Package: boinc-client
Version: 6.2.14-3
Severity: normal

Rather disturbingly, BOINC binds to all network adaptors rather than just localhost, despite the allow_remote_gui_rpc setting not being set.

As an end-user, I would have expected it just to bind to localhost, for availability to the boinc-manager. While there is not an explicit security issue here, because no hosts/IPs are listed in the remote authorisation file, there is an implicit one, and that is that if there is ever a buffer overflow against boinc, it is possible that it will be exploited by other people.

Netstat output:

tcp        0      0 0.0.0.0:31416           0.0.0.0:*               LISTEN      20006/boinc
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      3126/cupsd

You can see where cupsd, for example, has bound locally and boinc has bound globally.

If I can be of any further assistance, please don't hesitate to let me know.

-- Package-specific info:
-- Contents of /etc/default/boinc-client:
# This file is /etc/default/boinc-client, it is a configuration file for the
# /etc/init.d/boinc-client init script.

# Set this to 1 to enable and to 0 to disable the init script.
ENABLED="1"

# Set this to 1 to enable advanced scheduling of the BOINC core client and
# all its sub-processes (reduces the impact of BOINC on the system's
# performance).
SCHEDULE="1"

# The BOINC core client will be started with the permissions of this user.
BOINC_USER="boinc"

# This is the data directory of the BOINC core client.
BOINC_DIR="/var/lib/boinc-client"

# This is the location of the BOINC core client, that the init script uses.
# If you do not want to use the client program provided by the boinc-client
# package, you can specify here an alternative client program.
#BOINC_CLIENT="/usr/local/bin/boinc"
BOINC_CLIENT="/usr/bin/boinc"

# Here you can specify additional options to pass to the BOINC core client.
# Type 'boinc --help' or 'man boinc' for a full summary of allowed options.
#BOINC_OPTS="--allow_remote_gui_rpc"
BOINC_OPTS=""

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages boinc-client depends on:
ii  adduser                 3.110              add and remove users and groups
ii  ca-certificates         20080809           Common CA certificates
ii  debconf [debconf-2.0]   1.5.24             Debian configuration management sy
ii  libc6                   2.7-18             GNU C Library: Shared libraries
ii  libcurl3                7.18.2-8           Multi-protocol file transfer libra
ii  libssl0.9.8             0.9.8g-15          SSL shared libraries
ii  libstdc++6              4.3.2-1.1          The GNU Standard C++ Library v3
ii  lsb-base                3.2-20             Linux Standard Base 3.2 init scrip
ii  python                  2.5.2-3            An interactive high-level object-o
ii  zlib1g                  1:1.2.3.3.dfsg-12  compression library - runtime

boinc-client recommends no packages.

Versions of packages boinc-client suggests:
pn  boinc-app-seti          <none>             (no description available)
ii  boinc-manager           6.2.14-3           GUI to control and monitor the BOI
pn  schedtool               <none>             (no description available)

-- debconf information excluded
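The check the reporter did by eye on the netstat output, turned into a script. This is an added example, not code from the bug report or from the boinc-client package: it reads `netstat -tlnp` style output (column layout assumed to be Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State, PID/Program, as in the report's own output) and prints every LISTEN socket bound to a wildcard address (0.0.0.0, :: or *) rather than to loopback. The sample input is constructed here: the report's two lines plus an IPv6 sshd line added to show the "::" case.

```shell
#!/bin/sh
# Added example (not part of the bug report or the boinc-client package):
# flag TCP listeners bound to every interface rather than to loopback.
# Assumed input layout (netstat -tlnp):
#   Proto Recv-Q Send-Q Local Foreign State PID/Program

wildcard_listeners() {
    awk '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            addr = $4
            # The port is everything after the last colon; the host is what
            # precedes it. This keeps IPv6 ":::22" -> host "::", port "22".
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::" || host == "*") {
                # PID/Program is empty when netstat runs without -p or as non-root
                prog = ($7 == "") ? "-" : $7
                print $1, host ":" port, prog
            }
        }'
}

# Constructed sample: the two lines from the report, plus an IPv6 sshd
# line made up here to exercise the "::" wildcard.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:31416           0.0.0.0:*               LISTEN      20006/boinc
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      3126/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      1234/sshd'

# Runs the audit over the constructed sample; expected to report boinc and
# sshd and to stay silent about cupsd, which is bound to 127.0.0.1.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
}

# On a live host, as root: netstat -tlnp 2>/dev/null | wildcard_listeners
audit_sample
```

Each reported line is a service that a remote host can at least connect to; whether that connection gets anywhere is then down to the service's own access control. For BOINC that is the remote authorisation file the report mentions (remote_hosts.cfg, together with the gui_rpc_auth.cfg password, in the data directory), so an empty remote_hosts.cfg leaves the wildcard bind with nothing to authorise, but, as the reporter points out, it still leaves the listener itself exposed to anything that talks to the socket before that check runs.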