
Bug#793766: tasksel: standard system utilities pulls packages that listen on ports without firewall



Quoting Michael Rose (mdrose@zoho.com):
> Package: tasksel
> Version: 3.31+deb8u1
> Severity: normal
> Tags: d-i
> 
> During installation, tasksel gives you the option of including "standard system
> utilities". This group includes nfs-common and rpcbind, which, post
> installation, automatically launch daemons that listen on ports. Debian's
> default iptables configuration after installation is to allow all connections.
> This is a security concern.
> 
> There's no indication to the user that selecting standard system utilities will
> do this. Having a permissive firewall policy by default is fine, provided that
> no open ports are running by default as well, but this is not the current
> situation.
> 
> Possible solutions:
> 1. Do not include these packages in the task
> 2. More restrictive default firewall policy that will protect these ports until
> the user decides to make them available
> 3. Keep as is, but notify the user that the included packages will listen for
> connections upon selection

This is not tasksel's job, indeed.

If these packages are "Priority: standard", they're included in the
"standard" task. Tasksel is not really in a position to raise a judgment
about the behaviour of installed packages.

This bug report should eventually be reassigned against nfs-common.

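A check an administrator could run after installation to see which daemons are reachable from the network, added here as an example and not part of the original thread or of tasksel: it parses `ss -tulnp` output and reports every listener that is not bound to a loopback address. The sample output, PIDs and process names in it are constructed for illustration.

```python
import ipaddress
import re
import sys

# Constructed sample of `ss -tulnp` output (not taken from the bug report).
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*          users:(("rpcbind",pid=512,fd=6))
tcp   LISTEN 0      128    0.0.0.0:111        0.0.0.0:*          users:(("rpcbind",pid=512,fd=8))
tcp   LISTEN 0      20     127.0.0.1:25       0.0.0.0:*          users:(("exim4",pid=801,fd=3))
tcp   LISTEN 0      128    [::]:111           [::]:*             users:(("rpcbind",pid=512,fd=11))
tcp   LISTEN 0      20     [::1]:25           [::]:*             users:(("exim4",pid=801,fd=4))
udp   UNCONN 0      0      *:40213            *:*
"""

PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def is_loopback(host):
    """True only if the bind address is a loopback address."""
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and %iface scope
    if host in ("*", ""):                      # wildcard bind: every interface
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                           # unparsable: report it anyway


def exposed_listeners(ss_output):
    """Return sorted (proto, port, process) for sockets reachable off-host."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":  # short line or header
            continue
        host, _, port = fields[4].rpartition(":")
        if not port.isdigit() or is_loopback(host):
            continue
        proc = PROC_RE.search(line)  # process column is only shown to root
        found.add((fields[0], int(port), proc.group(1) if proc else "?"))
    return sorted(found)


if __name__ == "__main__":
    # Pipe real output in (ss -tulnp | python3 this_file.py); bare run uses SAMPLE.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    for proto, port, proc in exposed_listeners(piped or SAMPLE):
        print(f"{proto}/{port}\t{proc}")
```

IPv4 and IPv6 wildcard binds of the same port are collapsed into one entry, and a `?` process name means `ss` was run without the privileges needed to show the owning process.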