[Kernel-packages] [Bug 2041751] Re: RM: Remove dangerously insecure MPPE PPTP from Ubuntu
Hey James, thanks for maintaining pptpd for so many years. I know I'm cranky when old software I use is removed just because it's no longer in fashion. But we do try to move people to safer protocols and safer programs over time. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2041751 Title: RM: Remove dangerously insecure MPPE PPTP from Ubuntu Status in Release Notes for Ubuntu: New Status in linux package in Ubuntu: New Status in network-manager-pptp package in Ubuntu: New Status in pptp-linux package in Ubuntu: New Status in pptpd package in Ubuntu: Fix Released Bug description: Remove dangerously insecure MPPE PPTP from Ubuntu https://pptpclient.sourceforge.net/protocol-security.phtml It has been dead for over 20 years now. Current Windows versions natively support IPSec and L2TP as much better alternatives. https://learn.microsoft.com/en-us/windows/win32/fwp/ipsec- configuration#how-to-use-wfp-to-configure-ipsec-policies https://learn.microsoft.com/en-US/troubleshoot/windows- server/networking/configure-l2tp-ipsec-server-behind-nat-t-device To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2041751/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2041751] Re: RM: Remove dangerously insecure MPPE PPTP from Ubuntu
I'm upstream. I saw the removal first in the release notes. Yet I'm not surprised by removal. The contributions to pptp and pptpd have declined, so the release cadence has slowed as well (1.4.0 in 2013, but a few commits in git since). Number of people asking for help has also declined. Some countries or corporations still require it, presumably because it is so easily monitored. Using pptpd on Ubuntu will be more difficult because of removal from Ubuntu, but that's just a security by obscurity; very easily bypassed by installing the software yourself. Thanks for holding on so long. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2041751 Title: RM: Remove dangerously insecure MPPE PPTP from Ubuntu Status in Release Notes for Ubuntu: New Status in linux package in Ubuntu: New Status in network-manager-pptp package in Ubuntu: New Status in pptp-linux package in Ubuntu: New Status in pptpd package in Ubuntu: Fix Released Bug description: Remove dangerously insecure MPPE PPTP from Ubuntu https://pptpclient.sourceforge.net/protocol-security.phtml It has been dead for over 20 years now. Current Windows versions natively support IPSec and L2TP as much better alternatives. https://learn.microsoft.com/en-us/windows/win32/fwp/ipsec- configuration#how-to-use-wfp-to-configure-ipsec-policies https://learn.microsoft.com/en-US/troubleshoot/windows- server/networking/configure-l2tp-ipsec-server-behind-nat-t-device To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2041751/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2041751] Re: RM: Remove dangerously insecure MPPE PPTP from Ubuntu
Do not remove PPTP. Just dont't use it for yourself. But I have no choises. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2041751 Title: RM: Remove dangerously insecure MPPE PPTP from Ubuntu Status in Release Notes for Ubuntu: New Status in linux package in Ubuntu: New Status in network-manager-pptp package in Ubuntu: New Status in pptp-linux package in Ubuntu: New Status in pptpd package in Ubuntu: Fix Released Bug description: Remove dangerously insecure MPPE PPTP from Ubuntu https://pptpclient.sourceforge.net/protocol-security.phtml It has been dead for over 20 years now. Current Windows versions natively support IPSec and L2TP as much better alternatives. https://learn.microsoft.com/en-us/windows/win32/fwp/ipsec- configuration#how-to-use-wfp-to-configure-ipsec-policies https://learn.microsoft.com/en-US/troubleshoot/windows- server/networking/configure-l2tp-ipsec-server-behind-nat-t-device To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2041751/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2041751] Re: RM: Remove dangerously insecure MPPE PPTP from Ubuntu
Robie, good idea, I've added a note about pptpd and bcrelay being removed, with a link back here: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2041751 Thanks -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2041751 Title: RM: Remove dangerously insecure MPPE PPTP from Ubuntu Status in Release Notes for Ubuntu: New Status in linux package in Ubuntu: New Status in network-manager-pptp package in Ubuntu: New Status in pptp-linux package in Ubuntu: New Status in pptpd package in Ubuntu: Fix Released Bug description: Remove dangerously insecure MPPE PPTP from Ubuntu https://pptpclient.sourceforge.net/protocol-security.phtml It has been dead for over 20 years now. Current Windows versions natively support IPSec and L2TP as much better alternatives. https://learn.microsoft.com/en-us/windows/win32/fwp/ipsec- configuration#how-to-use-wfp-to-configure-ipsec-policies https://learn.microsoft.com/en-US/troubleshoot/windows- server/networking/configure-l2tp-ipsec-server-behind-nat-t-device To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2041751/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2041751] Re: RM: Remove dangerously insecure MPPE PPTP from Ubuntu
The removal of pptpd seems like something that should be release noted to me, to give enquiring users somewhere to refer to. ** Also affects: ubuntu-release-notes Importance: Undecided Status: New -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2041751 Title: RM: Remove dangerously insecure MPPE PPTP from Ubuntu Status in Release Notes for Ubuntu: New Status in linux package in Ubuntu: New Status in network-manager-pptp package in Ubuntu: New Status in pptp-linux package in Ubuntu: New Status in pptpd package in Ubuntu: Fix Released Bug description: Remove dangerously insecure MPPE PPTP from Ubuntu https://pptpclient.sourceforge.net/protocol-security.phtml It has been dead for over 20 years now. Current Windows versions natively support IPSec and L2TP as much better alternatives. https://learn.microsoft.com/en-us/windows/win32/fwp/ipsec- configuration#how-to-use-wfp-to-configure-ipsec-policies https://learn.microsoft.com/en-US/troubleshoot/windows- server/networking/configure-l2tp-ipsec-server-behind-nat-t-device To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/2041751/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2041751] Re: RM: Remove dangerously insecure MPPE PPTP from Ubuntu
I actually agree that we should aim to remove these packages entirely, rather than merely demoting them. I think removal of the server is a clear-cut case. Nobody should need to run a pptp server nowadays on Ubuntu, and if anyone is, forcing them to migrate to a better VPN solution on upgrade (or maintaining their own pptpd without Ubuntu support) is IMHO reasonable. Removing the client, I think, is less clear-cut. If you don't have a pptp server to talk to, then shipping the client is harmless. If you DO have a pptp server to talk to, then the client is essential. Anyone running a PPTP server on Windows these days should upgrade... but dropping the client support from Ubuntu doesn't give the Ubuntu users any more leverage to make their server admin upgrade, it just makes Ubuntu unusable in such an environment. So I think we should remove pptpd from the archive for noble, but that we should propose removal of the clients via discussion with the Debian maintainers. ** Changed in: pptpd (Ubuntu) Status: Incomplete => New -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2041751 Title: RM: Remove dangerously insecure MPPE PPTP from Ubuntu Status in linux package in Ubuntu: New Status in network-manager-pptp package in Ubuntu: New Status in pptp-linux package in Ubuntu: New Status in pptpd package in Ubuntu: Fix Released Bug description: Remove dangerously insecure MPPE PPTP from Ubuntu https://pptpclient.sourceforge.net/protocol-security.phtml It has been dead for over 20 years now. Current Windows versions natively support IPSec and L2TP as much better alternatives. https://learn.microsoft.com/en-us/windows/win32/fwp/ipsec- configuration#how-to-use-wfp-to-configure-ipsec-policies https://learn.microsoft.com/en-US/troubleshoot/windows- server/networking/configure-l2tp-ipsec-server-behind-nat-t-device To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2041751/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2041751] Re: RM: Remove dangerously insecure MPPE PPTP from Ubuntu
Removing packages from noble: pptpd 1.4.0-12build2 in noble bcrelay 1.4.0-12build2 in noble amd64 bcrelay 1.4.0-12build2 in noble arm64 bcrelay 1.4.0-12build2 in noble armhf bcrelay 1.4.0-12build2 in noble ppc64el bcrelay 1.4.0-12build2 in noble riscv64 bcrelay 1.4.0-12build2 in noble s390x pptpd 1.4.0-12build2 in noble amd64 pptpd 1.4.0-12build2 in noble arm64 pptpd 1.4.0-12build2 in noble armhf pptpd 1.4.0-12build2 in noble ppc64el pptpd 1.4.0-12build2 in noble riscv64 pptpd 1.4.0-12build2 in noble s390x Comment: server implementation of an obsolete insecure protocol; LP: #2041751 1 package successfully removed. ** Changed in: pptpd (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2041751 Title: RM: Remove dangerously insecure MPPE PPTP from Ubuntu Status in linux package in Ubuntu: New Status in network-manager-pptp package in Ubuntu: New Status in pptp-linux package in Ubuntu: New Status in pptpd package in Ubuntu: Fix Released Bug description: Remove dangerously insecure MPPE PPTP from Ubuntu https://pptpclient.sourceforge.net/protocol-security.phtml It has been dead for over 20 years now. Current Windows versions natively support IPSec and L2TP as much better alternatives. https://learn.microsoft.com/en-us/windows/win32/fwp/ipsec- configuration#how-to-use-wfp-to-configure-ipsec-policies https://learn.microsoft.com/en-US/troubleshoot/windows- server/networking/configure-l2tp-ipsec-server-behind-nat-t-device To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2041751/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2041751] Re: RM: Remove dangerously insecure MPPE PPTP from Ubuntu
** Description changed: Remove dangerously insecure MPPE PPTP from Ubuntu https://pptpclient.sourceforge.net/protocol-security.phtml It has been dead for over 20 years now. - IPSec OpenVPN Strongswan are much better alternatives. + Current Windows versions natively support IPSec and L2TP as much better + alternatives. + + https://learn.microsoft.com/en-us/windows/win32/fwp/ipsec- + configuration#how-to-use-wfp-to-configure-ipsec-policies + + https://learn.microsoft.com/en-US/troubleshoot/windows- + server/networking/configure-l2tp-ipsec-server-behind-nat-t-device -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2041751 Title: RM: Remove dangerously insecure MPPE PPTP from Ubuntu Status in linux package in Ubuntu: New Status in network-manager-pptp package in Ubuntu: New Status in pptp-linux package in Ubuntu: New Status in pptpd package in Ubuntu: New Bug description: Remove dangerously insecure MPPE PPTP from Ubuntu https://pptpclient.sourceforge.net/protocol-security.phtml It has been dead for over 20 years now. Current Windows versions natively support IPSec and L2TP as much better alternatives. https://learn.microsoft.com/en-us/windows/win32/fwp/ipsec- configuration#how-to-use-wfp-to-configure-ipsec-policies https://learn.microsoft.com/en-US/troubleshoot/windows- server/networking/configure-l2tp-ipsec-server-behind-nat-t-device To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2041751/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2041751] Re: RM: Remove dangerously insecure MPPE PPTP from Ubuntu
The seeding [1] of it is also quite clear on why it is still there. """ # This stack is no more very relevant, but was in the early days of internet # dialin. This stack is a candidate for demotion, but OTOH received no # bugs/CVEs over the last years and therefore can stay as-is for now. # ppp itself is still recommended by network-manager and thereby has quite # an install base. """ Removing is maybe too hard as Steve outlined, but what about at least demoting to universe (to encourage it a bit less)? The seed change to the section linked above would be trivial, but it would need coordination with the Desktop variants as a dependency to network-manager-pptp is in most of the meta packages. reverse-depends --release=noble src:network-manager-pptp Reverse-Recommends == * network-manager (for network-manager-pptp) * ubuntu-budgie-desktop [amd64 arm64 armhf ppc64el] * ubuntu-budgie-desktop-minimal [amd64 arm64 armhf ppc64el] * ubuntu-budgie-desktop-raspi [arm64 armhf] * ubuntu-desktop [amd64 arm64 armhf ppc64el] * ubuntu-desktop-minimal [amd64 arm64 armhf ppc64el] * ubuntu-mate-core (for network-manager-pptp-gnome) * ubuntu-mate-desktop (for network-manager-pptp-gnome) * ubuntu-unity-desktop [amd64 arm64 armhf ppc64el] * ubuntukylin-desktop (for network-manager-pptp-gnome) * vanilla-gnome-desktop [amd64 arm64 armhf ppc64el] * xubuntu-desktop (for network-manager-pptp-gnome) * xubuntu-desktop (for network-manager-pptp) Reverse-Depends === * lomiri-indicator-network (for network-manager-pptp) It comes at a comfort loss though, since this is depended on by all those meta packages to work right away in a fresh install, which would be a behavior that will be lost. Also if there is a CVE, then only people using ubuntu pro would get a fix. Which is free for personal use, but those forced to use pptp are likely people with non-personal use of outdated infrastructure. So we'd make the world a bit less secure as likely not all would get the fixes then. Still I'd want to know from Steve and Seth which discussed so far - what would you think about that as a compromise? [1]: https://git.launchpad.net/~ubuntu-core-dev/ubuntu- seeds/+git/platform/tree/supported-misc-servers#n190 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2041751 Title: RM: Remove dangerously insecure MPPE PPTP from Ubuntu Status in linux package in Ubuntu: New Status in network-manager-pptp package in Ubuntu: New Status in pptp-linux package in Ubuntu: New Status in pptpd package in Ubuntu: Incomplete Bug description: Remove dangerously insecure MPPE PPTP from Ubuntu https://pptpclient.sourceforge.net/protocol-security.phtml It has been dead for over 20 years now. IPSec OpenVPN Strongswan are much better alternatives. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2041751/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2041751] Re: RM: Remove dangerously insecure MPPE PPTP from Ubuntu
Microsoft has implemented an IPSec stack: https://learn.microsoft.com/en-us/windows/win32/fwp/ipsec- configuration#how-to-use-wfp-to-configure-ipsec-policies "The Microsoft implementation of IPsec uses Windows Filtering Platform to setup IPsec policies." This page is a bit thin on which applications to open, which buttons to click, etc, but they do have IPSec available in their ecosystem. Microsoft has implemented LT2P: https://learn.microsoft.com/en- US/troubleshoot/windows-server/networking/configure-l2tp-ipsec-server- behind-nat-t-device "This article describes how to configure a L2TP/IPsec server behind a NAT-T device." A third party has implemented OpenVPN for Windows: https://openvpn.net/client/client-connect-vpn-for-windows/ "For Windows 7, 8, 10, and 11. Note: Windows 7 and 8 are not officially supported anymore." A third party has implemented Wireguard for Windows: https://www.wireguard.com/install/#windows-7-81-10-11-2008r2-2012r2-2016-2019-2022 " Windows [7, 8.1, 10, 11, 2008R2, 2012R2, 2016, 2019, 2022 – v0.5.3]" Selecting a replacement requires some effort on the part of the network administrator with knowledge of what features and operating systems they need for their environment. I think pptp is bad enough that removing it makes sense. On the other hand, we still have telnet, and there's appropriate uses and inappropriate uses, and maybe this falls into the same category of compatibility software where users should expect a significant reduction in security if it is used. Thanks -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2041751 Title: RM: Remove dangerously insecure MPPE PPTP from Ubuntu Status in linux package in Ubuntu: New Status in network-manager-pptp package in Ubuntu: New Status in pptp-linux package in Ubuntu: New Status in pptpd package in Ubuntu: Incomplete Bug description: Remove dangerously insecure MPPE PPTP from Ubuntu https://pptpclient.sourceforge.net/protocol-security.phtml It has been dead for over 20 years now. IPSec OpenVPN Strongswan are much better alternatives. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2041751/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2041751] Re: RM: Remove dangerously insecure MPPE PPTP from Ubuntu
>From the linked page: However, that doesn't mean people don't accept the risks. There are many corporations and individuals using PPTP with full knowledge of these risks. Some use mitigating controls, and some don't. No one has ever run pptp on Linux, as either a client or server, because they thought it was a good protocol. It was used because compatibility was required with the other end. > IPSec OpenVPN Strongswan are much better alternatives. What is the compatibility story for these on Windows? The page you link also says: > Microsoft promote something else. What, specifically, and what is the Linux compatibility story with that "something else"? It should be clear in this removal bug what users should be using instead of pptp as a Windows-compatible VPN. ** Changed in: pptpd (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2041751 Title: RM: Remove dangerously insecure MPPE PPTP from Ubuntu Status in linux package in Ubuntu: New Status in network-manager-pptp package in Ubuntu: New Status in pptp-linux package in Ubuntu: New Status in pptpd package in Ubuntu: Incomplete Bug description: Remove dangerously insecure MPPE PPTP from Ubuntu https://pptpclient.sourceforge.net/protocol-security.phtml It has been dead for over 20 years now. IPSec OpenVPN Strongswan are much better alternatives. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2041751/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2041751] Re: RM: Remove dangerously insecure MPPE PPTP from Ubuntu
Subscribing ~ubuntu-archive to look at this request. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2041751 Title: RM: Remove dangerously insecure MPPE PPTP from Ubuntu Status in linux package in Ubuntu: New Status in network-manager-pptp package in Ubuntu: New Status in pptp-linux package in Ubuntu: New Status in pptpd package in Ubuntu: New Bug description: Remove dangerously insecure MPPE PPTP from Ubuntu https://pptpclient.sourceforge.net/protocol-security.phtml It has been dead for over 20 years now. IPSec OpenVPN Strongswan are much better alternatives. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2041751/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp