Re: Bug#542470: closed by maximilian attems m...@stro.at (Re: Bug#542470: linux-image-2.6.30-1-686: IPv6 can not be disabled)

2009-08-21 Thread Bjørn Mork
advocatux advoca...@gmail.com writes:

 Yep, I know I can add ipv6.disable=1 in /boot/grub/menu.lst but this
 method doesn't work always, it depends on which 2.6.30 kernel version
 you're running.

It works with the 2.6.30 kernel in Debian.  I'm no DD but I believe that
is about as much as you can expect Debian to support...

 Yeah, just like having IPv4 enabled by default.  Given the number of
 attacks, I would say that IPv4 is much more dangerous and should be
 disabled immediately by any sane administrator :-)

 triple *lol* ;)

 Certainly that mockery doesn't fit with Debian community spirit, does
 it? and for sure doesn't help to fill bug reports.

I put the smiley there for a reason.  I apologize if my comment hurt you
in any way.

I'm sure the kernel team found your bug report very useful even if it
was closed.  It does help in documenting the potential problems users may
face, and will serve as help to others having the same question as you.

 People analyzing this bug in Ubuntu Bug System
 (https://bugs.launchpad.net/bugs/351656) changed the status from
 security vulnerability no to yes, and that's because an initial
 machine running other kernel, with IPv4 traffic filtered and IPv6
 disabled, after installing a 2.6.30 kernel ends with unfiltered ports
 listening to IPv6 traffic.

Well, AFAIK there is no change to a default Debian installation. IPv6 is
enabled by default both in 2.6.26 and 2.6.30 and there are no iptables
or ip6tables rules installed.

Something could of course have checked on upgrade whether the admin
chose to blacklist the ipv6 module and warn that this has no effect
anymore, but personally I don't see the need.  If you do, I'm pretty
sure that patches are welcome as usual.

For the record: Unfiltered ports are not a security problem.  Network
protocol support is not a security problem.  Debian is as secure with
IPv6 enabled as it is with IPv4 enabled.  If you think otherwise, then I
suggest you demonstrate the attack and file appropriate bugs against the
packages with the real security problem.  Security in Linux is not based
on the kernel preventing application abuse by disabling any useful
feature.



Bjørn


-- 
To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#542470: linux-image-2.6.30-1-686: IPv6 can not be disabled

2009-08-20 Thread Bjørn Mork
advocatux advoca...@gmail.com writes:

 IPv6 is enabled by default in kernel 2.6.30 and can't be disabled, at
 least not in an easy way.

Sure there is.  Boot with ipv6.disable=1 on the command line.


kvm-sid:~# dmesg|grep -i ipv6
[0.00] Command line: BOOT_IMAGE=/boot/vmlinuz-2.6.30-1-amd64 root=UUID=0d3e856e-8f99-4b3e-8d4f-37a65486930b ro console=tty0 console=ttyS0,9600n8 ipv6.disable=1
[0.00] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-2.6.30-1-amd64 root=UUID=0d3e856e-8f99-4b3e-8d4f-37a65486930b ro console=tty0 console=ttyS0,9600n8 ipv6.disable=1
[0.585652] IPv6: Loaded, but administratively disabled, reboot required to enable
[0.588546] Mobile IPv6
kvm-sid:~# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:aa:00:ff:00:fc
          inet addr:192.168.3.230  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1406 (1.3 KiB)  TX bytes:1190 (1.1 KiB)



 I've tried both echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6 and sysctl
 -w net.ipv6.conf.all.disable_ipv6=1 methods without any success.

 I think this bug is related to https://bugs.launchpad.net/bugs/351656 in 
 Ubuntu.

 In that report someone says there's a fix from upstream and that's already 
 fixed in 2.6.31 series.

Oh, it went in a while ago.  See
http://patchwork.ozlabs.org/patch/27856/

 There'd be a possible security risk in this whole thing.

Yeah, just like having IPv4 enabled by default.  Given the number of
attacks, I would say that IPv4 is much more dangerous and should be
disabled immediately by any sane administrator :-)



Bjørn
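
The two checks discussed in the thread above, as an added example that is not part of the original messages: confirm that ipv6.disable=1 really left the host without IPv6 addresses or tcp6 listeners, and warn when a leftover module blacklist no longer has any effect. Function names are hypothetical, and the modprobe.d patterns are assumptions about how an admin may have blocked the module on older kernels.

```shell
#!/bin/sh
# Added example, not from the thread: audit whether IPv6 is really off.
# ROOT (first argument) is a filesystem prefix; empty means the live system.

ipv6_cmdline_disabled() {   # 0 if ipv6.disable=1 was passed at boot
    [ -r "$1/proc/cmdline" ] || return 1
    tr ' ' '\n' < "$1/proc/cmdline" | grep -qxF 'ipv6.disable=1'
}

ipv6_addr_count() {         # number of IPv6 addresses configured on interfaces
    [ -r "$1/proc/net/if_inet6" ] || { echo 0; return 0; }
    grep -c . "$1/proc/net/if_inet6" || true
}

ipv6_listen_ports() {       # decimal TCP ports in LISTEN state (st == 0A)
    [ -r "$1/proc/net/tcp6" ] || return 0
    awk 'NR > 1 && $4 == "0A" { n = split($2, a, ":"); print a[n] }' \
        "$1/proc/net/tcp6" | sort -u |
    while read -r hex; do printf '%d\n' "0x$hex"; done
}

ipv6_blacklist_files() {    # modprobe.d files that try to keep ipv6 unloaded
    [ -d "$1/etc/modprobe.d" ] || return 0
    grep -lE '^[[:space:]]*(blacklist[[:space:]]+ipv6|install[[:space:]]+ipv6[[:space:]]|alias[[:space:]]+net-pf-10[[:space:]]+off)' \
        "$1"/etc/modprobe.d/* 2>/dev/null || true
}

ipv6_audit() {              # returns 0 when IPv6 is inactive, 1 when it is active
    root=${1:-}
    addrs=$(ipv6_addr_count "$root")
    ports=$(ipv6_listen_ports "$root" | tr '\n' ' ')
    stale=$(ipv6_blacklist_files "$root")
    if [ "$addrs" -eq 0 ] && [ -z "$ports" ]; then
        echo "ipv6: inactive"; return 0
    fi
    echo "ipv6: ACTIVE, $addrs address(es), tcp6 listeners: ${ports:-none}"
    ipv6_cmdline_disabled "$root" || echo "note: ipv6.disable=1 not on command line"
    [ -z "$stale" ] || echo "warning: blacklist has no effect: $stale"
    return 1
}
```

Run `ipv6_audit` with no argument on the upgraded machine; a non-zero status with the blacklist warning is the situation the bug reporter ended up in.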






Bug#542470: closed by maximilian attems m...@stro.at (Re: Bug#542470: linux-image-2.6.30-1-686: IPv6 can not be disabled)

2009-08-20 Thread advocatux
2009/8/20 Debian Bug Tracking System ow...@bugs.debian.org:
 This is an automatic notification regarding your Bug report
 which was filed against the linux-image-2.6.30-1-686 package:

 #542470: linux-image-2.6.30-1-686: IPv6 can not be disabled

 It has been closed by maximilian attems m...@stro.at.

 Their explanation is attached below along with your original report.
 If this explanation is unsatisfactory and you have not received a
 better one in a separate message then please contact maximilian attems 
 m...@stro.at by
 replying to this email.


 --
 542470: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542470
 Debian Bug Tracking System
 Contact ow...@bugs.debian.org with problems


 -- Forwarded message --
 From: maximilian attems m...@stro.at
 To: 542470-d...@bugs.debian.org
 Date: Thu, 20 Aug 2009 15:53:52 +0200
 Subject: Re: Bug#542470: linux-image-2.6.30-1-686: IPv6 can not be disabled
 On Thu, Aug 20, 2009 at 02:25:58PM +0200, Bjørn Mork wrote:
 advocatux advoca...@gmail.com writes:

  IPv6 is enabled by default in kernel 2.6.30 and can't be disabled, at
  least not in an easy way.

 Sure there is.  Boot with ipv6.disable=1 on the command line.


 [...]
 thus closing.


Yep, I know I can add ipv6.disable=1 in /boot/grub/menu.lst but this
method doesn't work always, it depends on which 2.6.30 kernel version
you're running.


 Yeah, just like having IPv4 enabled by default.  Given the number of
 attacks, I would say that IPv4 is much more dangerous and should be
 disabled immediately by any sane administrator :-)

 triple *lol* ;)

Certainly that mockery doesn't fit with Debian community spirit, does
it? and for sure doesn't help to fill bug reports.

People analyzing this bug in Ubuntu Bug System
(https://bugs.launchpad.net/bugs/351656) changed the status from
security vulnerability no to yes, and that's because an initial
machine running other kernel, with IPv4 traffic filtered and IPv6
disabled, after installing a 2.6.30 kernel ends with unfiltered ports
listening to IPv6 traffic.

Bye.






Bug#542470: closed by maximilian attems m...@stro.at (Re: Bug#542470: linux-image-2.6.30-1-686: IPv6 can not be disabled)

2009-08-20 Thread Noah Meyerhans
On Thu, Aug 20, 2009 at 10:47:56PM +0200, advocatux wrote:
 Yep, I know I can add ipv6.disable=1 in /boot/grub/menu.lst but this
 method doesn't work always, it depends on which 2.6.30 kernel version
 you're running.

So this bug was closed when 2.6.30 was uploaded to unstable, no?  We're
not going to support anything less than 2.6.30 with the squeeze release.

Are you claiming that something needs to be done in lenny and/or etch?
It doesn't seem like it.

noah





Bug#542470: linux-image-2.6.30-1-686: IPv6 can not be disabled

2009-08-19 Thread advocatux
Package: linux-image-2.6.30-1-686
Version: 2.6.30-5
Severity: normal

IPv6 is enabled by default in kernel 2.6.30 and can't be disabled, at least not 
in an easy way.

I've tried both echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6 and sysctl -w 
net.ipv6.conf.all.disable_ipv6=1 methods without any success.

I think this bug is related to https://bugs.launchpad.net/bugs/351656 in Ubuntu.

In that report someone says there's a fix from upstream and that's already 
fixed in 2.6.31 series.

There'd be a possible security risk in this whole thing.

Regards.


 
-- Package-specific info:
** Version:
Linux version 2.6.30-1-686 (Debian 2.6.30-5) (m...@debian.org) (gcc version 
4.3.3 (Debian 4.3.3-15) ) #1 SMP Mon Aug 3 16:18:30 UTC 2009

** Command line:
root=/dev/mapper/gregson-root ro 

** Not tainted

** Kernel log: