https://bugzilla.redhat.com/show_bug.cgi?id=1279242
The gist of this bug is that NetworkManager on Fedora 23 and Rawhide does not have RFC4941 privacy extensions enabled. So the IPv6 address is predicated on a real MAC address (at least on bare metal) and the address is not temporary and is never deprecated. This is reported to have worked correctly on Fedora 22.
Could this be assessed for security impact, in particular as it relates to Fedora release criteria? https://fedoraproject.org/wiki/Fedora_24_Final_Release_Criteria#Security_bug...
How would this get fixed with an update? Is there a mechanism to sed the user configuration to change ipv6.ip-privacy to 2? Or is this something that's likely stuck with a value of -1 for the life of the release, unless the user manually makes a change?
Thanks,
Bump.
If this can't be fixed with an update, I think it's much worse than bad. It's not just a regression. Windows and OS X have done this correctly for almost a decade. There is no release criterion that applies I think. Making it a blocker would require adding some kind of privacy criterion?
Chris Murphy
I am trying to find out if there is anyone on this list
On 10 February 2016 at 18:56, Chris Murphy lists@colorremedies.com wrote:
Bump.
If this can't be fixed with an update, I think it's much worse than bad. It's not just a regression. Windows and OS X have done this correctly for almost a decade. There is no release criterion that applies I think. Making it a blocker would require adding some kind of privacy criterion?
Chris Murphy
-- security mailing list security@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/security@lists.fedoraproject.org
Hi,
On 2016-02-11 17:57, Stephen John Smoogen wrote:
I am trying to find out if there is anyone on this list
I am, but I think not all of security-team are. Not sure about current policies which list to use for what.
On 10 February 2016 at 18:56, Chris Murphy lists@colorremedies.com wrote:
If this can't be fixed with an update, I think it's much worse than bad. It's not just a regression. Windows and OS X have done this correctly for almost a decade. There is no release criterion that applies I think. Making it a blocker would require adding some kind of privacy criterion?
Unfortunately our last two meetings were only sparsely visited - I did bring up the issue, but there is no outcome except that we should keep it on our agenda.
I'm not accustomed enough with the release cycle for fedora, but I'd guess this would be a system-wide change, which had a deadline for 2016-02-02. [1] Maybe we should talk to the fedora-engineering people if this change would be acceptable?
Also I do not know how big the required changes would be, did you already try to implement this change?
~astra
On Friday, 12 February 2016 2:08 PM, David Kaufmann wrote:
On 2016-02-11 17:57, Stephen John Smoogen wrote:
I am trying to find out if there is anyone on this list
On 10 February 2016 at 18:56, Chris Murphy wrote:
If this can't be fixed with an update, I think it's much worse than bad. It's not just a regression. Windows and OS X have done this correctly for almost a decade. There is no release criterion that applies I think. Making it a blocker would require adding some kind of privacy criterion?
Is there a bug filed against NM in Fedora for this?
---
-P J P
http://feedmug.com
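The thread's opening point, that without RFC4941 the address is derived from the real MAC, can be checked mechanically on a host. The following is an added example, not part of the thread or of NetworkManager: it computes the modified EUI-64 interface identifier (RFC 4291, Appendix A) for a MAC and reports which of a host's addresses embed it. The MAC and addresses are constructed sample values (2001:db8::/32 is the documentation prefix), and the function names are hypothetical.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the OUI and NIC halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def interface_id(addr: str) -> int:
    """Low 64 bits of an IPv6 address; tolerates '/64' and '%eth0' suffixes."""
    bare = addr.split("/")[0].split("%")[0]
    return int(ipaddress.IPv6Address(bare)) & ((1 << 64) - 1)

def mac_from_address(addr: str):
    """Return the MAC an EUI-64 style address appears to embed, else None."""
    iid = interface_id(addr).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses, mac):
    """Map each address to True if its interface identifier is derived from mac."""
    expected = eui64_interface_id(mac)
    return {a: interface_id(a) == expected for a in addresses}

# Constructed sample data: a made-up MAC and the addresses a host might hold.
SAMPLE_MAC = "52:54:00:12:34:56"
SAMPLE_ADDRESSES = [
    "fe80::5054:ff:fe12:3456%eth0",         # link-local, EUI-64
    "2001:db8:1:2:5054:ff:fe12:3456/64",    # global, EUI-64 (MAC visible to peers)
    "2001:db8:1:2:d4c1:9a3e:77b0:1f2c/64",  # global, randomised interface identifier
]

if __name__ == "__main__":
    for addr, derived in audit(SAMPLE_ADDRESSES, SAMPLE_MAC).items():
        print(f"{addr:40} {'MAC-derived' if derived else 'not MAC-derived'}")
```

Link-local addresses stay on the local segment, so it is a global-scope match that exposes the hardware address to remote peers.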