
Re: Security: auto-loading protocol modules



On Thu, 2010-11-18 at 03:33 +0000, Ben Hutchings wrote:
> Unlike device or filesystem modules, most protocol modules may be auto-
> loaded on behalf of local users without any special capabilities.  This
> means that security vulnerabilities in such protocol modules may be
> exploitable by local users even on a system where there is no need for
> the protocol.
> 
> Protocol modules are requested via module aliases generated from the
> protocol-family, protocol and type numbers passed to socket().
> Administrators can of course blacklist the modules or disable their
> aliases, but there is an ever-growing list of protocols.  There has been
> some discussion upstream of providing a means to disable or restrict
> this auto-loading altogether, but this is currently unresolved.
[...]

It looks like DECnet is not in great shape w.r.t. security and is not at
all widely used.  You appear to be maintaining both kernel (upstream)
and userland (in Debian).  What do you think of moving the module alias
into dnet-common, so systems without that package are not vulnerable to
security flaws in the decnet module?

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
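The quoted paragraph describes the mechanism (socket() requests a module through a `net-pf-<family>` style alias) and the administrator's two mitigations, blacklisting the module or disabling its alias. The script below is an added example, not part of the mailing-list message or of Debian's packaging: it generates and verifies a modprobe.d fragment that stops a protocol module from being auto-loaded. It assumes kmod/module-init-tools semantics for `blacklist` (ignore the module for alias-based requests such as `net-pf-12`) and `install` (run a command instead of loading, here `/bin/false`, which also blocks explicit `modprobe`), and it assumes DECnet is module `decnet` with protocol family number 12 (`PF_DECnet`). The family-level alias form `net-pf-N` is the one the example uses; the kernel also requests more specific `net-pf-N-proto-P-type-T` aliases, which the same `blacklist`/`install` lines cover because they act on the module name.

```shell
#!/bin/sh
# Added example (not from the original message). Builds a modprobe.d fragment
# that prevents a protocol module from being auto-loaded on behalf of
# unprivileged socket() callers, and checks whether such a fragment exists.
# Assumptions: module name "decnet", family number 12 (PF_DECnet), and the
# standard modprobe.d "blacklist"/"install" directives.

# Alias the kernel requests when socket(family, ...) finds no registered
# family: "net-pf-<family>".
net_alias() {
    printf 'net-pf-%s' "$1"
}

# Produce the modprobe.d text for module $1 with family number $2.
# "blacklist" stops alias-driven auto-loading (the socket() path);
# "install ... /bin/false" also refuses an explicit "modprobe decnet".
disable_proto_module() {
    mod="$1"; pf="$2"
    printf '# Refuse auto-load of %s via alias %s and explicit loads\n' \
        "$mod" "$(net_alias "$pf")"
    printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod"
}

# Write the fragment into a modprobe.d directory ($3, default /etc/modprobe.d)
# and print the path written.
write_disable_conf() {
    dir="${3:-/etc/modprobe.d}"
    conf="$dir/disable-$1.conf"
    disable_proto_module "$1" "$2" > "$conf"
    echo "$conf"
}

# Return success if any *.conf in directory $2 already blacklists or
# overrides the install of module $1 (a quick audit of an existing system).
is_disabled() {
    grep -qsE "^(blacklist|install)[[:space:]]+$1([[:space:]]|\$)" "$2"/*.conf
}

# Apply for real only when asked to; needs root to write /etc/modprobe.d.
if [ "${1:-}" = "--apply" ]; then
    write_disable_conf "${2:-decnet}" "${3:-12}"
fi
```

Running the script with `--apply decnet 12` as root writes `/etc/modprobe.d/disable-decnet.conf`; without arguments it only defines the functions, so it can be sourced for auditing with `is_disabled decnet /etc/modprobe.d`. Note the caveat the two directives encode: `blacklist` alone still permits an administrator's explicit `modprobe decnet`, while `install decnet /bin/false` blocks every load, so a system that genuinely needs the protocol should use only the former.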
