Package: avahi-daemon
Version: 0.6.27-2
Tags: security
Severity: critical
Justification: Introduces possible denial-of-service scenario.
Hi,
when I scan my server from another machine on the network using nmap, I
get this:
[snip]
It seems that mandriva already released an update
On Thu, 2011-02-24 at 15:31 +, Julien Reveret wrote:
[snip]
It seems that mandriva already released an update for avahi :
http://lists.grok.org.uk/pipermail/full-disclosure/2011-February/079525.html
I guess you're facing the same issue.
0.6.28-4 has been accepted to unstable
Package: avahi-daemon
Version: 0.6.27-2
Tags: security
Severity: critical
Justification: Introduces possible denial-of-service scenario.
Hi,
when I scan my server from another machine on the network using nmap, I
get this:
# nmap -sU -p5353 192.168.2.2
Starting Nmap 5.00 ( http
On Fri, Mar 03, 2006, Joey Hess wrote:
Standard Desktop task installs do not install Recommends anyway, so
rhythmbox does not pull in avahi-daemon in those situations and you need
to deal with that somehow.
It's a bug in task installation then.
--
Loïc Minier [EMAIL PROTECTED
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
On Fri, 03 Mar 2006, Loïc Minier wrote:
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
True. But that requires a broken kernel, which we patch regularly as a
security procedure anyway. Mounting removable filesystems
Hi,
On Sat, Mar 04, 2006, Javier Fernández-Sanguino Peña wrote:
I thought security people would recommend having a per-port ACL for
allowed traffic, and port visibility set to limit the view to only the
router when not otherwise required.
I don't think you have seen many
On Fri, Mar 03, 2006, Michael Stone wrote:
On Fri, Mar 03, 2006 at 02:36:38PM +0100, Loïc Minier wrote:
Do you have any other solution permitting the same functionalities, but
without the listening port?
No. If someone wants that functionality then that's how they need to get
it. The
On Fri, Mar 03, 2006, Javier Fernández-Sanguino Peña wrote:
On Fri, Mar 03, 2006 at 02:36:38PM +0100, Loïc Minier wrote:
This is a desktop machine, it should permit sharing of files on your
local network. DNS servers have their port 53 open to respond to name
resolution queries, just
automatically.
I think, your proposed solutions do not cover this issue at all. Users,
who know what they want and what they are doing, do not run into this
problem, since they can manually deselect avahi-daemon. We are indeed
talking about regular users. In another mail, you agreed, the maybe only
10
On Fri, Mar 03, 2006, Javier Fernández-Sanguino Peña wrote:
(IMHO this discussion is reaching to a point in which it should move to
d-devel instead, but I'll keep it here)
Uh, please don't move it there, on the contrary, this discussion
already reached flame-level, and no arguments are coming
On Sat, Mar 04, 2006 at 10:31:02AM +0100, Loïc Minier wrote:
And for the same thing, why would a typical desktop machine provide users
to share even files! My desktop system at home (and my parent's and my
uncle's and whatnot) are completely stand-alone desktop systems, connected
to
the
On Sat, Mar 04, 2006 at 09:51:31AM +0100, Loïc Minier wrote:
On Fri, Mar 03, 2006, Joey Hess wrote:
Standard Desktop task installs do not install Recommends anyway, so
rhythmbox does not pull in avahi-daemon in those situations and you need
to deal with that somehow.
It's a bug in task
pulls it in by default, which means you get the
feature and the open port.
I think, your proposed solutions do not cover this issue at all. Users,
who know what they want and what they are doing, do not run into this
problem, since they can manually deselect avahi-daemon. We are indeed
talking
On Sat, Mar 04, 2006 at 11:07:25AM +0100, Loïc Minier wrote:
I'm doing my final pass on the deb-sec part of this discussion, I don't
intend to participate much further, no new arguments are popping up.
Quite sincerely, this discussion is getting nowhere. There are sufficient
arguments in this
Hi,
I'm stepping out of this discussion, but would like to summarize it a
little (this is obviously biased):
- the current default situation is on purpose, and is a choice between
security and usability, completely subjective
- RB can be enhanced to work better when avahi-daemon
On Sat, Mar 04, 2006, Javier Fernández-Sanguino Peña wrote:
Rhythmbox is a very easy to use music playing and management program
which supports a wide range of audio formats (including mp3 and ogg).
The current version also supports Internet Radio, iPod integration,
Audio CD burning, and
On Sat, Mar 04, 2006 at 10:26:31AM +0100, Loïc Minier wrote:
My point of view is that installing the application gets them the
functionalities they'd expect to find in the default setup.
And I agreed that perhaps the rhythmbox community would expect that,
which is why I reconsidered and asked
On Sat, Mar 04, 2006 at 11:16:08AM +0100, Loïc Minier wrote:
I must add people on this list are obviously biased towards security.
I guess you can stake out the ground of biased against security, but
that's kind of a bad place to be for a software distributor in the 21st
century.
--
Loïc Minier wrote:
On Fri, Mar 03, 2006, Joey Hess wrote:
Standard Desktop task installs do not install Recommends anyway, so
rhythmbox does not pull in avahi-daemon in those situations and you need
to deal with that somehow.
It's a bug in task installation then.
If you mean a bug
Philipp A. Hartmann wrote:
But still it's only a Recommends. Therefore, rhythmbox needs to handle
the absence of avahi-daemon gracefully, since you cannot rely on its
installation. For sake of plug-and-play and comfort, this might be even
done in some kind of GUI message, which tells the user
Javier Fernández-Sanguino Peña wrote:
- rhythmbox does not mention music sharing *at*all* in the package
description. Even the GUI doesn't mention this (when starting it up
for the first time) nor the documentation (in its 'Introduction')
Rhythmbox doesn't go broadcasting files over the
On Sat, Mar 04, 2006, Joey Hess wrote:
If you mean a bug, no, I go out of my way to not install recommends,
because Debian is still rife with long and useless recommends chains.
I completely agree there are a number of broken recommends, but
shouldn't we fix these? Yes, it's painful. :(
--
Loïc Minier wrote:
I completely agree there are a number of broken recommends, but
shouldn't we fix these? Yes, it's painful. :(
I'd prefer not to break new installations in order to find them. This
thread shows that pulling in recommends by default in aptitude is enough
to expose
On Sat, Mar 04, 2006 at 01:26:24PM -0500, Joey Hess wrote:
If avahi is not running, rhythmbox prints this to std(something) on
startup and/or when you enable sharing in its prefs:
Notice that *most* users will not see this as they will start up rhythmbox
from a GNOME application menu and not
On Sat, Mar 04, 2006 at 11:32:20AM +0100, Loïc Minier wrote:
On Sat, Mar 04, 2006, Javier Fernández-Sanguino Peña wrote:
Rhythmbox is a very easy to use music playing and management program
which supports a wide range of audio formats (including mp3 and ogg).
The current version also
in the gnome meta-package in sarge I guess you are correct (now).
However, for sid users, notice that rhythmbox depended on avahi-daemon from
version 0.9.2-3 (2006-01-22) until version 0.9.3-1 (2006-02-05).
So, any sid user that upgraded his system (even from sarge or etch) in those
two weeks
On Sat, Mar 04, 2006 at 10:12:56AM +0100, Loïc Minier wrote:
But you're still way more secure while sitting behind a NAT with
responsible coworkers than connected to the Internet directly, without
any firewall, and that's where desktops sit most of the time.
Well, a NATed gateway is not
. The keyword here is 'exposure'.
The avahi-daemon is nicely chrooted, and runs under a different user.
You just can't have the functionality of plug'n'play on a network
without any central server without listening at some point to
something...
Can you please count the open ports on your
0.0.0.0:*                 LISTEN      18007/pdnsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           29989/avahi-daemon
And so what? Do you want to prove to me it listens on the network?
That's by design, the point is to listen for queries.
Why did you disable them?
I didn't disable
not related to avahi)
Package: avahi-daemon
Recommends: libnss-mdns
The dependency chains here get a little scary.
Indeed, but it's even worse! avahi-daemon recommends libnss-mdns which
recommends zeroconf. However, both Recommends are bogus. There's a
bug against the second one, and I talked
Hi there,
For people on the list interested in the discussion, Michael Stone has
filed #355064, where the discussion went on.
Bye,
--
Loïc Minier [EMAIL PROTECTED]
Current Earth status: NOT DESTROYED
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe.
On Fri, 03 Mar 2006, Loïc Minier wrote:
This is a desktop machine, it should permit sharing of files on your
local network. DNS servers have their port 53 open to respond to name
In what planet do you live? Desktop machines are plugged to extremely
hostile networks all the time (think cable
On Fri, Mar 03, 2006 at 02:36:38PM +0100, Loïc Minier wrote:
Do you have any other solution permitting the same functionalities, but
without the listening port?
No. If someone wants that functionality then that's how they need to get
it. The question has always been about what level of
On Fri, Mar 03, 2006 at 02:45:28PM +0100, Loïc Minier wrote:
Indeed, but it's even worse! avahi-daemon recommends libnss-mdns which
recommends zeroconf. However, both Recommends are bogus. There's a
bug against the second one, and I talked a little with Sjoerd on the
first one, and it seems
On Fri, Mar 03, 2006 at 10:47:56AM -0300, Henrique de Moraes Holschuh wrote:
Not in my servers, it doesn't. And I should add, not even in my desktops:
all removable filesystems are mounted nodev, nosuid.
Mounting malicious filesystems automatically (vfat can't be one AFAIK, but
it won't bork
On Fri, 03 Mar 2006, Michael Stone wrote:
On Fri, Mar 03, 2006 at 10:47:56AM -0300, Henrique de Moraes Holschuh wrote:
Mounting malicious filesystems automatically (vfat can't be one AFAIK, but
it won't bork if you tell it to be nosuid, nodev either) is never a
feature,
it is a security
On Fri, Mar 03, 2006 at 11:20:56AM -0300, Henrique de Moraes Holschuh wrote:
So, I repeat my question: should we hunt down and file bugs (grave or worse)
on packages automounting removable media without nosuid, nodev ?
Here's what I'd suggest:
Write a policy that covers best practices and see
On Fri, 03 Mar 2006, Loïc Minier wrote:
If music sharing is a questionable feature to you, you don't need to
discuss this further, you're obviously the security guy, talking in
debian-security@ of stuff he doesn't want to support security-wise, and
You are *not allowed* to support security
On Fri, Mar 03, 2006 at 02:36:38PM +0100, Loïc Minier wrote:
This is a desktop machine, it should permit sharing of files on your
local network. DNS servers have their port 53 open to respond to name
resolution queries, just consider your desktop installation to be a
name server
) Recommends:
avahi-daemon, when IMHO it should be Suggests: . The functionality
provided by avahi-daemon (a network service for sharing music) is not
something
I would say that all rhythmbox users require (based on rhythmbox'
description, which
looks like a music library organization
Hi,
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
On Fri, 03 Mar 2006, Loïc Minier wrote:
If music sharing is a questionable feature to you, you don't need to
discuss this further, you're obviously the security guy, talking in
debian-security@ of stuff he doesn't want
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
Well, no: that's the opposite of plug'n'play. See, if your USB stick
contains a malicious vfat file system, it gets automatically mounted
nevertheless. It's a feature.
Not in my servers, it doesn't. And I should add, not even
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
True. But that requires a broken kernel, which we patch regularly as a
security procedure anyway. Mounting removable filesystems suid,dev allow a
lot more damage *by design* in the standard Linux security-model.
And we also support
On Fri, 03 Mar 2006, Loïc Minier wrote:
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
True. But that requires a broken kernel, which we patch regularly as a
security procedure anyway. Mounting removable filesystems suid,dev allow a
lot more damage *by design* in the standard
On Fri, 03 Mar 2006, Loïc Minier wrote:
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
Well, no: that's the opposite of plug'n'play. See, if your USB stick
contains a malicious vfat file system, it gets automatically mounted
nevertheless. It's a feature.
Not in my
On Fri, 03 Mar 2006, Loïc Minier wrote:
proposed multiple options in other posts, all of them ignored. People
*not* trying for a middle-ground solution are those claiming an open
port by default is unacceptable, no matter what.
You will notice I didn't propose you disable open ports by
at unavailable
features.
And the popup mixing application level information with package level
information would also be awful: You should install package foo to get
this functionality.
Standard Desktop task installs do not install Recommends anyway, so
rhythmbox does not pull in avahi-daemon
On Fri, Mar 03, 2006 at 06:47:34PM +0100, Loïc Minier wrote:
Hi,
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
Inside the network? Most managed networks have filtering at the borders, at
key router nodes, and if it has a more advanced distributed-firewall
mentality,
Hi,
On Thu, Feb 23, 2006, Javier Fernández-Sanguino Peña wrote:
IMHO the problem here is having a music program (as rhythmbox) Recommends:
avahi-daemon, when IMHO it should be Suggests: . The functionality
provided by avahi-daemon (a network service for sharing music
service, the latter a database service.
Neither of which were actually useful if bound to loopback, BTW.
IMHO the problem here is having a music program (as rhythmbox) Recommends:
avahi-daemon, when IMHO it should be Suggests: . The functionality
provided by avahi-daemon (a network service for sharing
On Thu, Feb 23, 2006 at 12:04:50PM +0100, Javier Fernández-Sanguino Peña wrote:
The former worm targeted a critical OS service, the latter a database service.
Neither of which were actually useful if bound to loopback, BTW.
Actually, they were. A lot of the embedded DB servers were only used by
Javier Fernández-Sanguino Peña wrote:
If I were you (aliban) I would bug rhythmbox. It seems that Bug #349478 got
it to reduce the Depends: on that daemon to a Recommends:, I think it would
be better to have that as Suggests:
Disclaimer: I don't know much about rhythmbox and the relationship of
On Thu, Feb 23, 2006 at 12:47:44PM +0100, aliban wrote:
I am sorry, but I am quite new to linux and debian at all and you may excuse
my question:
why is there no rule to prompt the user for all applications that open
ports on non-localhost?
The default policy is a compromise between
Quoting Javier Fernández-Sanguino Peña ([EMAIL PROTECTED]):
You are confusing worms, Blaster exploited the DCOM RPC vulnerability
(CAN-2003-0352). The one that exploited CAN-2002-0649 and
CAN-2002-1145 in both SQL Server and MSDE was SQLExp / Slammer.
True. Thank you, and apologies for my
Hi,
as the package maintainer seems to ignore my complaint I forward the discussion
to debian-user mailing list.
On debian testing the rhythmbox suggested to install the avahi-daemon that
listens on all interfaces by default.
I think this kind of install behaviour is insecure even
apt says they are going to be
installed? If you miss it there, it is very prominently displayed on
startup that the Avahi daemon is starting. Oh noes! I'd better stop
that and figure out exactly what it is. If you are interested in a
security report on Avahi, Ubuntu has one here.
https://wiki.ubuntu.com
not check out
those NINE new Avahi packages when apt says they are going to be
installed? If you miss it there, it is very prominently displayed on
startup that the Avahi daemon is starting. Oh noes! I'd better stop
that and figure out exactly what it is. If you are interested in a
security report on Avahi
Hi,
On Wed, Feb 22, 2006, aliban wrote:
as the package maintainer seems to ignore my complaint I forward the
discussion to debian-user mailing list.
I am the package maintainer of Rhythmbox, am I the package maintainer
you refer to? Or did you mean the avahi-daemon package manager
On Wed, Feb 22, 2006, aliban wrote:
In this case you are doing the same mistakes Microsoft did with Windows
all the time:
Please, no generalities.
default installation comes with a 'strange' service (that nobody needs,
therefore nobody knows) sitting somewhere around and listening on ALL
On Wed, Feb 22, 2006 at 03:23:42PM +0100, Loïc Minier wrote:
If you do install a GNOME desktop environment, expect to have a web
browser which might run malicious code, games which might be sgid
games, and tons of stuff which might be opening more doors than you
like.
First, there's a
On Wed, Feb 22, 2006, Michael Stone wrote:
From a pragmatic standpoint, pulling in nss-mdns is a PITA because it
makes certain name queries take forever--so there are reasons aside from
security to think this is annoying.
(nss-mdns does mdns too, but it's not related to avahi)
you mean the avahi-daemon package manager?
No, I don't think you are responsible for this. the package manager of
avahi-daemon.
But this is more a general discussion/complaint :)
Loïc Minier wrote:
On Wed, Feb 22, 2006, aliban wrote:
In this case you are doing the same mistakes Microsoft did with Windows
all the time:
default installation comes with a 'strange' service (that nobody needs,
therefore nobody knows) sitting somewhere around and listening on
Quoting aliban ([EMAIL PROTECTED]):
MS Blaster infected many million system within seconds...
Relying on the vulnerable MSDE embedded SQL database engine being
embedded into a large number of consumer software products, and
irresponsibly left bound to all network ports, not just loopback.
On Wed, 22 Feb 2006, aliban wrote:
On debian testing the rhythmbox suggested to install the avahi-daemon that
listens on all interfaces by default.
That's on par with the avahi-daemon's idea of how things should happen, and
it makes sense. Not that I'd want that active in my LAN anyway
does mdns too, but it's not related to avahi)
No?
Package: avahi-daemon
Source: avahi
Version: 0.6.7-1
Depends: libavahi-common3 (= 0.6.4), libavahi-core3 (= 0.6.0), libc6 (= 2.3.5-1),
libcap1, libdaemon0, libdbus-1-2 (= 0.60), libexpat1 (= 1.95.8), adduser, dbus (=
0.60)
Recommends: libnss