Protect against CVE-2017-6074 in Tails 2.11
It looks like upgrading to Linux 4.9 (Feature #12122) won’t be an option for 2.11, so we need another solution. anonym mentioned somewhere else that we could blacklist the corresponding module, or something similar.
Related issues: Related to Tails - Feature #6457: Blocklist rare network protocols (Confirmed)
#2 Updated by anonym 2017-03-03 11:00:36
> anonym mentioned somewhere else that we could blacklist the corresponding module, or something similar.
You are referring to my comment Feature #6457#note-19. Indeed, blacklisting the dccp module is enough. It is normally mentioned among a few other modules to blacklist in various Linux hardening guides, e.g. CIS in the “4.6 Uncommon Network Protocols” chapter suggests this:

    install dccp /bin/true
    install sctp /bin/true
    install rds /bin/true
    install tipc /bin/true
So we might as well work on our CIS compliance and do all of that, as an initial step towards Feature #6457, and fixing this CVE in particular.
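
An added example, not part of the thread or of the Tails code base: a small audit that reads a modprobe.d-style directory and reports which of the four modules named above are not overridden by an `install <module> /bin/true` (or `/bin/false`) line. The function names, file name and sample config are constructed for illustration. A plain `blacklist` line is deliberately not counted, since it only makes modprobe ignore the module's internal aliases.

```sh
#!/bin/sh
# Added example: report which CIS "uncommon network protocol" modules are NOT
# neutralised by an "install <module> /bin/true" line in a modprobe.d directory.
MODULES="dccp sctp rds tipc"

# modprobe treats '-' and '_' in module names as the same character.
norm() { printf '%s' "$1" | tr '-' '_'; }

# is_disabled DIR MODULE: succeeds if a *.conf file replaces loading with a no-op.
is_disabled() {
    dir=$1; want=$(norm "$2")
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        while read -r kw mod cmd rest; do
            [ "$kw" = "install" ] || continue
            [ "$(norm "$mod")" = "$want" ] || continue
            # Accept /bin/true, /bin/false and their /usr/bin equivalents.
            case ${cmd##*/} in true|false) return 0 ;; esac
        done <<EOF
$(sed 's/#.*//' "$f")
EOF
    done
    return 1
}

# unprotected DIR: print the modules from $MODULES with no install override.
unprotected() {
    out=
    for m in $MODULES; do
        is_disabled "$1" "$m" || out="${out:+$out }$m"
    done
    printf '%s\n' "$out"
}

# Constructed sample: tipc has only a "blacklist" line, and rds is commented out.
write_sample() {
    cat > "$1/uncommon-network-protocols.conf" <<'EOF'
# constructed test input, not the Tails configuration
install dccp /bin/true
install sctp /bin/true   # trailing comment
#install rds /bin/true
blacklist tipc
EOF
}

sample=$(mktemp -d)
write_sample "$sample"
unprotected "$sample"
rm -rf "$sample"
```

On a real system the directory argument would be `/etc/modprobe.d`; an empty result means all four modules have an install override.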
#6 Updated by intrigeri 2017-03-05 10:06:59
- Assignee changed from intrigeri to anonym
- % Done changed from 50 to 60
- QA Check changed from Ready for QA to Info Needed
I’ve verified that none of the newly blacklisted modules appear in any WhisperBack report since the beginning of 2014 (Feature #6457#note-22). Code review passes, and based on your test results I’m gonna merge this branch. Thanks!
[Snipped discussion moved to