On 19/11/2010 03:08, Ben Hutchings wrote:
> On Thu, 2010-11-18 at 03:33 +0000, Ben Hutchings wrote:
>> Unlike device or filesystem modules, most protocol modules may be
>> auto-loaded on behalf of local users without any special capabilities. This
>> means that security vulnerabilities in such protocol modules may be
>> exploitable by local users even on a system where there is no need for
>> the protocol.
>>
>> Protocol modules are requested via module aliases generated from the
>> protocol-family, protocol and type numbers passed to socket().
>> Administrators can of course blacklist the modules or disable their
>> aliases, but there is an ever-growing list of protocols. There has been
>> some discussion upstream of providing a means to disable or restrict
>> this auto-loading altogether, but this is currently unresolved.
> [...]
>
> It looks like DECnet is not in great shape w.r.t security and is not at
> all widely used. You appear to be maintaining both kernel (upstream)
> and userland (in Debian). What do you think of moving the module alias
> into dnet-common, so systems without that package are not vulnerable to
> security flaws in the decnet module?
>
Hiya,

The Debian DECnet package already modprobes the decnet module in the init script (it avoids some potential auto-loading race conditions), so disabling auto-load will be fine.

For info, the kernel module is unmaintained upstream - I orphaned it some time ago as I have neither the time nor expertise to handle it (and never did, to be quite honest).

Chrissie
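
Added example, not part of the original message or of any Debian package: a shell script that builds the alias name requested for a socket() call and classifies how a modprobe.d-style file treats a protocol module, separating a blacklist (which still allows the explicit modprobe an init script does) from a full stub-out. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies how a modprobe.d-style
# file treats a protocol module that the kernel would request by alias.

# socket_alias FAMILY [PROTOCOL [TYPE]]
# Alias name requested for a socket() call, e.g. 12 (AF_DECnet) -> net-pf-12.
socket_alias() {
    a="net-pf-$1"
    [ -n "$2" ] && a="$a-proto-$2"
    [ -n "$3" ] && a="$a-type-$3"
    printf '%s' "$a"
}

# autoload_state FILE MODULE
#   open        no directive found; the alias can still load MODULE
#   alias-only  "blacklist MODULE": the module's own aliases are ignored,
#               but an explicit "modprobe MODULE" (init script) still works
#   disabled    "install MODULE /bin/false|/bin/true": every modprobe of
#               MODULE runs the stub command instead of loading it
autoload_state() {
    awk -v m="$2" '
        { sub(/#.*/, "") }                       # drop comments
        $1 == "blacklist" && $2 == m { bl = 1 }
        $1 == "install" && $2 == m && $3 ~ /^\/bin\/(false|true)$/ { off = 1 }
        END { print (off ? "disabled" : (bl ? "alias-only" : "open")) }
    ' "$1"
}

# Constructed sample configuration, not taken from any real system.
sample_conf() {
    cat <<'EOF'
# constructed sample
blacklist decnet
install appletalk /bin/false   # stub out the module entirely
EOF
}

demo() {
    conf=$(mktemp) || return 1
    sample_conf > "$conf"
    printf 'AF_DECnet socket requests alias %s\n' "$(socket_alias 12)"
    for mod in decnet appletalk rds; do
        printf '%s: %s\n' "$mod" "$(autoload_state "$conf" "$mod")"
    done
    rm -f "$conf"
}

demo
```

Only the `alias-only` state is compatible with a package whose init script loads the module by name; `disabled` would make that modprobe a no-op as well.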