*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Jamie Strandboge
(jdstrand):
Binary package hint: netbase
ipv6 /etc/hosts is missing the "localhost" hostname
#1: (How Discovered) Intrepid installed. In a case where a program
could not find its server on ipv4 localhost, it queried for ipv6
localhost. A DNS AAAA query for "localhost" was subsequently seen going
to the external DNS server instead of being resolved on the machine.
When localhost was added to the ipv6 section of /etc/hosts, the external
query was not made (and an associated blocking delay disappeared).
(This is not a duplicate of bug 274995, but was exposed by it.)
#2: A fresh install of netbase_4.32ubuntu1 (intrepid) leaves /etc/hosts with
this ipv6 section
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
However, the update_hosts_file() in the netbase.postinst script in that package
indicates that section ought to look like this:
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
(It is important to note that the update_hosts_file() function adds to
/etc/hosts only if "::1" is not found. It will not update the hosts
file if the word "localhost" is missing from an existing line.)
#3: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=427067 also
clearly indicates intention. Mentioned in that report, a useful
message at http://www.ietf.org/mail-
archive/web/dnsop/current/msg05542.html which is not authoritative to
any specific implementation, but suggests that localhost should be
listed for consistency. (Furthermore, http://www.ietf.org/mail-
archive/web/dnsop/current/msg05541.html suggests a possible misplaced
intention for those who decided to not include localhost for ::1 was to
avoid breaking legacy software. This is very plausible, as search
engines easily reveal a great deal of examples of legacy software having
difficultly when ipv6 is present.)
SEVERITY/PRIORITY/SECURITY CONSIDERATIONS: If a rouge DNS server
answers a AAAA request for localhost with an IP address, it could
redirect output for the affected purpose at worst or externally expose
the existence of certain services at least. Otherwise, a properly
formed /etc/hosts file is foundational/fundamental for network hosts --
changing it either way may have an impact. If a change ought to be
made, it ought to be made quickly as users and developers are
transitioning to IPv6 or will be in short order. They more time they
have to find and fix bugs, the better.
** Affects: netbase (Ubuntu)
Importance: Undecided
Status: New
--
ipv6 /etc/hosts missing localhost hostname
https://bugs.launchpad.net/bugs/301430
You received this bug notification because you are a member of Ubuntu Bugs,
which is a direct subscriber.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
