vino http server binds to external interfaces despite local_only configuration

Filed upstream:

https://bugzilla.gnome.org/show_bug.cgi?id=674268

Thank you for your bug report, that's the Ubuntu bug tracker you are using and not the Debian one though, is that an issue as well in the current Ubuntu version?

I mistakenly filed this bug with Ubuntu, when it would be more appropriate to file it with Debian or with Gnome (which I've also done). I cannot say whether this bug occurs with the current Ubuntu release, though I'd suspect that it does.

thanks, let's see what upstream says

As far as I know, the HTTP server is Vino is not used in Ubuntu. So as a workaround, the HTTP server can be disabled by passing the --disable-http-server flag during configuration.

The attachment "Patch for debian/rules to disable HTTP server" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Thanks for the patch! I'm uncomfortable ACKing this patch without more supporting information that it disabling it won't break people. I think the proper thing to do is continue to wait on upstream's response. It would probably make the process go quicker if a patch was submitted upstream that fixed the buggy behavior.

Unsubscribing ubuntu-sponsors for now. If you'd like to have a patch applied to Ubuntu, please link to a bzr branch or supply a debdiff (see https://wiki.ubuntu.com/SponsorshipProcess for details).

Thanks again.

Current situation on 14.04 LTS is the port 5800 is still open and currently responds to HTTP requests with:

<html><head><title>File Not Found</title></head>
<body><h1>File Not Found</h1></body></html>

Verified this was vino by killing it to see the port closed. Verified on a remote machine. In my testing I used the instructions in https://help.ubuntu.com/community/VNC/Servers were followed to allow only local connections.

This bug was fixed in the package vino - 3.8.1-0ubuntu7

---------------
vino (3.8.1-0ubuntu7) xenial; urgency=medium

  * debian/patches/git_struct_init.patch:
    - "Be more careful with memory allocation", should fix some of the
      segfault issues reports (lp: #987287)
  * debian/patches/git_small_bugfixes.patch:
    - backport some easy bugfixes
  * debian/patches/git_no_http_server.patch:
    - remove http server, it's not used and listen on interfaces for no
      reason (lp: #984093)

 -- Sebastien Bacher <email address hidden> Fri, 20 Nov 2015 16:51:19 +0100