Bug #12280

Protect against CVE-2017-6074 in Tails 2.11

Added by intrigeri 9 months ago. Updated 9 months ago.

Status: Resolved
Priority: High
Assignee: -
Category: -
Target version:
Start date: 03/03/2017
Due date:
% Done: 100%
QA Check:
Feature Branch: bugfix/12280-blacklist-dccp
Type of work: Code
Blueprint:
Easy:
Affected tool:

Description

It looks like upgrading to Linux 4.9 (#12122) won't be an option for 2.11, so we need another solution. anonym mentioned somewhere else that we could blacklist the corresponding module, or something similar.


Related issues

Related to Tails - Feature #6457: Blacklist rare network protocols Confirmed

Associated revisions

Revision aba3923d (diff)
Added by anonym 9 months ago

Fix CVE-2017-6074 by disabling the 'dccp' module.

For details, see: http://seclists.org/oss-sec/2017/q1/471

Will-fix: #12280

Revision b446df9c
Added by intrigeri 9 months ago

Merge remote-tracking branch 'origin/bugfix/12280-blacklist-dccp' into stable (fix-committed: #12280)

History

#1 Updated by intrigeri 9 months ago

  • Related to Feature #6457: Blacklist rare network protocols added

#2 Updated by anonym 9 months ago

intrigeri wrote:

anonym mentioned somewhere else that we could blacklist the corresponding module, or something similar.

You are referring to my comment #6457#note-19. Indeed, blacklisting the dccp module is enough. It is normally mentioned among a few other modules to blacklist in various Linux hardening guides, e.g. CIS in the "4.6 Uncommon Network Protocols" chapter suggests this:

install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true

So we might as well work on our CIS compliance and do all of that, as an initial step towards #6457, and fixing this CVE in particular.
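
An added example, not part of the original comment or of the Tails code base: a shell check that a modprobe.d-style directory really disables the four modules from the CIS snippet above. The function names, the sample file name and its contents are constructed for illustration; only the `install <module> /bin/true` (or `/bin/false`) form is accepted, because a plain `blacklist` line does not stop an explicit `modprobe`.

```shell
#!/bin/sh
# Added example: audit a modprobe.d-style directory for the CIS
# "uncommon network protocols" modules quoted in the comment above.
MODULES="dccp sctp rds tipc"

# module_disabled DIR MODULE
# Succeeds if a *.conf file in DIR has an active line of the form
#   install MODULE /bin/true    (or /bin/false)
# Comments are ignored; '-' and '_' are treated as equivalent in
# module names, as modprobe does.
module_disabled() {
    dir=$1
    want=$(printf '%s' "$2" | sed 's/-/_/g')
    cat "$dir"/*.conf 2>/dev/null | awk -v want="$want" '
        { sub(/#.*/, "") }                      # drop comments
        $1 == "install" && NF == 3 {
            name = $2; gsub(/-/, "_", name)
            if (name == want && ($3 == "/bin/true" || $3 == "/bin/false"))
                found = 1
        }
        END { exit !found }'
}

# audit_dir DIR: print each module that is NOT disabled, one per line.
audit_dir() {
    for m in $MODULES; do
        module_disabled "$1" "$m" || printf '%s\n' "$m"
    done
}

# Constructed sample: dccp and sctp are disabled, rds is only
# "blacklist"ed, and the tipc line is commented out.
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/uncommon-net.conf" <<'EOF'
install dccp /bin/true
  install   sctp   /bin/true   # trailing comment
blacklist rds
# install tipc /bin/true
EOF
    printf '%s\n' "$d"
}

sample=$(make_sample)
echo "Not disabled in sample: $(audit_dir "$sample" | tr '\n' ' ')"
rm -rf "$sample"
```

On a real system, point `audit_dir` at `/etc/modprobe.d` and any other modprobe.d directory in use.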

#3 Updated by anonym 9 months ago

  • Status changed from Confirmed to In Progress

#4 Updated by anonym 9 months ago

  • Assignee changed from anonym to intrigeri
  • % Done changed from 0 to 50
  • QA Check set to Ready for QA
  • Feature Branch set to bugfix/12280-blacklist-dccp

There have been two successful test runs on Jenkins. Please review'n'merge!

#5 Updated by anonym 9 months ago

Also, I locally tested successfully all of mac_spoofing.feature due to 442a293d896076a1a8242d8d4f3320dc016495bb.

#6 Updated by intrigeri 9 months ago

  • Assignee changed from intrigeri to anonym
  • % Done changed from 50 to 60
  • QA Check changed from Ready for QA to Info Needed

I've verified that none of the newly blacklisted modules appear in any WhisperBack report since the beginning of 2014 (#6457#note-22). Code review passes, and based on your test results I'm gonna merge this branch. Thanks!

[Snipped discussion moved to #12266]

#7 Updated by intrigeri 9 months ago

Ooops, sorry. Will move this discussion to #12266 right now.

#8 Updated by intrigeri 9 months ago

  • Status changed from In Progress to Fix committed
  • % Done changed from 60 to 100

#9 Updated by intrigeri 9 months ago

  • Assignee deleted (anonym)
  • QA Check deleted (Info Needed)

#10 Updated by anonym 9 months ago

  • Status changed from Fix committed to Resolved
