Ian Jackson
2008-Jun-09 16:25 UTC
[Pkg-xen-devel] Security module (Flask) support should be disabled
I notice that the Flask / ACM security module support has been enabled in the latest Debian Xen packages. I'm afraid I think this is a mistake.

In our opinion this code is of very poor quality. It is certainly ill-tested and not widely used. We (Xensource/Citrix) have received more than one serious vulnerability report, of problems which make an installation with the Flask support compiled in much less secure than one without (as opposed to simply failures to provide the additional security properties intended).

We have passed these reports upstream to the contributors of the Flask system but even after a substantial time we have not had a satisfactory resolution. Sadly these reports are still embargoed so I can't go into more detail.

I can say that we're considering deprecating or even completely removing this facility in a future release. Certainly I would recommend against deploying a Xen with Flask compiled in.

Ian.
Bastian Blank
2008-Jun-09 16:43 UTC
[Pkg-xen-devel] Security module (Flask) support should be disabled
On Mon, Jun 09, 2008 at 05:25:33PM +0100, Ian Jackson wrote:
> I notice that the Flask / ACM security module support has been enabled
> in the latest Debian Xen packages. I'm afraid I think this is a
> mistake.

Where? I don't see anything which enables the support. Also a quick grep over the hypervisors shows nothing substantial.

Bastian

--
No problem is insoluble.
-- Dr. Janet Wallace, "The Deadly Years", stardate 3479.4