Christoph Anton Mitterer
2020-01-17 15:10:02 UTC
Package: netbase
Version: 6.0
Severity: important
Hi.
Recently, isakmp was removed for udp from /etc/services.
First, this should be added back, as it's perfectly fine to be used on UDP (see rfc2408).
IIRC UDP was actually *the* transport protocol on which it's used (TCP is only briefly
mentioned in the standard).
It's rather the TCP version which should be removed (but this should be thoroughly checked
first).
This however points to another serious problem with simply removing entries from services.
People may actually use these and since they likely don't read the changelog and there is
no NEWS.Debian which would mention it (and which one can expect users to read) pretty bad
things can happen.
In my case I used it in iptables rules files, so either
- the rules are (rather silently) not loaded and thus system security could easily be
compromised completely (since the default Debian boots anyway even if e.g.
netfilter-persistent fails to load rules)
- or in my case, where I've tightened the unit files for netfilter-persistent a bit (i.e.
making it a hard RequiredBy=sysinit.target network-pre.target network.target)
it causes the system to hang at boot, which is still better than a security compromise
but still not so good ;-)
Not sure what's best to do, because obviously it makes sense to keep services cleaned up.
Maybe you should add NEWS.Debian entries each time you remove something.
Cheers,
Chris.
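The failure mode described in the report is that an iptables-restore rules file referring to a service name (e.g. `--dport isakmp`) stops loading once that name disappears from /etc/services. The following script is an added example, not part of the bug report or of the netbase or netfilter-persistent packages: it scans a rules file in iptables-save format for `--dport`/`--sport`/`--dports`/`--sports` arguments that are service names rather than numbers and reports those that do not resolve against a services file (default /etc/services). The constructed services file and rules file inside `demo` are assumptions for illustration; the file paths and function names are likewise hypothetical.

```shell
#!/bin/sh
# Added example: audit an iptables-save style rules file for service names
# that no longer resolve in /etc/services (the scenario in the report above).
# Numeric ports are ignored; names inside comma lists and name ranges are checked.

# service_known NAME PROTO SERVICES_FILE -> exit 0 if NAME (or an alias) is listed
# for PROTO in SERVICES_FILE, 1 otherwise. Same file format as /etc/services.
service_known() {
    awk -v n="$1" -v p="$2" '
        { sub(/#.*/, "") }                       # strip comments
        NF < 2 { next }                          # blank or comment-only line
        {
            split($2, pp, "/")                   # $2 is "port/proto"
            if (pp[2] != p) next
            for (i = 1; i <= NF; i++)            # $1 is the name, $3.. are aliases
                if (i != 2 && $i == n) { found = 1; exit }
        }
        END { exit !found }
    ' "$3"
}

# unresolved_service_names RULES_FILE [SERVICES_FILE]
# Prints one "NAME/PROTO (line N)" per port argument that is not numeric and
# cannot be resolved; prints nothing when every name resolves.
unresolved_service_names() {
    rules=$1
    svc=${2:-/etc/services}
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            proto = ""
            for (i = 1; i <= NF; i++)
                if ($i == "-p" || $i == "--protocol") proto = $(i + 1)
            for (i = 1; i <= NF; i++)
                if ($i ~ /^--(d|s)ports?$/) {
                    n = split($(i + 1), names, /[,:]/)   # "a,b" lists and "a:b" ranges
                    for (j = 1; j <= n; j++)
                        if (names[j] != "" && names[j] !~ /^[0-9]+$/)
                            print names[j], (proto == "" ? "-" : proto), NR
                }
        }
    ' "$rules" | while read -r name proto line; do
        service_known "$name" "$proto" "$svc" || printf '%s/%s (line %s)\n' "$name" "$proto" "$line"
    done
}

# demo: run the check on a constructed services file (one from which isakmp has
# been dropped) and a constructed rules file; both are assumptions, not real
# system files. Expected output: isakmp/udp (line 4) and isakmp/tcp (line 6).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/services" <<'EOF'
# constructed services file: isakmp is deliberately absent
ssh          22/tcp
domain       53/tcp
domain       53/udp
ipsec-nat-t  4500/udp
EOF
    cat > "$tmp/rules.v4" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport domain -j ACCEPT
-A INPUT -p udp -m multiport --dports isakmp,ipsec-nat-t -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A INPUT -p tcp -m tcp --dport isakmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
EOF
    unresolved_service_names "$tmp/rules.v4" "$tmp/services"
    rm -rf "$tmp"
}

# With no arguments run the constructed demo; otherwise check the given rules
# file against /etc/services (or a services file given as second argument).
if [ $# -eq 0 ]; then demo; else unresolved_service_names "$1" "${2:-/etc/services}"; fi
```

Running `sh check.sh /etc/iptables/rules.v4` before a netbase upgrade lists exactly the rules that would make `iptables-restore` fail afterwards; an empty result means every name still resolves. A single name can also be checked by hand with `getent services isakmp/udp`. Writing numeric ports in persistent rules files avoids the dependency on /etc/services altogether, at the cost of readability.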