On Wed, Feb 22, 2006 at 08:59:40AM -0800, Rick Moen wrote:
> Quoting aliban (aliban@gmx.net):
>
> > MS Blaster infected many million systems within seconds...
>
> Relying on the vulnerable MSDE embedded SQL database engine being
> embedded into a large number of consumer software products, and
> irresponsibly left bound to all network ports, not just loopback.

You are confusing worms: Blaster exploited the DCOM RPC vulnerability
(CAN-2003-0352). The one that exploited CAN-2002-0649 and CAN-2002-1145
in both SQL Server and MSDE was SQLExp / Slammer. The former worm
targeted a critical OS service, the latter a database service. Neither of
which was actually useful if bound to loopback, BTW.

IMHO the problem here is having a music program (such as rhythmbox)
Recommends: avahi-daemon, when IMHO it should be Suggests:. The
functionality provided by avahi-daemon (a network service for sharing
music) is not something I would say that all rhythmbox users require
(based on rhythmbox's description, which looks like a music library
organization tool to me). However, it will get installed by default for
users using 'aptitude' (not 'apt'), which is the recommended tool these
days.

If I were you (aliban) I would bug rhythmbox. It seems that Bug #349478
got it to reduce the Depends: on that daemon to a Recommends:; I think it
would be better to have that as Suggests:.

Disclaimer: I don't know much about rhythmbox and its relationship with
avahi-daemon.

I agree with Michael Stone in that the dependency chain here might be a
problem in the long run. Maintainers, remember: it's much better to *not*
install/activate a network service than to have a service, even if it's
chrooted or running under lower privileges (like the avahi maintainers
describe in https://wiki.ubuntu.com/MainInclusionReportAvahi), which,
BTW, is not that common. The keyword here is 'exposure'. Really, do
*almost all* rhythmbox users need to share music (and consequently need
avahi)?

Regards

Javier
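As an added illustration of the Depends/Recommends/Suggests point made in the mail above (example code written for this page, not from the mail, from rhythmbox or from Debian's tooling): a small parser over a constructed debian/control stanza that answers which relation pulls a package in and whether a given tool would install it automatically. The per-tool policy encodes only what the mail states (aptitude resolves Recommends by default, apt of that era does not, Suggests is never auto-installed) plus apt's rule that only the first alternative of an 'a | b' group is installed automatically.

```python
import re

# Constructed debian/control stanza (not rhythmbox's real one); the
# Recommends: line mirrors the situation the mail describes.
CONTROL = """\
Package: rhythmbox
Depends: libc6 (>= 2.3.5), libgtk2.0-0 (>= 2.8), gstreamer0.8-gnomevfs | gstreamer0.8-misc
Recommends: avahi-daemon, gstreamer0.8-mad
Suggests: gnome-audio
"""

RELATIONS = ("Depends", "Recommends", "Suggests")  # strongest first

# Relations each tool resolves automatically, as stated in the mail:
# aptitude pulls in Recommends by default, apt (apt-get) does not.
# Suggests is never installed automatically by either. (Assumed policy.)
TOOL_POLICY = {"apt": {"Depends"}, "aptitude": {"Depends", "Recommends"}}


def parse_relations(control: str) -> dict:
    """Return {relation: [[alternatives...], ...]} from one control stanza.

    Entries are comma-separated; each may be an 'a | b' alternative group.
    Version constraints in parentheses are stripped, keeping package names.
    """
    rels = {r: [] for r in RELATIONS}
    for line in control.splitlines():
        field, _, value = line.partition(":")
        if field in RELATIONS:
            for entry in value.split(","):
                alts = [re.sub(r"\s*\([^)]*\)", "", a).strip() for a in entry.split("|")]
                rels[field].append([a for a in alts if a])
    return rels


def relation_of(control: str, pkg: str):
    """Strongest relation through which `pkg` is referenced, or None."""
    rels = parse_relations(control)
    for rel in RELATIONS:
        if any(pkg in alts for alts in rels[rel]):
            return rel
    return None


def pulled_in_by_default(control: str, pkg: str, tool: str) -> bool:
    """Would installing this stanza's package with `tool` also install `pkg`?"""
    rels = parse_relations(control)
    # Only the first alternative of an 'a | b' group is installed automatically.
    return any(alts and alts[0] == pkg for rel in TOOL_POLICY[tool] for alts in rels[rel])


if __name__ == "__main__":
    for tool in TOOL_POLICY:
        print(tool, "auto-installs avahi-daemon:", pulled_in_by_default(CONTROL, "avahi-daemon", tool))
```

Moving avahi-daemon from the Recommends: line to the Suggests: line in the stanza, as the mail argues for, makes `pulled_in_by_default(..., "aptitude")` return False while the package stays discoverable through `relation_of`.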