Package: tasksel
Version: 3.31+deb8u1
Severity: normal
Tags: d-i

During installation, tasksel gives you the option of including "standard system utilities". This group includes nfs-common and rpcbind, which, post installation, automatically launch daemons that listen on ports. Debian's default iptables configuration after installation is to allow all connections. This is a security concern.

There's no indication to the user that selecting standard system utilities will do this. Having a permissive firewall policy by default is fine, provided that no open ports are running by default as well, but this is not the current situation.

Possible solutions:
1. Do not include these packages in the task
2. More restrictive default firewall policy that will protect these ports until the user decides to make them available
3. Keep as is, but notify the user that the included packages will listen for connections upon selection

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tasksel depends on:
ii  apt                    1.0.9.8
ii  debconf [debconf-2.0]  1.5.56
ii  liblocale-gettext-perl 1.05-8+b1
ii  perl-base              5.20.2-3+deb8u1
ii  tasksel-data           3.31+deb8u1

tasksel recommends no packages.

tasksel suggests no packages.

-- debconf information excluded
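
One way to check a fresh install for the condition this report describes, as an added example that is not part of the original report: a POSIX sh filter over `ss -tuln` output that lists sockets bound to non-loopback addresses. The function name `exposed_listeners` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report listening sockets reachable from the network,
# given the output of ss -tuln on standard input.

# Constructed sample in the old (*:port, :::port) address style.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      *:111              *:*
udp   UNCONN 0      0      127.0.0.1:323      *:*
tcp   LISTEN 0      128    *:111              *:*
tcp   LISTEN 0      20     127.0.0.1:25       *:*
tcp   LISTEN 0      128    :::111             :::*
tcp   LISTEN 0      100    ::1:25             :::*'

# Prints "proto address port" for every listener that is not bound to
# a loopback address. Handles both :::111 and [::]:111 notations.
exposed_listeners() {
    awk '
        $1 == "Netid" { next }          # header line
        NF < 5        { next }          # malformed or blank line
        {
            port = $5
            sub(/^.*:/, "", port)       # text after the last colon
            addr = $5
            sub(/:[^:]*$/, "", addr)    # text before the last colon
            gsub(/^\[|\]$/, "", addr)   # strip brackets around IPv6
            if (addr ~ /^127\./ || addr == "::1") next
            print $1, addr, port
        }
    '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners
```

On a live system the same filter is fed with `ss -tuln | exposed_listeners`; an empty result means nothing is listening on a network-reachable address.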