Another day, another #Linux security vulnerability!
Dirty Frag: https://github.com/V4bel/dirtyfrag
For my fellow #NixOS users, here is the mitigation I applied to my systems: https://github.com/stapelberg/nix/commit/05e40d77799a8d68dc019b316cb824904a53361c
-
Now, the exploit did not work as-is on the NixOS 25.11 system I tested, so maybe the exploit code needs more adjustment (buys us more time) or does not work on NixOS for some reason.
But better safe than sorry! So just mitigate proactively.
-
@zekjur I do the module block with the install rule; but I think the most elegant is what Debian sysadmin team does: https://salsa.debian.org/dsa-team/mirror/dsa-puppet/-/blob/production/modules/debian_org/templates/rc.local.erb?ref_type=heads
/etc/rc.local (which runs at boot if systemd/init hooks it, do check that):
sleep 60
echo 1 > /proc/sys/kernel/modules_disabled
Thus after the first minute of boot, disable any further module loading.
Works on kernels and for modules that one does not use. Thus Debian is fine, RHEL is not for this class of bugs. (and one can 0 it if one needs to load a mod)
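An added example, not part of the thread or of either linked repository: a small POSIX sh audit for the two mitigations mentioned above (a modprobe `install` rule and the `modules_disabled` sysctl). It distinguishes an `install` rule, which replaces the load command, from a `blacklist` line, which only suppresses alias-based autoloading. The function names and the module names passed in are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit module-load mitigations. Module names are supplied by
# the caller; none are taken from the page.

# modprobe treats '-' and '_' in module names as equivalent.
norm() { printf '%s' "$1" | tr '-' '_'; }

# classify_module CONF_DIR MODULE
# Prints: install-blocked | blacklist-only | unblocked
classify_module() {
    conf_dir=$1; want=$(norm "$2"); result=unblocked
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        while read -r kw name rest || [ -n "$kw" ]; do
            case $kw in ''|'#'*) continue ;; esac
            [ "$(norm "$name")" = "$want" ] || continue
            cmd=${rest%% *}
            # Match on basename so store paths such as /nix/store/.../bin/false count.
            case $kw:${cmd##*/} in
                install:false|install:true) result=install-blocked ;;
                blacklist:*)
                    if [ "$result" = unblocked ]; then result=blacklist-only; fi ;;
            esac
        done < "$f"
    done
    printf '%s\n' "$result"
}

# modules_locked [FILE]: succeeds when the sysctl reads 1.
# The kernel documentation describes this switch as one-way until reboot.
modules_locked() {
    [ "$(cat "${1:-/proc/sys/kernel/modules_disabled}" 2>/dev/null)" = 1 ]
}

# audit CONF_DIR SYSCTL_FILE MODULE...: one line per module, then the sysctl state.
audit() {
    conf_dir=$1; sysctl_file=$2; shift 2
    for m in "$@"; do
        printf '%s: %s\n' "$m" "$(classify_module "$conf_dir" "$m")"
    done
    if modules_locked "$sysctl_file"; then echo "modules_disabled: 1"
    else echo "modules_disabled: 0 (module loading still possible)"; fi
}

# Stand-alone use: ./audit.sh MODULE...
[ "$#" -eq 0 ] || audit /etc/modprobe.d /proc/sys/kernel/modules_disabled "$@"
```

A `blacklist-only` result means an explicit `modprobe NAME` or a dependency load can still pull the module in.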