Bug#1098506: marked as done (pptpd: consider removing from Debian)

Sun, 02 Mar 2025 03:06:18 -0800 

Your message dated Sun, 2 Mar 2025 11:58:53 +0100
with message-id <1740911...@msgid.manchmal.in-ulm.de>
and subject line Re: Bug#1098506: pptpd: consider removing from Debian
has caused the Debian Bug report #1098506,
regarding pptpd: consider removing from Debian
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1098506: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098506
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Source: pptpd
Version: 1.5.0-1
Severity: serious
Tags: security trixie sid
X-Debbugs-CC: t...@security.debian.org

Please consider removing pptpd from Debian before the Trixie release.
It was removed from Ubuntu before the Ubuntu 24.04 LTS release because
it's an ancient insecure protocol and it was figured that at least
Ubuntu shouldn't be providing the server side any more. See
https://launchpad.net/bugs/2041751

https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890

Thank you,
Jeremy Bícha

--- End Message ---
--- Begin Message --- 
Control: tags 1098506 wontfix

Jeremy Bícha wrote...

> Please consider removing pptpd from Debian before the Trixie release.
> It was removed from Ubuntu before the Ubuntu 24.04 LTS release because
> it's an ancient insecure protocol and it was figured that at least
> Ubuntu shouldn't be providing the server side any more. See
> https://launchpad.net/bugs/2041751
> 
> https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890

A little bit of link following later there's
https://pptpclient.sourceforge.net/protocol-security.phtml and this
shows inddeed pptpd is not the problem per se, but mschapv2. There are
other uses cases for pptpd, so removing pptpd would hit those users as
well.

So, pptpd's configuration file (pptpd-options) could see a grim warning
about mschapv2 for to those who really missed the memo the the past
twenty-ish years. But remove just for that? Nope.

    Christoph

Attachment: signature.asc
Description: PGP signature


--- End Message ---

Reply via email to