolve the issue was ever
made.
Debian Wheezy has long since been declared EOL, and the affected version
has died with it. Therefore, closing this bug report.
Thanks for your interest in Debian.
--
w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}
I will have a Tin-Actinium-Potassium mixture, thanks.
--- End Message ---