
Re: RFFE: portmap 5-11



Anibal Monsalve Salazar wrote:
> >Also, unlike the comment in the file claims, manual modifications are
> >lost as soon as the package is reconfigured (or upgraded, I think):
> 
> I'm afraid that is not the case.
> 
> >root@dragon:/home/joey>cat /etc/portmap.conf 
> ># Portmap configuration file
> >#
> ># Note: if you manually edit this configuration file,
> ># portmap configuration scripts will avoid modifying it
> ># (for example, by running 'dpkg-reconfigure portmap').
> >
> ># By default listen on all interfaces
> >#
> ># If you want portmap to listen only on the loopback
> ># interface, uncomment the following line (it will be
> ># uncommented automatically if you configure this
> ># through debconf).
> >OPTIONS="-i 127.0.0.1"
> >root@dragon:/home/joey>dpkg-reconfigure portmap
> >Stopping portmap daemon: portmap.
> >Configuring portmap
> >-------------------
> >
> >Portmap by default listens to all IP addresses. However, if you are not using 
> >RPC services that connect to remote servers (like NFS or NIS) you can safely 
> >bind it to the loopback IP address 127.0.0.1.
> >
> >This will allow RPC local services (like FAM) to work properly while preventing 
> >remote systems from accessing your RPC services.
> >
> >You can change this configuration also by editing the OPTIONS line in the 
> >/etc/portmap.conf file. If you just don't specify the -i option it will bind to 
> >all interfaces.
> >
> >Should portmap be bound to the loopback address? no
> 
> Here you selected 'no'.
> 
> >Starting portmap daemon: portmap.
> >Restoring old RPC service information...done.
> >root@dragon:/home/joey>cat /etc/portmap.conf
> ># Portmap configuration file
> >#
> ># Note: if you manually edit this configuration file,
> ># portmap configuration scripts will avoid modifying it
> ># (for example, by running 'dpkg-reconfigure portmap').
> >
> ># By default listen on all interfaces
> >#
> ># If you want portmap to listen only on the loopback
> ># interface, uncomment the following line (it will be
> ># uncommented automatically if you configure this
> ># through debconf).
> >#OPTIONS="-i 127.0.0.1"
> 
> The above commented out line is the result of the 'no' selection.

The missing information in the transcript is that "no" was the default,
even though per the config file the default should have been yes.

> >>   * Fixed "SIGCHLD handler doesn't preserve errno", closes: #306929.
> >>     Patch by Alexander Achenbach <xela@slit.de>.
> >
> >Not important or RC is it?
> 
> It's an RC bug. It may result in termination of the server process.
> According to the author of the bug report, it was reported on
> freebsd-bugs back in 1998.
> 
> >>Version: 5-10
> >>Closes: 286301 301130 301535
> >>Changes: 
> >> portmap (5-10) unstable; urgency=high
> >> .
> >>   * Re-added the debconf configuration, although the default for this is now
> >>     to have portmap listening in all interfaces. The debconf setting
> >>     allows system administrators, base-config and cdd developers to preseed
> >>     this value to 'true' (link only to the loopback interface) if needed.
> >>     Patch by Javier Fernández-Sanguino Peña <jfs@computer.org>.
> >>     Closes: #301130, #286301.
> >
> >So you made a change in -10 that introduced a RC bug that was fixed
> >in -11? And no changes in -10 were RC or even important. The point of
> >freeze exceptions is not to allow continuing unstable development of
> >packages in sarge so I don't see why this should be accepted. 
> 
> Javier pushed -10 as an important security improvement for desktop/laptop
> systems and I agree with him on that regard. Running portmap listening
> to the world on a desktop/laptop system is a considerable security
> risk.

This is only my opinion, but debian systems have been running with these
problems for as long as there was debian; delaying the sarge release to
fix them does not seem worth it.

-- 
see shy jo
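As an added example (not part of the original thread), a small check that reads the OPTIONS line of /etc/portmap.conf the way the transcript above shows it, and reports whether portmap is restricted to loopback. The two sample files are constructed to match the before and after states from the transcript; the commented-out `#OPTIONS` form counts as listening on all interfaces.

```python
"""Inspect /etc/portmap.conf and report the address portmap is bound to."""
import re
import shlex

# Constructed samples: the config before and after 'dpkg-reconfigure portmap'
# answered 'no', as shown in the transcript.
BEFORE = '''# Portmap configuration file
# If you want portmap to listen only on the loopback
# interface, uncomment the following line.
OPTIONS="-i 127.0.0.1"
'''
AFTER = BEFORE.replace('OPTIONS="-i 127.0.0.1"', '#OPTIONS="-i 127.0.0.1"')


def portmap_options(conf_text):
    """Return the argument list from the last active OPTIONS= line ([] if none)."""
    opts = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or commented-out lines (e.g. '#OPTIONS=...') are inactive
        m = re.match(r"OPTIONS=(.*)$", stripped)
        if m:
            # The init script assigns the quoted string, then expands $OPTIONS
            # unquoted, so strip the shell quoting and word-split the result.
            value = " ".join(shlex.split(m.group(1)))
            opts = value.split()
    return opts


def bind_address(conf_text):
    """Address given to -i, or None when portmap would listen on all interfaces."""
    opts = portmap_options(conf_text)
    for i, tok in enumerate(opts):
        if tok == "-i" and i + 1 < len(opts):
            return opts[i + 1]
        if tok.startswith("-i") and len(tok) > 2:  # '-i127.0.0.1' form
            return tok[2:]
    return None


def loopback_only(conf_text):
    """True only when the active OPTIONS line binds portmap to 127.0.0.1."""
    return bind_address(conf_text) == "127.0.0.1"


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, "bind address:", bind_address(conf) or "all interfaces")
```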
