On Tue, Oct 10, 2017 at 03:42:40PM +0200, Vincent Lefevre wrote:
> On 2017-10-10 14:27:24 +0200, Moritz Muehlenhoff wrote:
> > On Tue, Oct 10, 2017 at 02:16:28PM +0200, Vincent Lefevre wrote:
> > > On 2017-10-10 13:58:16 +0200, Moritz Muehlenhoff wrote:
> > > > This is neutralised by kernel hardening starting with stretch, see
> > > > release notes:
> > > > https://www.debian.org/releases/jessie/amd64/release-notes/ch-whats-new.en.html#security
> > >
> > > which is there just because of this kind of bugs.
> > >
> > > Note also that this is still an optional feature, and not all users
> > > use Debian provided kernels.
> >
> > It is not optional, see the release notes section I quoted.
>
> It is said: "It is enabled in the Debian Linux kernel by default."
>                                                       ^^^^^^^^^^
> Thus, that's optional. There is no guarantee that it is enabled
> after a system configuration change (done on purpose, due to a
> bug, or whatever). One should not blindly rely on this feature.
It is not optional. You omitted to quote the second part:

"/tmp-related bugs which are rendered non-exploitable by this mechanism are
not treated as security vulnerabilities. If you use a custom Linux kernel you
should enable it using a sysctl setting"

Cheers,
Moritz
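Since the thread turns on whether the protection is actually active on a given system, here is an added check script (not part of the thread or of Debian's release notes). It assumes the release-notes mechanism is the kernel's fs.protected_symlinks and fs.protected_hardlinks sysctls, which the thread itself does not name, and takes the /proc/sys root as a parameter so it can be run against a constructed tree.

```shell
#!/bin/sh
# Added example: verify that the symlink/hardlink restrictions discussed in
# the thread are enabled, and show the sysctl stanza for a custom kernel.
# Assumption: the feature is fs.protected_symlinks / fs.protected_hardlinks
# (these sysctl names are not given on the page).

# Print one fs.* knob from the given /proc/sys root, or "missing" when the
# running kernel does not expose it at all.
read_knob() {
    root=$1; knob=$2
    if [ -r "$root/fs/$knob" ]; then
        cat "$root/fs/$knob"
    else
        echo missing
    fi
}

# Returns 0 only when both protections are on. A knob that is absent counts
# as disabled: a kernel built without it offers no mitigation either.
check_protected_links() {
    root=${1:-/proc/sys}
    status=0
    for knob in protected_symlinks protected_hardlinks; do
        val=$(read_knob "$root" "$knob")
        case $val in
            1) echo "fs.$knob = 1 (enabled)" ;;
            0) echo "fs.$knob = 0 (DISABLED)"; status=1 ;;
            *) echo "fs.$knob: $val (kernel built without it?)"; status=1 ;;
        esac
    done
    return $status
}

# Persistent setting for a custom kernel, to be dropped into /etc/sysctl.d.
sysctl_stanza() {
    printf '%s\n' 'fs.protected_symlinks = 1' 'fs.protected_hardlinks = 1'
}

if check_protected_links "${1:-/proc/sys}"; then
    echo "OK: /tmp symlink-race bugs are mitigated by the running kernel"
else
    echo "Not fully enabled. On a custom kernel, put the following in"
    echo "/etc/sysctl.d/99-protected-links.conf and run 'sysctl --system':"
    sysctl_stanza
fi
```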