Univention Bugzilla – Full Text Bug Listing |
Summary: | TCP/UDP port 4660 for NFS? | ||
---|---|---|---|
Product: | UCS | Reporter: | Philipp Hahn <hahn> |
Component: | NFS | Assignee: | Philipp Hahn <hahn> |
Status: | CLOSED FIXED | QA Contact: | Jürn Brodersen <brodersen> |
Severity: | normal | ||
Priority: | P5 | CC: | gohmann |
Version: | UCS 4.2 | Flags: | hahn: Patch_Available+ |
Target Milestone: | UCS 4.2-1-errata | ||
Hardware: | All | ||
OS: | Linux | ||
What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: |

Perhaps it was <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484861> = <https://bugzilla.linux-nfs.org/show_bug.cgi?id=177>

Our version of rpc.statd in UCS-3.2 still has that bug:

    # rpc.statd -V
    rpc.statd version 1.2.2
    # ps www `pidof rpc.statd`
    PID TTY STAT TIME COMMAND
    10657 ? Ss 0:00 /sbin/rpc.statd --port 32765 --outgoing-port 32766
    # lsof -p `pidof rpc.statd` | grep UDP
    rpc.statd 10657 statd 5u IPv4 67650 0t0 UDP *:657
    rpc.statd 10657 statd 7u IPv4 67661 0t0 UDP *:32765

This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version, otherwise this issue will be automatically closed in the next weeks.

Our version of nfs-utils is new enough to have the "statd -o" bug fixed:

    # dpkg-query -W nfs-common
    nfs-common 1:1.2.8-9A~4.2.0.201703011138
    # rpc.statd -V
    rpc.statd version 1.2.8
    # ucr search --brief ^version/
    version/erratalevel: 118
    version/patchlevel: 1
    version/releasename: Lesum
    version/version: 4.2

services/univention-nfs/debian/univention-nfs-server.postinst still needs fixing.

This is a security vulnerability as nothing is bound to TCP/UDP port 4660, leaving that open to any internal process taking that port.

Patch:

    sed -e '/4660/d' -i services/univention-nfs/debian/univention-nfs-server.postinst

r81553 | Bug #33254 NFS: Remove old upgrade code
r81552 | Bug #33254 NFS: Remove port 4660 from firewall

Package: univention-nfs
Version: 9.0.0-3A~4.2.0.201707311304
Branch: ucs_4.2-0
Scope: errata4.2-1

r81561 | Bug #32272,Bug #33254,Bug #45101,Bug #25446 NFS. YAML

What I tested:
ucr variables removed after upgrade -> OK
mount share from master on slave -> read/write -> OK
YAML: OK
-> verified

debian/univention-nfs-server.postinst
> »··»···ucr set ...
> »··»···»···security/packetfilter/package/univention-nfs/tcp/4660/all="ACCEPT" \
> »··»···»···security/packetfilter/package/univention-nfs/tcp/4660/all/en="NFS" \
> »··»···»···security/packetfilter/package/univention-nfs/udp/4660/all="ACCEPT" \
> »··»···»···security/packetfilter/package/univention-nfs/udp/4660/all/en="NFS" \

Why? AFAIK that port doesn't have anything to do with NFS.
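
A defender-side check for the condition this report describes, a packet-filter ACCEPT rule for a port that no service is bound to, as an added example that is not part of the bug report or of UCS. It assumes the rule text comes from `ucr search --brief ^security/packetfilter/package/` (same `key: value` layout as the `version/` output above) and the socket list from `ss -lntu`; the function names and sample data are constructed for illustration.

```python
import re

# Key layout follows the postinst lines quoted in this report (assumed general).
RULE_RE = re.compile(r"^security/packetfilter/package/(?P<pkg>[^/]+)/"
                     r"(?P<proto>tcp|udp)/(?P<port>\d+)/all:\s*(?P<action>\S+)$")

def accepted_ports(ucr_brief):
    """Map (proto, port) -> packages, from `ucr search --brief` text."""
    rules = {}
    for line in ucr_brief.splitlines():
        m = RULE_RE.match(line.strip())  # ".../all/en" keys do not match
        if m and m.group("action").upper() == "ACCEPT":
            key = (m.group("proto"), int(m.group("port")))
            rules.setdefault(key, set()).add(m.group("pkg"))
    return rules

def listening_ports(ss_output):
    """Return {(proto, port)} from `ss -lntu` text; the header is skipped."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] in ("tcp", "udp"):
            port = fields[4].rsplit(":", 1)[-1]
            if port.isdigit():
                found.add((fields[0], int(port)))
    return found

def unbound_accepts(ucr_brief, ss_output):
    """ACCEPT rules for ports that no local socket is bound to."""
    bound = listening_ports(ss_output)
    return sorted((proto, port, sorted(pkgs))
                  for (proto, port), pkgs in accepted_ports(ucr_brief).items()
                  if (proto, port) not in bound)

# Constructed sample input (not captured from a real host).
SAMPLE_UCR = """\
security/packetfilter/package/univention-nfs/tcp/2049/all: ACCEPT
security/packetfilter/package/univention-nfs/tcp/4660/all: ACCEPT
security/packetfilter/package/univention-nfs/tcp/4660/all/en: NFS
security/packetfilter/package/univention-nfs/udp/4660/all: ACCEPT
"""
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      64     *:2049             *:*
udp   UNCONN 0      0      *:32765            *:*
"""

if __name__ == "__main__":
    for proto, port, pkgs in unbound_accepts(SAMPLE_UCR, SAMPLE_SS):
        print(f"{proto}/{port}: ACCEPT by {', '.join(pkgs)}, no listener")
```

The result reflects only the moment the socket list was taken, so a port used by a service that is stopped or started on demand will also be reported and needs a manual look.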