Package: network-manager
Version: 1.26.2-1
Severity: important
Tags: ipv6 security patch
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Dear maintainer,

This is basically a follow-up for bug 622845 from 2013, where people wanted IPv6 privacy extensions enabled by default for desktops/laptops but not for servers, and the "solution" was to rely on network-manager doing this because it's often installed on such systems. It also obsoletes bug 668462.

Problem is, for a long time now the behaviour of NM is different than in 2013. It allows setting "ip6-privacy" per connection, which works and is mirrored to the connection's sysctl use_tempaddr too (on connecting). If that setting is not set or -1 in the connection config file, it searches global configs in /etc/NetworkManager. If it's still not there, it finally reads from /proc/sys/net/ipv6/conf/default/use_tempaddr, which is default 0 in Debian (for server use cases).

Therefore, effectively, using NM does NOT use privacy extensions by default, for years now.

Please change /etc/NetworkManager/NetworkManager.conf or add some file in /etc/NetworkManager/conf.d/ in Debian packages, where ip6-privacy=2 is set, so that average non-server users finally are better protected against tracking again.

Thank you

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.7.0-2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages network-manager depends on:
ii  adduser          3.118
ii  dbus             1.12.20-1
ii  libaudit1        1:2.8.5-3+b1
ii  libbluetooth3    5.50-1.2
ii  libc6            2.30-4
ii  libcurl3-gnutls  7.68.0-1+b1
ii  libglib2.0-0     2.64.4-1
ii  libgnutls30      3.6.14-2+b1
ii  libjansson4      2.13.1-1
ii  libmm-glib0      1.14.0-0.1
ii  libndp0          1.6-1+b1
ii  libnewt0.52      0.52.21-4+b1
ii  libnm0           1.26.2-1
ii  libpam-systemd   246.2-1
ii  libpsl5          0.21.0-1.1
ii  libreadline8     8.0-4
ii  libselinux1      3.1-2
ii  libsystemd0      246.2-1
ii  libteamdctl0     1.30-1
ii  libudev1         246.2-1
ii  libuuid1         2.36-2
ii  policykit-1      0.105-29
ii  udev             246.2-1
ii  wpasupplicant    2:2.9.0-13

Versions of packages network-manager recommends:
ii  crda                         4.14+git20191112.9856751-1
ii  dnsmasq-base [dnsmasq-base]  2.82-1
ii  iptables                     1.8.5-2
ii  modemmanager                 1.14.0-0.1
ii  ppp                          2.4.7-2+4.1+deb10u1

Versions of packages network-manager suggests:
ii  isc-dhcp-client  4.4.1-2.1+b2
pn  libteam-utils    <none>

-- no debconf information
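
Added example, not part of the original report and not NetworkManager's own code: a small resolver that walks the fallback chain the report describes (connection profile, then global config, then the kernel default) and says which layer decided the value. It assumes the keyfile key `ip6-privacy` under `[ipv6]` and the global key `ipv6.ip6-privacy` under `[connection]`, takes global files highest-precedence first, and runs on constructed sample configs; the function and constant names are hypothetical.

```python
import configparser

# Constructed sample inputs (not taken from a real system).
PROFILE_UNSET = "[connection]\nid=home-wifi\n\n[ipv6]\nmethod=auto\nip6-privacy=-1\n"
PROFILE_SET = "[connection]\nid=home-wifi\n\n[ipv6]\nmethod=auto\nip6-privacy=2\n"
MAIN_CONF = "[main]\nplugins=ifupdown,keyfile\n"
DROPIN = "[connection]\nipv6.ip6-privacy=2\n"  # what the report asks Debian to ship


def _read(text):
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def _as_setting(raw):
    """Return 0, 1 or 2; None when the value is missing, -1 or unparsable."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return None
    return value if value in (0, 1, 2) else None


def effective_ip6_privacy(profile_text, global_texts, sysctl_default):
    """Resolve ip6-privacy in the order the report gives; return (value, source)."""
    raw = _read(profile_text).get("ipv6", "ip6-privacy", fallback=None)
    value = _as_setting(raw)
    if value is not None:
        return value, "connection profile"
    # Assumption: caller passes global config files highest-precedence first.
    for text in global_texts:
        raw = _read(text).get("connection", "ipv6.ip6-privacy", fallback=None)
        value = _as_setting(raw)
        if value is not None:
            return value, "global config"
    # Last resort: /proc/sys/net/ipv6/conf/default/use_tempaddr (0 = no temp addresses).
    return _as_setting(sysctl_default) or 0, "kernel default"


if __name__ == "__main__":
    cases = {
        "stock config": (PROFILE_UNSET, [MAIN_CONF], "0\n"),
        "with drop-in": (PROFILE_UNSET, [DROPIN, MAIN_CONF], "0\n"),
        "profile override": (PROFILE_SET, [MAIN_CONF], "0\n"),
    }
    for name, args in cases.items():
        print(name, "->", effective_ip6_privacy(*args))
```

On a live system the third argument would be the contents of /proc/sys/net/ipv6/conf/default/use_tempaddr, and the result can be compared against the interface's own use_tempaddr sysctl after connecting.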