Security flaw found in systemd
Security flaw found in systemd: article link here:
https://www.theregister.co.uk/2018/10/2 ... hcpv6_rce/
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: Security flaw found in systemd
How to disable it?
Re: Security flaw found in systemd
Network Manager settings, IPv6 choose disable/ignore and then there is a way to edit /etc/default/grub and add something to
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
like ipv6.disable=1
inside the quotes
Re: Security flaw found in systemd
Why would grub need to be edited?
Re: Security flaw found in systemd
they say this is more of an ipv6 flaw and not so much systemd but still, like JeremyB says i also disabled ipv6 long ago
first i disabled it in my wifi router/modem
then disabled it in my etc/hosts
then disabled it in network tray icon
here's more ways to disable it http://ask.xmodulo.com/disable-ipv6-linux.html
@JeremyB
is there a difference from disabling in etc/default/grub using 2 lines?
Code: Select all
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="ipv6.disable=1"
ps: if you edit etc/default/grub be sure to run
Code: Select all
sudo update-grub
Re: Security flaw found in systemd
The grub way is system wide.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
Re: Security flaw found in systemd
trytip wrote: ⤴Sat Oct 27, 2018 6:28 pm
they say this is more of an ipv6 flaw and not so much systemd but still, like JeremyB says i also disabled ipv6 long ago
first i disabled it in my wifi router/modem
then disabled it in my etc/hosts
then disabled it in network tray icon
here's more ways to disable it http://ask.xmodulo.com/disable-ipv6-linux.html
@JeremyB
is there a difference from disabling in etc/default/grub using 2 lines?
Code: Select all
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="ipv6.disable=1"
ps: if you edit etc/default/grub be sure to run
Code: Select all
sudo update-grub
Not sure as I just use Network Manager to disable but I tried the grub method and it wasn't much different in results, but not the method you speak of
Re: Security flaw found in systemd
hi schultz, here's the procedure to disable IPV6.
Code: Select all
gksudo xed /etc/default/grub
Edit the bold face line that starts as "GRUB_CMDLINE_LINUX_DEFAULT"...by deleting it and putting this one in its place
Code: Select all
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
X out and "save" when prompted to do so
Then in terminal
Code: Select all
sudo update-grub
Then: Reboot
Test
Code: Select all
test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
if this comes back with no response, you have succeeded.
Re: Security flaw found in systemd
there is no difference if you use
Code: Select all
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="ipv6.disable=1"
or
Code: Select all
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
GRUB_CMDLINE_LINUX=""
you get the same result, so i'll leave it as so.
Re: Security flaw found in systemd
the only difference is that (GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash") does it all in one step rather than 2 without being confusing.
Re: Security flaw found in systemd
The actual difference is that the DEFAULT line is not applied for recovery boots. That aside it's all the same.
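The difference described in the post above, as an added example that is not part of the original thread: a shell check that reports whether ipv6.disable=1 in a grub defaults file reaches every menu entry or only the normal ones. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): where does ipv6.disable=1 take effect?
# GRUB_CMDLINE_LINUX applies to every generated menu entry, recovery included;
# GRUB_CMDLINE_LINUX_DEFAULT applies to the normal entries only.

# has_flag STRING -> success if ipv6.disable=1 is a whole word in STRING
has_flag() {
    case " $1 " in
        *" ipv6.disable=1 "*) return 0 ;;
    esac
    return 1
}

# ipv6_disable_scope [FILE] -> prints all-entries | normal-entries-only | not-set
ipv6_disable_scope() {
    file=${1:-/etc/default/grub}
    [ -r "$file" ] || { echo "unreadable"; return 1; }
    case $file in */*) ;; *) file=./$file ;; esac   # keep '.' from searching PATH
    (
        # The file is a shell fragment (grub-mkconfig sources it too), so it is
        # sourced here in a subshell to keep its variables out of the caller.
        GRUB_CMDLINE_LINUX='' GRUB_CMDLINE_LINUX_DEFAULT=''
        . "$file" >/dev/null 2>&1
        if has_flag "$GRUB_CMDLINE_LINUX"; then
            echo "all-entries"
        elif has_flag "$GRUB_CMDLINE_LINUX_DEFAULT"; then
            echo "normal-entries-only"
        else
            echo "not-set"
        fi
    )
}

# Constructed sample files mirroring the two variants posted above.
demo_dir=$(mktemp -d)
printf '%s\n' 'GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"' \
    'GRUB_CMDLINE_LINUX="ipv6.disable=1"' > "$demo_dir/two-line"
printf '%s\n' 'GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"' \
    'GRUB_CMDLINE_LINUX=""' > "$demo_dir/one-line"
echo "two-line: $(ipv6_disable_scope "$demo_dir/two-line")"
echo "one-line: $(ipv6_disable_scope "$demo_dir/one-line")"
rm -rf "$demo_dir"
```

Called with no argument, ipv6_disable_scope reads /etc/default/grub; the result only describes the file, so it matches the running system only after update-grub and a reboot.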
Re: Security flaw found in systemd
In my modem/router setup, I see this
IPv6 6rd Tunnel Status: DISABLED
What is "6rd Tunnel Status"? Does this mean that IPv6 (all of it) is disabled?
Re: Security flaw found in systemd
No, that just means your ISP is not using https://en.wikipedia.org/wiki/IPv6_rapid_deployment
Re: Security flaw found in systemd
Thanks for the info gm10. I don't think IPv6 is enabled anyway in my router; everything else concerning IPv6 is marked "N/A."
But I disabled IPv6 also in grub to be doubly sure.
Re: Security flaw found in systemd
...very theoretically (aka, don't take such seriously),
since the bug is in the way systemd-networkd's dhcpv6 client handles router advertisements,
*maybe* it would be enough to just disable those ones via sysctl than the whole IPv6 stack.
...again, that's a huge *maybe*, left it here merely for the sake of discussion / 'academic reasons' to speak of,
and to be perfectly honest, in case someone knows better & could verify such, and thereby satisfy my own curiosity...
Not that it really matters much on desktop systems: very few people use IPv6 in the first place,
hence disabling it altogether (ipv6.disable=1) is the easiest & most sane option.
Re: Security flaw found in systemd
Hi Schultz, & Everyone Else,
You and everyone else should know that Linux does not waste time fixing these kinds of issues. According to the article you already linked:
Systemd creator Leonard Poettering has already published a security fix for the vulnerable component – this should be weaving its way into distros as we type.
Disable IPv6 if it's not supported
See #2 & #3 to set priority to "IPv4" (I use #2 & #3)
http://www.blackmoreops.com/2015/08/04/ ... -in-linux/
Another good article on "Disabling IPv6"
http://www.binarytides.com/disable-ipv6-ubuntu/
IPv6 test - IPv6/4 connectivity and speed test
http://ipv6-test.com/
Hope this helps ...
Phd21: Mint 20 Cinnamon & KDE Neon 64-bit Awesome OS's, Dell Inspiron I5 7000 (7573, quad core i5-8250U ) 2 in 1 touch screen
Re: Security flaw found in systemd
DAMIEN1307 wrote: ⤴Sat Oct 27, 2018 6:38 pm
Test
if this comes back with no response, you have succeeded.
Code: Select all
test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
before reboot:
Code: Select all
anyuser@OEMTUFFBOOK:~$ test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
Running kernel is IPv6 ready
anyuser@OEMTUFFBOOK:~$
Code: Select all
anyuser@OEMTUFFBOOK:~$ test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
anyuser@OEMTUFFBOOK:~$
since I've done this grub update (already had done sysctl.conf edit months back) will the issue of apps/programs trying ip6 go away since system is loaded with no ip6 support now, or is it advisable to add to comment out the ip6 lines in etc/hosts as well?
from trytip's mention and link:
Code: Select all
# comment these IPv6 hosts
# ::1 ip6-localhost ip6-loopback
# fe00::0 ip6-localnet
# ff00::0 ip6-mcastprefix
# ff02::1 ip6-allnodes
# ff02::2 ip6-allrouters
Re: Security flaw found in systemd
phd21 wrote: ⤴Sun Oct 28, 2018 12:35 am
Hi Schultz, & Everyone Else,
You and everyone else should know that Linux does not waste time fixing these kinds of issues. According to the article you already linked:
Systemd creator Leonard Poettering has already published a security fix for the vulnerable component – this should be weaving its way into distros as we type.
Exactly. I expect a fix (level 4) for Mint 19 / Ubuntu 18.04 within days.
Security flaws are being discovered, and fixed, on an almost daily basis. That's why we get those frequent security updates....
So: no worries, mates. Business as usual.
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Re: Security flaw found in systemd
Pjotr wrote:
Security flaws are being discovered, and fixed, on an almost daily basis.
That's true, but are we to see this more often since systemd seems to be hooked into just about everything? (I don't mean that in a carte blanche way, so nobody jump all over me about it.)