Your message dated Thu, 11 Jul 2019 10:03:14 +0200
with message-id <[email protected]>
and subject line Re: Bug#925270: znc unwisely advertises exact Debian version
has caused the Debian Bug report #925270,
regarding znc unwisely advertises exact Debian version
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
925270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925270
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: znc
Severity: normal
Potential security implications here, but not directly exploitable—will
leave for the maintainer to determine how serious the problem is.
Debian's znc versions follow the upstream convention of advertising
themselves when the user exits them. This practice isn't terribly wise on
its own, but it also advertises the exact version of Debian (or derivative)
being run by the host. Worse, it's not even information that must be
queried—it's spammed into IRC channels upon quit. A few examples from today.
<-- nick (~u@h) has quit (Quit: ZNC 1.6.5+deb1+deb9u1 - http://znc.in)
<-- nick (~u@h) has quit (Quit: ZNC 1.6.6+deb1ubuntu0.1 - http://znc.in)
<-- nick (~u@h) has quit (Quit: ZNC 1.6.5+deb1+deb9u1 - http://znc.in)
And one counter-example of how changing the default might be a good idea:
<-- nick (~u@h) has quit (Quit: ZNC - https://znc.in)
As the host part of the u@h is often not concealed in any way, spamming
this information into a public forum might provide a nefarious user with
information for an attack of opportunity against an unprotected host. The
other way someone might usually obtain this information (CTCP request) in
most clients alerts the user that someone's asking, and can be replied to
with anything (or nothing)—I don't know if that's true of znc.
I mean, I suppose going into a crowded room and shouting something like
exactly which OS you run, that you haven't installed security updates in over
two weeks, and your IP address is something the user is perfectly happy to do.
Debian shouldn't preconfigure software to potentially do that by default.
I'd say this would warrant a 1.6.5-1+deb9u2 to disable that by default—but
that's up to you and the security team. :)
Joseph
--- End Message ---
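To make the disclosure in the report concrete, here is a small harvester that does what the reporter describes an opportunistic attacker doing: read IRC quit lines and pull out nick, ident, host, the advertised ZNC version and the distribution revision suffix. This is an added example written for this page, not code from the bug report or from the ZNC project. The quit-line layout is the one shown in the report (a weechat-style `<-- nick (user@host) has quit (Quit: ...)` line); the nicks, hosts and the two non-ZNC lines are constructed sample data, and the rule "a `+debN...` suffix means a Debian or Ubuntu package build" is an assumption based only on the strings in the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on the ones in the bug report.
# Nicks, idents and hosts are made up (documentation-only address ranges).
SAMPLE_LINES = [
    "<-- alice (~alice@203.0.113.7) has quit (Quit: ZNC 1.6.5+deb1+deb9u1 - http://znc.in)",
    "<-- bob (~bob@host42.example.net) has quit (Quit: ZNC 1.6.6+deb1ubuntu0.1 - http://znc.in)",
    "<-- carol (~c@198.51.100.9) has quit (Quit: ZNC - https://znc.in)",   # HideVersion = true
    "<-- dave (~d@192.0.2.5) has quit (Quit: leaving)",                    # not a ZNC tag
    "<-- erin (~e@192.0.2.6) has quit (Ping timeout: 260 seconds)",        # not a quit message
]

# A ZNC quit tag is "ZNC <version> - <url>" or, with HideVersion, "ZNC - <url>".
QUIT_RE = re.compile(
    r"^<--\s+(?P<nick>\S+)\s+\((?P<user>[^@\s]+)@(?P<host>[^)\s]+)\)\s+has quit\s+"
    r"\(Quit:\s+ZNC(?:\s+(?P<version>\S+))?\s+-\s+[^\s)]+\)\s*$"
)

# Assumed: Debian-style package revisions look like "+deb1+deb9u1" (Debian 9
# stable update) or "+deb1ubuntu0.1" (Ubuntu rebuild of the Debian package).
DEBIAN_SUFFIX_RE = re.compile(r"\+deb\d*(?P<rest>.*)$")
DEBIAN_RELEASE_RE = re.compile(r"\+deb(?P<release>\d+)u\d+")


@dataclass
class ZncQuit:
    nick: str
    user: str
    host: str
    version: Optional[str]          # None when the bouncer hides its version
    distro: Optional[str]           # "debian", "ubuntu", "upstream/unknown" or None
    debian_release: Optional[int]   # e.g. 9 from "+deb9u1", when present


def classify_version(version: Optional[str]):
    """Derive distribution and Debian release from the advertised version string."""
    if version is None:
        return None, None
    suffix = DEBIAN_SUFFIX_RE.search(version)
    if suffix is None:
        return "upstream/unknown", None
    distro = "ubuntu" if "ubuntu" in suffix.group("rest") else "debian"
    rel = DEBIAN_RELEASE_RE.search(version)
    return distro, (int(rel.group("release")) if rel else None)


def parse_quit(line: str) -> Optional[ZncQuit]:
    """Return a ZncQuit for lines carrying a ZNC quit tag, None otherwise."""
    m = QUIT_RE.match(line)
    if m is None:
        return None
    distro, release = classify_version(m.group("version"))
    return ZncQuit(m.group("nick"), m.group("user"), m.group("host"),
                   m.group("version"), distro, release)


def harvest(lines: List[str]) -> List[ZncQuit]:
    """Collect every ZNC bouncer seen quitting in a channel log."""
    return [q for q in (parse_quit(l) for l in lines) if q is not None]


def leaking(lines: List[str]) -> List[ZncQuit]:
    """Only the bouncers that paired a host with an exact package version."""
    return [q for q in harvest(lines) if q.version is not None]


if __name__ == "__main__":
    for q in harvest(SAMPLE_LINES):
        print(f"{q.host:24} version={q.version!s:22} distro={q.distro} release={q.debian_release}")
```

Run against the constructed lines, two of the three bouncers hand over host plus exact package revision (and for the Debian one, the stable release), while the one with `HideVersion` yields only "a ZNC user at this host". That is exactly the difference the reporter's counter-example illustrates.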
--- Begin Message ---
Closing, since this is wontfix and configurable
On 22.03.2019 at 08:57, Alexey Sokolov wrote:
> 22.03.2019 8:08, Uli Schlachter wrote:
>> Hi,
>>
>> On 22.03.19 00:53, T. Joseph Carter wrote:
>>> <-- nick (~u@h) has quit (Quit: ZNC 1.6.5+deb1+deb9u1 - http://znc.in)
>>> <-- nick (~u@h) has quit (Quit: ZNC 1.6.6+deb1ubuntu0.1 - http://znc.in)
>>> <-- nick (~u@h) has quit (Quit: ZNC 1.6.5+deb1+deb9u1 - http://znc.in)
>>>
>>> And one counter-example of how changing the default might be a good idea:
>>>
>>> <-- nick (~u@h) has quit (Quit: ZNC - https://znc.in)
>> This behaviour goes back to [1], I think. Before that, ZNC would do the
>> second kind of quit message. Commit [1] introduced an option called
>> "HideVersion", which defaults to "false". If this option is "false", the
>> function CZNC::GetTag() *always* includes version information. When set
>> to "true", CZNC::GetTag() only includes version information when told so
>> by its caller (seems to be: only the web interface for logged-in users).
> No, before that commit, ZNC sometimes did expose the version, sometimes
> did not. That commit made it consistent, and configurable.
>
> I made it false by default to follow example of other software which
> exposes its version, e.g. nginx.
>
>> When I proposed to restore the old behaviour and instead to make
>> "HideVersion" also not include the version when explicitly told
>> otherwise, I was told that this is the way it is supposed to work.
>>
> AFAIR, the patch you proposed caused it to always hide the version, even
> for logged in users, and in znc --version
>
>> Anyway: Set "HideVersion = true" in your znc to get rid of the version
>> information. Webadmin can modify this setting, but controlpanel can not.
>>
>> If wanted, Debian could patch src/znc.cpp to change the default for
>> m_bHideVersion to true (the line looks like "m_bHideVersion(false)").
>>
>> Cheers,
>> Uli
>>
>> [1]:
>> https://github.com/znc/znc/commit/f9a45076690990f75a14315db4f456e750073723
>>
>
--
/*
Mit freundlichem Gruß / With kind regards,
Patrick Matthäi
GNU/Linux Debian Developer
Blog: http://www.linux-dev.org/
E-Mail: [email protected]
[email protected]
*/
--- End Message ---