[Pkg-utopia-maintainers] Bug#968755: network-manager: Privacy settings should again be enabled by default

thefoo thefoo at foo.fo
Thu Aug 20 23:31:35 BST 2020


Package: network-manager
Version: 1.26.2-1
Severity: important
Tags: ipv6 security patch
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

Dear maintainer,

This is basically a follow-up for bug 622845 from 2013, where people wanted IPv6 privacy extensions enabled by default for desktops/laptops but not for servers, and the "solution" was to rely on network-manager doing this because it's often installed on such systems.
It also obsoletes bug 668462.

Problem is, for a long time now the behaviour of NM is different than in 2013.

It allows setting "ip6-privacy" per connection, which works and is mirrored to the connection's sysctl use_tempaddr too (on connecting).
If that setting is not set or -1 in the connection config file, it searches global configs in /etc/NetworkManager.
If it's still not there, it finally reads from /proc/sys/net/ipv6/conf/default/use_tempaddr which is default 0 in Debian (for server use cases).

Therefore, effectively, using NM does NOT use privacy extensions by default, for years now.

Please change /etc/NetworkManager/NetworkManager.conf or add some file in /etc/NetworkManager/conf.d/ in Debian packets, where
ip6-privacy=2
is set, so that average non-server users finally are better protected against tracking again.

Thank you


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.7.0-2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages network-manager depends on:
ii  adduser          3.118
ii  dbus             1.12.20-1
ii  libaudit1        1:2.8.5-3+b1
ii  libbluetooth3    5.50-1.2
ii  libc6            2.30-4
ii  libcurl3-gnutls  7.68.0-1+b1
ii  libglib2.0-0     2.64.4-1
ii  libgnutls30      3.6.14-2+b1
ii  libjansson4      2.13.1-1
ii  libmm-glib0      1.14.0-0.1
ii  libndp0          1.6-1+b1
ii  libnewt0.52      0.52.21-4+b1
ii  libnm0           1.26.2-1
ii  libpam-systemd   246.2-1
ii  libpsl5          0.21.0-1.1
ii  libreadline8     8.0-4
ii  libselinux1      3.1-2
ii  libsystemd0      246.2-1
ii  libteamdctl0     1.30-1
ii  libudev1         246.2-1
ii  libuuid1         2.36-2
ii  policykit-1      0.105-29
ii  udev             246.2-1
ii  wpasupplicant    2:2.9.0-13

Versions of packages network-manager recommends:
ii  crda                         4.14+git20191112.9856751-1
ii  dnsmasq-base [dnsmasq-base]  2.82-1
ii  iptables                     1.8.5-2
ii  modemmanager                 1.14.0-0.1
ii  ppp                          2.4.7-2+4.1+deb10u1

Versions of packages network-manager suggests:
ii  isc-dhcp-client  4.4.1-2.1+b2
pn  libteam-utils    <none>

-- no debconf information
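
The lookup order described in the report (connection profile, then global NetworkManager config, then the kernel default sysctl) can be audited with the following added example, which is not part of the original report or of NetworkManager itself. It assumes a keyfile-format profile and the global key `ipv6.ip6-privacy` in a `[connection]` section as documented in NetworkManager.conf(5); as a simplification it ignores device-matched `[connection-*]` sections and snippet directories outside /etc, and the function names are hypothetical.

```python
import configparser
from pathlib import Path

KEY = "ip6-privacy"

def read_ini(path):
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read(path)  # missing files are silently skipped
    return cp

def is_set(value):
    """True if the value is present and not the 'unset' marker -1."""
    return value is not None and value.strip() not in ("", "-1")

def effective_ip6_privacy(profile, root="/"):
    """Return (value, source) following the lookup order from the report."""
    root = Path(root)
    # 1. Per-connection setting: [ipv6] ip6-privacy in the profile
    v = read_ini(profile).get("ipv6", KEY, fallback=None)
    if is_set(v):
        return int(v), "connection profile"
    # 2. Global defaults; files read later override earlier ones
    nm = root / "etc/NetworkManager"
    v = None
    for f in [nm / "NetworkManager.conf", *sorted((nm / "conf.d").glob("*.conf"))]:
        v = read_ini(f).get("connection", "ipv6." + KEY, fallback=v)
    if is_set(v):
        return int(v), "NetworkManager global config"
    # 3. Kernel default, 0 on Debian according to the report
    sysctl = root / "proc/sys/net/ipv6/conf/default/use_tempaddr"
    return int(sysctl.read_text().strip()), "kernel default sysctl"

def audit(profile, root="/"):
    # 0 = disabled, 1 = temporary addresses enabled but public preferred,
    # 2 = temporary addresses enabled and preferred
    value, source = effective_ip6_privacy(profile, root)
    status = "OK" if value == 2 else "WEAK"
    return f"{status}: ip6-privacy={value} (from {source})"

if __name__ == "__main__":
    import sys
    # Usage: script.py /etc/NetworkManager/system-connections/<name>.nmconnection
    print(audit(sys.argv[1]))
```

A result of `WEAK ... (from kernel default sysctl)` is the situation the report describes: no profile or global setting exists, so the Debian default of 0 applies.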


