[Info-vax] DECNet support dropped from Linux kernel
Bob Eager
news0009 at eager.cx
Wed Nov 8 12:33:27 EST 2023
On Wed, 08 Nov 2023 11:29:33 -0500, Dave McGuire wrote:
> On 10/6/23 12:18, Scott Dorsey wrote:
>> Just looking at this week's list of kernel updates and noticed this
>> very interesting item tucked in there:
>>
>> Davide Ornaghi discovered that the DECnet network protocol
>> implementation in the Linux kernel contained a null pointer dereference
>> vulnerability. A remote attacker could use this to cause a denial of
>> service (system crash) or possibly execute arbitrary code. Please note
>> that kernel support for the DECnet has been removed to resolve this
>> CVE. (CVE-2023-3338)
>>
>> I can't tell if this is a good or a bad thing.
>
> It was, of course, a bad thing.
>
> But the problem has been addressed. John Forecast has released his
> DECnet for Linux stack, based on the original, with a great many fixes,
> and many changes to reduce its dependency on moving-target kernel APIs.
>
> https://github.com/JohnForecast/LinuxDECnet
>
> We're testing it here, and so far it works well, and not on ancient
> Linux. We're testing it with Ubuntu 22.04 in a VM under SmartOS.
John Forecast! A name from the past! I met him at Essex University in
1974, and was later able to help him by giving him a copy of his own
source code from his Ph.D.
More information about the Info-vax
mailing list