Package: release-notes
Severity: wishlist

Hi there,

netcat-openbsd 1.218-5 adds support for abstract sockets (on Linux), which is a breaking change with possible security implications: https://sources.debian.org/src/netcat-openbsd/1.218-5/debian/NEWS/ .

elbrus suggested to mention that in the Bookworm release notes; I propose the following text, mostly straight from the NEWS entry — feel free to adjust of course :-)

--8<--------------------------------------------------------------------->8--
netcat-openbsd and abstract socket support
==========================================

Starting with netcat-openbsd 1.218-5, nc.openbsd(1)'s Linux builds support [abstract namespace sockets](https://manpages.debian.org/unix.7.en.html#Abstract_sockets) in the AF_UNIX family. Socket paths starting with an at symbol '@' are interpreted in the abstract namespace.

This has possible security implications: `nc -lU @foobar.sock` used to bind pathname socket '@foobar.sock' in the current directory, subject to umask and file system access restrictions, while (on Linux) it now binds 'foobar.sock' in the abstract namespace where ownership and permissions have *no meaning*.

In order to specify a pathname socket make sure the argument doesn't start with '@'; for instance by prefixing with './' or by using a fully-qualified socket path. (Note however that on Linux socket pathnames may not exceed 108 bytes in size.)

This change is a Linux-only behavior, and only affects UNIX domain sockets (flag '-U').
--8<--------------------------------------------------------------------->8--

Cheers
-- 
Guilhem.
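Added example, not part of the bug report or of netcat-openbsd: a small POSIX sh helper for scripts that pass socket names to `nc -U`. It applies the '@' rule and the './' workaround from the proposed text and flags affected invocations in existing scripts. The function names and sample lines are constructed for illustration; the 108-byte limit is the one stated in the text.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not netcat-openbsd code.
SUN_PATH_MAX=108   # Linux limit as stated in the proposed text

# Print how nc.openbsd >= 1.218-5 on Linux interprets a -U argument.
nc_socket_kind() {
    case $1 in
        @*) echo abstract ;;   # leading '@' selects the abstract namespace
        *)  echo pathname ;;
    esac
}

# Print an equivalent argument that is always a pathname socket, or fail
# when the result exceeds the length limit.
nc_pathname_arg() {
    arg=$1
    [ -n "$arg" ] || { echo "empty socket path" >&2; return 2; }
    case $arg in
        @*) arg=./$arg ;;      # './' prefix, as the text recommends
    esac
    len=$(printf %s "$arg" | LC_ALL=C wc -c)   # bytes, not characters
    if [ "$((len))" -gt "$SUN_PATH_MAX" ]; then
        echo "socket path is $((len)) bytes, limit is $SUN_PATH_MAX" >&2
        return 1
    fi
    printf '%s\n' "$arg"
}

# Read script text on stdin; print "LINE:TEXT" for nc invocations that use
# -U with an argument starting with '@' (heuristic, literal arguments only).
audit_nc_lines() {
    grep -nE '(^|[^[:alnum:]_.-])(nc|nc\.openbsd|netcat)[[:space:]].*-[[:alnum:]]*U' |
        grep -E "[[:space:]][\"']?@[^[:space:]]" || true
}

# Constructed sample input for the audit.
sample_lines() {
    cat <<'EOF'
nc -lU @foobar.sock
nc -lU ./@foobar.sock
nc -U /run/app.sock
echo admin@example.org | nc -U /run/app.sock
EOF
}
```

Typical use is `nc -lU "$(nc_pathname_arg "$name")"` in a script, and `audit_nc_lines < script.sh` to find invocations whose meaning changed.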