2011-02-24 00:23:59 |
Ivan Kharlamov |
bug |
|
|
added bug |
2011-02-24 00:32:02 |
Ivan Kharlamov |
summary |
Lucid rsnapshot package turns on remote access |
Lucid rsnapshot package turns remote access on |
|
2011-02-24 00:33:15 |
Ivan Kharlamov |
description |
Binary package hint: rsnapshot
When installed on Ubuntu Lucid Desktop, rsnapshot pulls in the whole ssh metapackage, which it doesn't need, therefore making the machine vulnerable to dictionary attacks.
Rsnapshot is designed to pull snapshots from remote computers; it is NOT dependent on openssh-server and its typical usage scenarios do NOT involve openssh-server usage on the client side.
In Maverick the rsnapshot package doesn't introduce this vulnerability (since rsnapshot installation doesn't pull in openssh-server on Maverick).
The default sshd_config which is automatically installed with the openssh-server package allows passworded remote access (which is IMHO a strange default policy, but that's another issue).
Steps to reproduce vulnerability:
1. Perform a clean Ubuntu Lucid install.
2. # apt-get update
# apt-get upgrade
3. # apt-get install rsnapshot
4. Now your port 22 is open and you are able to access the machine from the outside, just use your username and password.
I installed the rsnapshot package on my Lucid Desktop a few weeks ago to back up data from a remote server. And now I've discovered that port 22 is open and the sshd daemon is running and accepting login attempts from external botnets. After reading the logs I've traced this problem to this package. For me this is disturbing since I use this machine at home and typically don't turn password authentication off, assuming that remote access to my machine is disabled. |
Binary package hint: rsnapshot
When installed on Ubuntu Lucid Desktop, rsnapshot pulls in the whole ssh metapackage, which it doesn't need, therefore making the machine vulnerable to dictionary attacks.
Rsnapshot is designed to pull snapshots from remote computers; it is NOT dependent on openssh-server and its typical usage scenarios do NOT involve openssh-server usage on the client side.
In Maverick the rsnapshot package doesn't introduce this vulnerability (since rsnapshot installation doesn't pull in openssh-server on Maverick).
The default sshd_config which is automatically installed with the openssh-server package allows passworded remote access (which is IMHO a strange default policy for a desktop distribution, but that's another issue).
Steps to reproduce vulnerability:
1. Perform a clean Ubuntu Lucid install.
2. # apt-get update
# apt-get upgrade
3. # apt-get install rsnapshot
4. Now your port 22 is open and you are able to access the machine from the outside, just use your username and password.
I installed the rsnapshot package on my Lucid Desktop a few weeks ago to back up data from a remote server. And now I've discovered that port 22 is open and the sshd daemon is running and accepting login attempts from external botnets. After reading the logs I've traced this problem to this package. For me this is disturbing since I use this machine at home and typically don't turn password authentication off, assuming that remote access to my machine is disabled. |
|
2011-02-24 00:46:11 |
Ivan Kharlamov |
description |
Binary package hint: rsnapshot
When installed on Ubuntu Lucid Desktop, rsnapshot pulls in the whole ssh metapackage, which it doesn't need, therefore making the machine vulnerable to dictionary attacks.
Rsnapshot is designed to pull snapshots from remote computers; it is NOT dependent on openssh-server and its typical usage scenarios do NOT involve openssh-server usage on the client side.
In Maverick the rsnapshot package doesn't introduce this vulnerability (since rsnapshot installation doesn't pull in openssh-server on Maverick).
The default sshd_config which is automatically installed with the openssh-server package allows passworded remote access (which is IMHO a strange default policy for a desktop distribution, but that's another issue).
Steps to reproduce vulnerability:
1. Perform a clean Ubuntu Lucid install.
2. # apt-get update
# apt-get upgrade
3. # apt-get install rsnapshot
4. Now your port 22 is open and you are able to access the machine from the outside, just use your username and password.
I installed the rsnapshot package on my Lucid Desktop a few weeks ago to back up data from a remote server. To my surprise I've discovered that port 22 is open and the sshd daemon is running and accepting login attempts from external botnets. After reading the logs I've traced this problem to this package. For me this is disturbing since I use this machine at home and typically don't turn password authentication off, assuming that remote access to my machine is disabled. |
|
2011-02-26 12:59:28 |
Ivan Kharlamov |
description |
Binary package hint: rsnapshot
When installed on Ubuntu Lucid Desktop, rsnapshot pulls in the whole ssh metapackage, which it doesn't need, therefore making the machine exposed to dictionary attacks.
Rsnapshot is designed to pull snapshots from remote computers; it is NOT dependent on openssh-server and its typical usage scenarios do NOT involve openssh-server usage on the client side.
In Maverick the rsnapshot package doesn't introduce this vulnerability (since rsnapshot installation doesn't pull in openssh-server on Maverick).
The default sshd_config which is automatically installed with the openssh-server package allows passworded remote access (which is IMHO a strange default policy for a desktop distribution, but that's another issue).
Steps to reproduce vulnerability:
1. Perform a clean Ubuntu Lucid install.
2. # apt-get update
# apt-get upgrade
3. # apt-get install rsnapshot
4. Now your port 22 is open and you are able to access the machine from the outside, just use your username and password.
I installed the rsnapshot package on my Lucid Desktop a few weeks ago to back up data from a remote server. To my surprise I've discovered that port 22 is open and the sshd daemon is running and accepting login attempts from external botnets. After reading the logs I've traced this problem to this package. For me this is disturbing since I use this machine at home and typically don't turn password authentication off, assuming that remote access to my machine is disabled. |
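The report above combines two conditions: a package install that drags in openssh-server, and a stock sshd_config that leaves password logins on. The script below is an added example (not from the bug report or the rsnapshot project) of checking both before and after an install; it reads text on stdin so it can be run against captured `apt-get -s` output and a copied sshd_config, and the sample inputs at the bottom are constructed, with VERSION as a placeholder.

```shell
#!/bin/sh
# Added example: defender-side checks for the two conditions in this bug.
# Both functions read text on stdin and signal the result by exit status.

# Reads `apt-get -s install <pkg>` (dry-run) output; exit 0 if openssh-server
# is among the packages the simulation would install ("Inst <pkg> (...)").
would_install_sshd() {
    awk '$1 == "Inst" && $2 == "openssh-server" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Reads an sshd_config; exit 0 if password authentication is effectively on.
# sshd uses the first value it obtains for a directive and defaults
# PasswordAuthentication to "yes" when the directive is absent, so a config
# that only carries the commented-out "#PasswordAuthentication yes" line
# still counts as enabled. (Match blocks are not modelled here.)
password_auth_enabled() {
    awk '{ gsub(/=/, " ") }                      # accept "keyword=value" form
         NF == 0 || $1 ~ /^#/ { next }           # skip blank and comment lines
         !seen && tolower($1) == "passwordauthentication" {
             seen = 1; val = tolower($2)         # first occurrence wins
         }
         END { if (!seen) val = "yes"; exit val == "yes" ? 0 : 1 }'
}

# Constructed sample: what a dry run of the affected Lucid package might show.
sample_dryrun='Inst ssh (VERSION Ubuntu:10.04/lucid [all])
Inst openssh-server (VERSION Ubuntu:10.04/lucid [i386])
Inst rsnapshot (VERSION Ubuntu:10.04/lucid [all])'

# Constructed sample: stock-style sshd_config with the directive commented out.
sample_sshd_config='# Package generated configuration file
Port 22
#PasswordAuthentication yes
UsePAM yes'

if printf '%s\n' "$sample_dryrun" | would_install_sshd; then
    echo "dry run would install openssh-server"
fi
if printf '%s\n' "$sample_sshd_config" | password_auth_enabled; then
    echo "password authentication is effectively enabled"
fi
```

On a real system, feed it `apt-get -s install rsnapshot` before installing, and `/etc/ssh/sshd_config` afterwards.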
|
2011-02-26 13:38:07 |
Ivan Kharlamov |
visibility |
private |
public |
|
2011-02-27 14:54:48 |
Ivan Kharlamov |
branch linked |
|
lp:ubuntu/lucid/rsnapshot |
|
2011-02-27 15:30:53 |
Ivan Kharlamov |
branch linked |
|
lp:rsnapshot |
|
2011-02-27 15:31:39 |
Ivan Kharlamov |
branch unlinked |
lp:ubuntu/lucid/rsnapshot |
|
|
2011-03-08 15:32:32 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Lucid |
|
2011-03-08 15:32:32 |
Marc Deslauriers |
bug task added |
|
rsnapshot (Ubuntu Lucid) |
|
2011-03-08 15:32:32 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Maverick |
|
2011-03-08 15:32:32 |
Marc Deslauriers |
bug task added |
|
rsnapshot (Ubuntu Maverick) |
|
2011-03-08 15:32:32 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Natty |
|
2011-03-08 15:32:32 |
Marc Deslauriers |
bug task added |
|
rsnapshot (Ubuntu Natty) |
|
2011-03-08 15:32:42 |
Marc Deslauriers |
rsnapshot (Ubuntu Maverick): status |
New |
Fix Released |
|
2011-03-08 15:32:47 |
Marc Deslauriers |
rsnapshot (Ubuntu Natty): status |
New |
Fix Released |
|
2011-03-08 15:32:54 |
Marc Deslauriers |
rsnapshot (Ubuntu Lucid): status |
New |
Confirmed |
|
2011-03-08 15:33:01 |
Marc Deslauriers |
rsnapshot (Ubuntu Lucid): importance |
Undecided |
Medium |
|
2015-05-10 20:54:18 |
Guillaume Delacour |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=422262 |
|
2015-06-17 11:20:13 |
Rolf Leggewie |
rsnapshot (Ubuntu Lucid): status |
Confirmed |
Won't Fix |
|