[Info-vax] DECNet support dropped from Linux kernel
Dave McGuire
mcguire at lssmuseum.org
Wed Nov 8 11:29:33 EST 2023
On 10/6/23 12:18, Scott Dorsey wrote:
> Just looking at this week's list of kernel updates and noticed this very
> interesting item tucked in there:
>
> Davide Ornaghi discovered that the DECnet network protocol implementation
> in the Linux kernel contained a null pointer dereference vulnerability. A
> remote attacker could use this to cause a denial of service (system crash)
> or possibly execute arbitrary code. Please note that kernel support for the
> DECnet has been removed to resolve this CVE. (CVE-2023-3338)
>
> I can't tell if this is a good or a bad thing.
It was, of course, a bad thing.
But the problem has been addressed. John Forecast has released his
DECnet for Linux stack, based on the original, with a great many fixes,
and many changes to reduce its dependency on moving-target kernel APIs.
https://github.com/JohnForecast/LinuxDECnet
We're testing it here, and so far it works well, and not on ancient
Linux. We're testing it with Ubuntu 22.04 in a VM under SmartOS.
-Dave
--
Dave McGuire, President/Curator
Large Scale Systems Museum
New Kensington, PA
More information about the Info-vax
mailing list