Report forwarded to debian-bugs-dist@lists.debian.org, Ross Burton <ross@debian.org>: Bug#353787; Package avahi-daemon.
Acknowledgement sent to Aliban <aliban@gmx.net>:
New Bug report received and forwarded. Copy sent to Ross Burton <ross@debian.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: avahi-daemon: Automatically installed and listening on all interfaces.
Date: Mon, 20 Feb 2006 23:22:29 +0100
Package: avahi-daemon
Version: 0.6.6-1
Severity: normal
I don't know why this pkg was installed in my testing. For sure I did not install it directly, maybe it was some strange dependency from something?
Anyway, this thing listens on all interfaces by default. I think this design is insecure. It should bind to localhost only (ok, this might not make
sense for such a service) OR it should ask the user for the interfaces it binds to.
Please change the installer's behaviour.
Thank you.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-k7
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Reply sent to sjoerd@spring.luon.net (Sjoerd Simons):
You have taken responsibility.
Notification sent to Aliban <aliban@gmx.net>:
Bug acknowledged by developer.
To: Aliban <aliban@gmx.net>, 353787-done@bugs.debian.org
Subject: Re: Bug#353787: avahi-daemon: Automatically installed and listening on all interfaces.
Date: Tue, 21 Feb 2006 00:39:13 +0100
On Mon, Feb 20, 2006 at 11:22:29PM +0100, Aliban wrote:
> Package: avahi-daemon
> Version: 0.6.6-1
> Severity: normal
>
> I don't know why this pkg was installed in my testing. For sure I did not
> install it directly, maybe it was some strange dependency from something?
No strange dependencies. You probably got it because rhythmbox recommends it.
> Anyway, this thing listens on all interfaces by default. I think this design
> is insecure. It should bind to localhost only (ok, this might not make sense
> for such a service) OR it should ask the user for the interfaces it binds to.
Uhm, yeah, well, an mDNS daemon that only listens on lo is completely useless.
If you had looked a little bit further you might have seen that the daemon
runs as an unprivileged user, version 0.6.6-2 of the package even runs in a
minimal chroot environment, so it's actually quite secure by design.
> Please change the installer's behaviour.
If you don't want it, purge it from your system. Afaik everything that doesn't
directly need it only recommends it. Closing this bug
Sjoerd
--
We gave you an atomic bomb, what do you want, mermaids?
-- I. I. Rabi to the Atomic Energy Commission
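A check for the two points argued in the exchange above, added here as an example and not part of the original bug log: it reads a table in `/proc/net/udp` format and lists the IPv4 UDP sockets bound to the wildcard address (all interfaces) together with the owning UID, so both "listens on all interfaces" and "runs as an unprivileged user" can be verified on a host. The sample table, including UID 105 for the mDNS socket, is constructed.

```python
import ipaddress

# Constructed sample in /proc/net/udp format (not captured from a real host).
# Ports are hex: 14E9 = 5353 (mDNS), 0035 = 53, 0044 = 68.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000   105        0 12345 2 0000000000000000 0
  102: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 0000000000000000 0
  103: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12347 2 0000000000000000 0
"""


def wildcard_udp_listeners(table_text):
    """Return IPv4 UDP sockets bound to 0.0.0.0, with port and owning UID.

    Assumes a little-endian host (such as the reporter's i386), where the
    kernel prints 127.0.0.1 as 0100007F. IPv6 sockets live in
    /proc/net/udp6 and are not handled here.
    """
    findings = []
    for line in table_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue  # blank or truncated row
        addr_hex, port_hex = fields[1].split(":")
        ip = ipaddress.IPv4Address(int(addr_hex, 16).to_bytes(4, "little"))
        if not ip.is_unspecified:
            continue  # bound to one specific address, e.g. loopback
        uid = int(fields[7])
        findings.append(
            {"port": int(port_hex, 16), "uid": uid, "runs_as_root": uid == 0}
        )
    return sorted(findings, key=lambda f: f["port"])


if __name__ == "__main__":
    # On a live Linux host, pass open("/proc/net/udp").read() instead.
    for f in wildcard_udp_listeners(SAMPLE_PROC_NET_UDP):
        owner = "root" if f["runs_as_root"] else "uid %d" % f["uid"]
        print("udp 0.0.0.0:%d owned by %s" % (f["port"], owner))
```
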
Bug reopened, originator not changed.
Request was from Javier Fernández-Sanguino Peña <jfs@computer.org>
to control@bugs.debian.org.
Severity set to `wishlist'.
Request was from Javier Fernández-Sanguino Peña <jfs@computer.org>
to control@bugs.debian.org.
Bug reassigned from package `avahi-daemon' to `gnome'.
Request was from Javier Fernández-Sanguino Peña <jfs@computer.org>
to control@bugs.debian.org.
Merged 353787 355064.
Request was from Javier Fernández-Sanguino Peña <jfs@computer.org>
to control@bugs.debian.org.
Reply sent
to Emilio Pozuelo Monfort <pochu@debian.org>:
You have taken responsibility.
(Sun, 28 Feb 2010 18:12:14 GMT)
Notification sent
to Aliban <aliban@gmx.net>:
Bug acknowledged by developer.
(Sun, 28 Feb 2010 18:12:14 GMT)
Subject: avahi-daemon: Automatically installed and listening on all interfaces.
Date: Sun, 28 Feb 2010 19:06:33 +0100
Description: The GNOME Desktop Environment, with extra components
This is the GNOME Desktop environment, an intuitive and attractive
desktop, with extra components.
.
This package depends on the standard distribution of the GNOME desktop
environment, plus a complete range of plugins and other applications
integrating with GNOME and Debian, providing the best possible
environment to date.
avahi-daemon is one of the extra components in the description. If you don't
want it, you can remove it and install e.g. gnome-desktop-environment (which
only depends on the GNOME desktop).
Emilio
Reply sent
to Emilio Pozuelo Monfort <pochu@debian.org>:
You have taken responsibility.
(Sun, 28 Feb 2010 18:12:15 GMT)
Notification sent
to Michael Stone <mstone@debian.org>:
Bug acknowledged by developer.
(Sun, 28 Feb 2010 18:12:15 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 29 Mar 2010 07:39:40 GMT)