inetd.conf should not contain unnecessary services

Bug #7192 reported by Debian Bug Importer
Affects                Status         Importance   Assigned to      Milestone
netkit-base (Debian)   Fix Released   Unknown
netkit-base (Ubuntu)   Invalid        High         Matt Zimmerman

Bug Description

Automatically imported from Debian bug report #237535 http://bugs.debian.org/237535

Revision history for this message
In , Colin Watson (cjwatson) wrote : reassign 237535 to netkit-inetd

reassign 237535 netkit-inetd

Revision history for this message
In , Per Olofsson (pelle) wrote : Why are these services not disabled?

I agree that these services should be disabled by default. Is there
any good reason why they're not?

--
Pelle

Revision history for this message
In , Frederik Dannemare (frederik) wrote : netkit-inetd not in releasable state, imo

severity 237535 serious
merge 237535 261906
thanks

not in releasable state, imo. not until daytime, discard, etc. is off by
default. please fix before sarge freezes.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <001b01c407c0$a91dbc30$0500a8c0@effenberger>
Date: Fri, 12 Mar 2004 00:29:09 +0100
From: "Florian Effenberger" <email address hidden>
To: <email address hidden>
Subject: inetd.conf should not contain unnecessary services

Package: inetd
Version: unknown

The following services should be disabled due to security considerations:

discard
daytime
time
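
An added example, not part of the original report or of netkit-base: a shell check that lists the built-in ("internal") services still active in an inetd.conf and flags the ones named above. The function names and the sample file are constructed for illustration; the check assumes the usual whitespace-separated inetd.conf layout, with the server program in the sixth field and "#"-prefixed lines treated as disabled.

```shell
#!/bin/sh
# List active inetd.conf entries that inetd serves itself, i.e. lines that
# are not commented out and whose server-program field (6th) is "internal".
# Prints one "service/protocol" pair per line.
enabled_builtins() {
    awk '
        /^[ \t]*#/       { next }   # commented out, including "#<off>#" lines
        NF < 6           { next }   # blank or malformed line
        $6 == "internal" { print $1 "/" $3 }
    ' "$1"
}

# Return 0 if none of the named services is active, 1 otherwise.
# Usage: check_disabled FILE service...
check_disabled() {
    conf=$1; shift
    active=$(enabled_builtins "$conf")
    rc=0
    for svc in "$@"; do
        if printf '%s\n' "$active" | grep -q "^$svc/"; then
            echo "ENABLED: $svc" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configuration (not taken from any package).
sample_conf() {
    cat <<'EOF'
#:INTERNAL: Internal services
#echo		stream	tcp	nowait	root	internal
discard		stream	tcp	nowait	root	internal
discard		dgram	udp	wait	root	internal
daytime		stream	tcp	nowait	root	internal
#<off># time	stream	tcp	nowait	root	internal
ident		stream	tcp	wait	identd	/usr/sbin/identd	identd
EOF
}

# Stand-alone use: pass the path of an inetd.conf to audit.
if [ "$#" -gt 0 ]; then
    check_disabled "$1" discard daytime time
fi
```

On the constructed sample this reports discard and daytime as enabled and treats time as disabled, since its line is commented out.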

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 12 Mar 2004 01:57:49 +0000
From: Colin Watson <email address hidden>
To: <email address hidden>
Subject: reassign 237535 to netkit-inetd

reassign 237535 netkit-inetd

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 11 Apr 2004 17:07:12 +0200
From: "Per Olofsson" <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Why are these services not disabled?

I agree that these services should be disabled by default. Is there
any good reason why they're not?

--
Pelle

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 28 Jul 2004 23:31:17 +0200
From: Frederik Dannemare <email address hidden>
To: <email address hidden>
Subject: netkit-inetd not in releasable state, imo

severity 237535 serious
merge 237535 261906
thanks

not in releasable state, imo. not until daytime, discard, etc. is off by
default. please fix before sarge freezes.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

*** Bug 7190 has been marked as a duplicate of this bug. ***

Revision history for this message
Matt Zimmerman (mdz) wrote :

This matches Warty's security policy; these services should be disabled by default

Revision history for this message
In , Colin Watson (cjwatson) wrote : not release-critical

severity 261906 normal
thanks

This bug isn't covered by the list of issues meriting a serious bug in
http://release.debian.org/sarge_rc_policy.txt. I don't really buy it
being a security bug either; while it may introduce some small
additional exposure, it doesn't "introduce a security hole on systems
where you install the package", and if that were true then the
vulnerability in inetd should simply be fixed. In general design issues
like this don't merit serious bugs unless the maintainer says so.

I'm therefore setting the severity back to its previous value of normal.
Sorry.

Cheers,

--
Colin Watson [<email address hidden>]

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 29 Jul 2004 02:22:55 +0100
From: Colin Watson <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: Frederik Dannemare <email address hidden>
Subject: not release-critical


Revision history for this message
In , Anthony Towns (aj-taxservices) wrote : severity of 261906 is wishlist

severity 261906 wishlist

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 29 Jul 2004 15:33:22 +1000 (EST)
From: <email address hidden> (Anthony Towns)
To: <email address hidden>
Subject: severity of 261906 is wishlist

severity 261906 wishlist

Revision history for this message
Thom May (thombot) wrote :

netkit-base (0.10-9ubuntu1) warty; urgency=low
 .
   * Disable time, discard and daytime services by default. (Closes: #432)

Revision history for this message
In , Anthony Towns (aj-azure) wrote : Bug#237535: fixed in netkit-base 0.10-10

Source: netkit-base
Source-Version: 0.10-10

We believe that the bug you reported is fixed in the latest version of
netkit-base, which is due to be installed in the Debian FTP archive:

netkit-base_0.10-10.diff.gz
  to pool/main/n/netkit-base/netkit-base_0.10-10.diff.gz
netkit-base_0.10-10.dsc
  to pool/main/n/netkit-base/netkit-base_0.10-10.dsc
netkit-inetd_0.10-10_powerpc.deb
  to pool/main/n/netkit-base/netkit-inetd_0.10-10_powerpc.deb
netkit-ping_0.10-10_powerpc.deb
  to pool/main/n/netkit-base/netkit-ping_0.10-10_powerpc.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anthony Towns <email address hidden> (supplier of updated netkit-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----

Format: 1.7
Date: Mon, 25 Oct 2004 01:53:56 +1000
Source: netkit-base
Binary: netkit-inetd netkit-ping
Architecture: source powerpc
Version: 0.10-10
Distribution: unstable
Urgency: high
Maintainer: Anthony Towns <email address hidden>
Changed-By: Anthony Towns <email address hidden>
Description:
 netkit-inetd - The Internet Superserver
 netkit-ping - The ping utility from netkit
Closes: 237535 261906 275585
Changes:
 netkit-base (0.10-10) unstable; urgency=high
 .
   * The "POSIX got it right, dammit." release.
 .
   * Use non-blocking sockets for UDP built-ins, because Linux's select()
     semantics are broken, but fast. Thanks to Colin Phipps for the
     fix. (Closes: Bug#275585)
   * Don't enable any built-in services by default. (Closes: Bug#237535,
     Bug#261906)
Files:
 aa24d78d3c0a5963b76577ad752e3518 696 net standard netkit-base_0.10-10.dsc
 e22a450e0a422825e08b69a0658c9edd 10607 net standard netkit-base_0.10-10.diff.gz
 c101f59f8953395cc8bea2823d32540a 29868 net standard netkit-inetd_0.10-10_powerpc.deb
 5f249e69ac9724e5f3e8cabcf3a44b1e 19434 net standard netkit-ping_0.10-10_powerpc.deb


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 24 Oct 2004 12:17:06 -0400
From: Anthony Towns <email address hidden>
To: <email address hidden>
Subject: Bug#237535: fixed in netkit-base 0.10-10


Revision history for this message
In , Roberto Jimeno (robertojimenoca) wrote : Bug#237535: it seems it's not fixed

The bug seems to not be fixed because I just installed Debian unstable,
selected to not open the holes, and they are open.

Why does Debian even ship an inetd by default?
Why does Debian include that unuseful code in inetd?
Why would the average user want to have those holes open?

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 04 Nov 2004 13:45:32 GMT
From: ROBERTOJIMENOCA <email address hidden>
To: <email address hidden>
Subject: Bug#237535: it seems it's not fixed


Revision history for this message
In , Joey Hess (joeyh) wrote : tagging 237535

# Automatically generated email from bts, devscripts version 2.8.5
tags 237535 - d-i

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 4 Nov 2004 12:33:00 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: tagging 237535

# Automatically generated email from bts, devscripts version 2.8.5
tags 237535 - d-i

Revision history for this message
Matt Zimmerman (mdz) wrote :

Re-resolving as NOTWARTY to avoid further spam from Debian

Changed in netkit-base:
status: Unknown → Fix Released