Univention Bugzilla – Bug 33254
TCP/UDP port 4660 for NFS?
Last modified: 2017-08-09 16:57:15 CEST
debian/univention-nfs-server.postinst
>     ucr set ...
>         security/packetfilter/package/univention-nfs/tcp/4660/all="ACCEPT" \
>         security/packetfilter/package/univention-nfs/tcp/4660/all/en="NFS" \
>         security/packetfilter/package/univention-nfs/udp/4660/all="ACCEPT" \
>         security/packetfilter/package/univention-nfs/udp/4660/all/en="NFS" \

Why? AFAIK that port doesn't have anything to do with NFS.
Perhaps it was <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484861> = <https://bugzilla.linux-nfs.org/show_bug.cgi?id=177>

Our version of rpc.statd in UCS-3.2 still has that bug:
# rpc.statd -V
rpc.statd version 1.2.2
# ps www `pidof rpc.statd`
  PID TTY      STAT   TIME COMMAND
10657 ?        Ss     0:00 /sbin/rpc.statd --port 32765 --outgoing-port 32766
# lsof -p `pidof rpc.statd` | grep UDP
rpc.statd 10657 statd    5u  IPv4  67650      0t0    UDP *:657
rpc.statd 10657 statd    7u  IPv4  67661      0t0    UDP *:32765
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version; otherwise this issue will be automatically closed in the next weeks.
Our version of nfs-utils is new enough to have the "statd -o" bug fixed:
# dpkg-query -W nfs-common
nfs-common      1:1.2.8-9A~4.2.0.201703011138
# rpc.statd -V
rpc.statd version 1.2.8
# ucr search --brief ^version/
version/erratalevel: 118
version/patchlevel: 1
version/releasename: Lesum
version/version: 4.2

services/univention-nfs/debian/univention-nfs-server.postinst still needs fixing.
This is a security vulnerability as nothing is bound to TCP/UDP port 4660, leaving that open to any internal process taking that port.

Patch:
sed -e '/4660/d' -i services/univention-nfs/debian/univention-nfs-server.postinst
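A check for the condition described in this bug, added here as an example (not part of the original bug report and not Univention's code): it lists firewall ACCEPT rules that have no listening socket behind them. It assumes rules in the `key: value` form that `ucr search --brief` prints and listeners already normalised to `proto port` lines; both sample inputs are constructed.

```shell
#!/bin/sh
# Constructed sample: packetfilter variables in `ucr search --brief` form.
UCR_RULES='security/packetfilter/package/univention-nfs/tcp/4660/all: ACCEPT
security/packetfilter/package/univention-nfs/tcp/4660/all/en: NFS
security/packetfilter/package/univention-nfs/udp/4660/all: ACCEPT
security/packetfilter/package/univention-nfs/udp/4660/all/en: NFS
security/packetfilter/package/univention-nfs/udp/32765/all: ACCEPT
security/packetfilter/package/univention-nfs/tcp/2049/all: ACCEPT'

# Constructed sample: listening sockets, one "proto port" pair per line
# (assumed to be derived from lsof or a similar tool beforehand).
LISTENERS='udp 32765
udp 657
tcp 2049'

# Print "proto/port" for every ACCEPT rule that has no matching listener.
# $1 = rule lines, $2 = listener lines.
unbound_accept_ports() {
    rules=$1
    listeners=$2
    printf '%s\n' "$rules" | LISTENERS_IN="$listeners" awk '
        BEGIN {
            # Build the set of bound proto/port pairs from the environment.
            n = split(ENVIRON["LISTENERS_IN"], l, "\n")
            for (i = 1; i <= n; i++)
                if (split(l[i], f, " ") == 2) bound[f[1] "/" f[2]] = 1
        }
        {
            pos = index($0, ": ")            # split "key: value"
            if (!pos) next
            key = substr($0, 1, pos - 1)
            val = substr($0, pos + 2)
            # Expect security/packetfilter/package/<pkg>/<proto>/<port>/<addr>;
            # description keys such as .../all/en have 8 parts and are skipped.
            k = split(key, p, "/")
            if (k != 7 || p[1] != "security" || p[2] != "packetfilter") next
            if (p[3] != "package" || val != "ACCEPT") next
            id = p[5] "/" p[6]
            if (!(id in bound) && !(id in seen)) { seen[id] = 1; print id }
        }'
}

unbound_accept_ports "$UCR_RULES" "$LISTENERS"
```

Any port this reports is reachable through the firewall but unclaimed, so whichever local process binds it first receives the traffic.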
r81553 | Bug #33254 NFS: Remove old upgrade code
r81552 | Bug #33254 NFS: Remove port 4660 from firewall

Package: univention-nfs
Version: 9.0.0-3A~4.2.0.201707311304
Branch: ucs_4.2-0
Scope: errata4.2-1

r81561 | Bug #32272,Bug #33254,Bug #45101,Bug #25446 NFS. YAML
What I tested:
ucr variables removed after upgrade -> OK
mount share from master on slave -> read/write -> OK
YAML: OK
-> verified
<http://errata.software-univention.de/ucs/4.2/130.html>