
Dropping the ntfs kernel module



Linux's ntfs kernel module, supporting Windows's native filesystem, has
three security issues open against it (CVE-2018-12929, CVE-2018-12930,
CVE-2018-12931) and there is no sign of progress towards fixing them
upstream.

This module is limited to read-only functionality by default; its write
support only covers overwriting existing files and has been disabled in
Debian kernel configurations since stretch.  The alternative FUSE-based 
implementation, ntfs-3g, is far more functional, though it may have
lower performance.  It is already used in the installer and included in
all the desktop tasks (unless installation of Recommends is disabled).

I intend to disable building this module in the next upload to sid,
targeting buster.

I think we should also disable building it in updates to jessie and
stretch, but would like to get an OK from the Stable Release Managers
before doing that.

Ben.

-- 
Ben Hutchings
Horngren's Observation:
              Among economists, the real world is often a special case.
