Arch Linux


FS#44325 - [avahi] Remove browse-domains from conf file

Attached to Project: Arch Linux
Opened by Eike M Wülfers (emw) - Tuesday, 24 March 2015, 17:26 GMT
Last edited by Gaetan Bisson (vesath) - Thursday, 26 March 2015, 00:09 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Gaetan Bisson (vesath)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
The installed file /etc/avahi/avahi-daemon.conf contains the line

browse-domains=0pointer.de, zeroconf.org

I was first thinking that it might be an example line that got uncommented accidentally, but it is uncommented in Debian as well [1].
The avahi website is only displaying a generic web-server landing page currently, so no help either [2].

I have to admit that I don't know much about avahi, but why would I want to browse e.g. Lennart's domain for avahi services?
In avahi-discover, the other domain at least shows a lot of (probably) example services with IP 10.1.2.3. Also pretty useless as a user, though.

Would it break something to comment this line by default?

---
[1] http://anonscm.debian.org/cgit/pkg-utopia/avahi.git/tree/avahi-daemon/avahi-daemon.conf
[2] http://avahi.org/

Additional info:
* Package version 0.6.31-14
* config and/or log files etc.


Steps to reproduce:
* Install the package.

Closed by Gaetan Bisson (vesath) - Thursday, 26 March 2015, 00:09 GMT
Reason for closing: Fixed
Additional comments about closing: avahi-0.6.31-15 in [extra]
Comment by Eike M Wülfers (emw) - Tuesday, 24 March 2015, 18:39 GMT
Sorry, I forgot to edit the title.

Fedora apparently turned the domains off for being a security issue: http://fedoraproject.org/wiki/Desktop/Whiteboards/AvahiDefault#Unnecessary_attack_vector:_browse-domains
Comment by Gaetan Bisson (vesath) - Tuesday, 24 March 2015, 19:27 GMT
We ship upstream's default avahi-daemon.conf; could you bring this issue up with them? This is the preferred way to fix upstream issues when there is no imminent risk. Thanks.
Comment by Eike M Wülfers (emw) - Tuesday, 24 March 2015, 19:29 GMT
Ok, thanks. Will try once their site is up again.
Comment by AK (Andreaskem) - Tuesday, 24 March 2015, 22:23 GMT
You might want to try the mailing list:
http://lists.freedesktop.org/mailman/listinfo/avahi
Comment by Jan de Groot (JGC) - Wednesday, 25 March 2015, 15:50 GMT
Avahi hasn't seen a release in 3 years. This bug is already fixed upstream, so there's no point in requesting this upstream.
Comment by Eike M Wülfers (emw) - Wednesday, 25 March 2015, 21:10 GMT
Thanks. Yes, it is fixed in Lennart's repository. They also made this sensible change [1] to not announce the workstation info.

So what do you think? Is this an attack vector?
At least one might find it a privacy issue that 0pointer.de and zeroconf.org could log their mDNS requests.

----
[1] http://git.0pointer.net/avahi.git/commit/avahi-daemon/avahi-daemon.conf?id=530fbb59abafb970ef1dd8f61571b13fb0918b23
Comment by Gaetan Bisson (vesath) - Wednesday, 25 March 2015, 23:14 GMT
Thanks everyone for your input; I'll switch our avahi upstream source to a git snapshot.
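
An added example, not part of this thread or of the Arch package: a small audit that reads an avahi-daemon.conf body and reports any active browse-domains entries and an explicit publish-workstation=yes, the two settings discussed above. The function name and both sample files are constructed for illustration; on a real system the text would come from /etc/avahi/avahi-daemon.conf.

```python
import configparser

# Constructed sample: the browse-domains line quoted in the report, plus an
# explicit publish-workstation=yes (assumed here for illustration).
SHIPPED = """\
[server]
#host-name=foo
browse-domains=0pointer.de, zeroconf.org
use-ipv4=yes

[publish]
publish-workstation=yes
"""

# Constructed sample: the same file with the domain list commented out.
HARDENED = """\
[server]
#host-name=foo
#browse-domains=0pointer.de, zeroconf.org
use-ipv4=yes

[publish]
publish-workstation=no
"""

def audit_avahi_conf(text):
    """Return (section, key, detail) findings for an avahi-daemon.conf body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # lines starting with '#' are treated as comments
    findings = []
    # An active browse-domains entry adds domains to the list the daemon
    # browses for services; report each configured domain separately.
    raw = cp.get("server", "browse-domains", fallback="")
    for domain in (d.strip() for d in raw.split(",")):
        if domain:
            findings.append(("server", "browse-domains", domain))
    # Only an explicit "yes" is flagged; the built-in default is not assumed.
    value = cp.get("publish", "publish-workstation", fallback="")
    if value.strip().lower() == "yes":
        findings.append(("publish", "publish-workstation", "yes"))
    return findings

if __name__ == "__main__":
    for name, body in (("shipped", SHIPPED), ("hardened", HARDENED)):
        print(name, audit_avahi_conf(body))
```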
