Bug #12280

Protect against CVE-2017-6074 in Tails 2.11

Added by intrigeri 2017-03-03 08:21:10 . Updated 2017-03-09 13:56:51 .

Target version:
Start date:
Due date:
% Done:


Feature Branch:
Type of work:

Affected tool:
Deliverable for:


It looks like upgrading to Linux 4.9 (Feature #12122) won’t be an option for 2.11, so we need another solution. anonym mentioned somewhere else that we could blacklist the corresponding module, or something similar.


Related issues

Related to Tails - Feature #6457: Blocklist rare network protocols Confirmed


#1 Updated by intrigeri 2017-03-03 08:21:35

  • related to Feature #6457: Blocklist rare network protocols added

#2 Updated by anonym 2017-03-03 11:00:36

intrigeri wrote:
> anonym mentioned somewhere else that we could blacklist the corresponding module, or something similar.

You are referring to my comment Feature #6457#note-19. Indeed, blacklisting the dccp module is enough. It is normally mentioned among a few other modules to blacklist in various Linux hardening guides, e.g. CIS in the “4.6 Uncommon Network Protocols” chapter suggests this:

install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true

So we might as well work on our CIS compliance and do all of that, as an initial step towards Feature #6457, and fixing this CVE in particular.

#3 Updated by anonym 2017-03-03 12:31:20

  • Status changed from Confirmed to In Progress

Applied in changeset commit:aba3923d149b8c1041fdebf0f369e6f87bfaf339.

#4 Updated by anonym 2017-03-04 11:23:56

  • Assignee changed from anonym to intrigeri
  • % Done changed from 0 to 50
  • QA Check set to Ready for QA
  • Feature Branch set to bugfix/12280-blacklist-dccp

There has been two successful test runs on Jenkins. Please review’n’merge!

#5 Updated by anonym 2017-03-04 12:40:33

Also, I locally tested successfully all of mac_spoofing.feature due to commit:442a293d896076a1a8242d8d4f3320dc016495bb.

#6 Updated by intrigeri 2017-03-05 10:06:59

  • Assignee changed from intrigeri to anonym
  • % Done changed from 50 to 60
  • QA Check changed from Ready for QA to Info Needed

I’ve verified that none of the newly blacklisted modules appear in any WhisperBack report since the beginning of 2014 (Feature #6457#note-22). Code review passes, and based on your test results I’m gonna merge this branch. Thanks!

[Snipped discussion moved to Bug #12266]

#7 Updated by intrigeri 2017-03-05 10:11:20

Ooops, sorry. Will move this discussion to Bug #12266 right now.

#8 Updated by intrigeri 2017-03-05 10:11:40

  • Status changed from In Progress to Fix committed
  • % Done changed from 60 to 100

Applied in changeset commit:b446df9ca5a97b2858ad0bf3f1dbcc15843e7d0d.

#9 Updated by intrigeri 2017-03-05 10:13:40

  • Assignee deleted (anonym)
  • QA Check deleted (Info Needed)

#10 Updated by anonym 2017-03-09 13:56:51

  • Status changed from Fix committed to Resolved