Your message dated Thu, 07 Sep 2023 11:48:58 +0000
with message-id <e1qedvk-005rec...@fasolo.debian.org>
and subject line Bug#968711: fixed in procps 2:4.0.4-1
has caused the Debian Bug report #968711,
regarding sysctl.conf: Insufficient/misleading content
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
968711: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968711
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: procps
Version: 2:3.3.15-2
Severity: normal
Tags: ipv6

Dear maintainers,

please consider changing the following things in the shipped sysctl.conf file.
All of these things could easily be done by the user, but many users don't know 
enough about these things to recognize problems, and new installs should not 
have useless defaults.

a) IPv4+6 accept_redirects

Current file content:
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0

According to kernel documentation and source, for normal situations with 
forwarding=0:

The IPv4 setting "all" is separate from the interface settings, and redirects 
are accepted if at least one of them is 1. (For IPv6, it seems all is ignored 
and just the interface setting is valid.)

Therefore, both cases should not only set "all" (at least if uncommented), but 
"default" too.


b) IPv4 source route

Current file content:
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0

According to kernel documentation and source:

The all-value is already 0 by default (this can be practically seen in a fresh 
Debian install too).

And source routing gets only enabled if "both" the all value and the interface 
value are 1, so effectively it is disabled everywhere.

Therefore, I suggest removing this commented part from sysctl.conf

And btw. source routing is not specific to routers.


c) IPv6 source route

Current file content:
#net.ipv6.conf.all.accept_source_route = 0

Again according to the docs etc., this is a very different setting from the 
IPv4 one. After what happened around the IPv6 "RH0" routing headers (which are 
not supported at all in the kernel anymore, and that's good), the possible setting 
values now are >= 0 for enabling something that is not a security problem, and 
<0 for disabling it completely. Default (for "all" and all interfaces) is 0, 
meaning securely enabled.

Therefore, the sysctl.conf setting (if uncommented) would not unaccept anything 
like it says, and it can be removed too as it is default. And if not removed, 
it should set "default" too instead of just "all".


Always see
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
etc.


Thank you


-- System Information:
Debian Release: 10.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-10-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages procps depends on:
ii  init-system-helpers  1.56+nmu1
ii  libc6                2.28-10
ii  libncurses6          6.1+20181013-2+deb10u2
ii  libncursesw6         6.1+20181013-2+deb10u2
ii  libprocps7           2:3.3.15-2
ii  libtinfo6            6.1+20181013-2+deb10u2
ii  lsb-base             10.2019051400

Versions of packages procps recommends:
pn  psmisc  <none>

procps suggests no packages.

-- no debconf information

--- End Message ---
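
The combination rules stated in the report above, as an added example (not part of the original messages and not procps code): it parses `sysctl -a`-style lines and evaluates what a single interface accepts when forwarding=0. The interface name `eth0`, the sample values and the function names are constructed for illustration.

```python
import re

# Constructed sample in `sysctl -a` output format: only the "all" keys were
# set to 0 (as the shipped file suggests); eth0 still holds assumed defaults.
SAMPLE = """\
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.eth0.accept_redirects = 1
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.eth0.accept_source_route = 0
"""

LINE = re.compile(r"^\s*([\w.\-]+)\s*=\s*(-?\d+)\s*$")


def parse(text):
    """Return {key: int} from 'key = value' lines; comments and other lines are skipped."""
    state = {}
    for line in text.splitlines():
        match = LINE.match(line)
        if match:
            state[match.group(1)] = int(match.group(2))
    return state


def effective(state, iface):
    """What `iface` accepts, using the rules from the report (forwarding=0 assumed)."""
    def val(family, scope, name):
        return state[f"net.{family}.conf.{scope}.{name}"]

    v6_route = min(val("ipv6", "all", "accept_source_route"),
                   val("ipv6", iface, "accept_source_route"))
    return {
        # IPv4 redirects: accepted if at least one of "all" / interface is 1.
        "ipv4_redirects": bool(val("ipv4", "all", "accept_redirects")
                               or val("ipv4", iface, "accept_redirects")),
        # IPv4 source routing: needs both "all" and the interface set to 1.
        "ipv4_source_route": bool(val("ipv4", "all", "accept_source_route")
                                  and val("ipv4", iface, "accept_source_route")),
        # IPv6 redirects: per the report, only the interface value counts.
        "ipv6_redirects": bool(val("ipv6", iface, "accept_redirects")),
        # IPv6 routing headers: >= 0 accepts, < 0 rejects. Taking the lower of
        # "all" and the interface is an assumption, not stated in the report.
        "ipv6_routing_header": v6_route >= 0,
    }


if __name__ == "__main__":
    for name, accepted in effective(parse(SAMPLE), "eth0").items():
        print(f"eth0 {name}: {'accepted' if accepted else 'not accepted'}")
```

With the sample state, redirects are still accepted on `eth0` for both address families even though every `all` key is 0, which is the report's point about also setting `default`.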
--- Begin Message ---
Source: procps
Source-Version: 2:4.0.4-1
Done: Craig Small <csm...@debian.org>

We believe that the bug you reported is fixed in the latest version of
procps, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 968...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated procps package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Sep 2023 21:31:09 +1000
Source: procps
Architecture: source
Version: 2:4.0.4-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Closes: 968711 1031765 1035649 1036631 1037450 1042887
Changes:
 procps (2:4.0.4-1) unstable; urgency=medium
 .
   * New upstream release
     - ps: Fix buffer overflow in -C option CVE-2023-4016 Closes: #1042887
     - library: Refactor the escape code Closes: #1035649
     - pgrep: Use only --signal option for signal Closes: #1031765
     - pgrep: suppress >15 warning if using regex Closes: #1037450
     - ps: fixed missing or corrupted fields with -m option Closes: #1036631
     - free: New -L option for one line output
     - ps: New --signames options to show signal names
   * watch: Color support turned on by default use -C to turn off
   * Remove redundant lines from sysctl.conf Closes: #968711

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
