[kernel-sec-discuss] r4996 - dsa-texts

Ben Hutchings benh at moszumanska.debian.org
Wed Feb 22 16:31:24 UTC 2017


Author: benh
Date: 2017-02-22 16:31:24 +0000 (Wed, 22 Feb 2017)
New Revision: 4996

Modified:
   dsa-texts/3.16.39-1+deb8u1
Log:
Add mitigations for issues fixed in 3.16.39-1+deb8u1

Modified: dsa-texts/3.16.39-1+deb8u1
===================================================================
--- dsa-texts/3.16.39-1+deb8u1	2017-02-22 16:22:01 UTC (rev 4995)
+++ dsa-texts/3.16.39-1+deb8u1	2017-02-22 16:31:24 UTC (rev 4996)
@@ -12,7 +12,9 @@
 
     It was discovered that the performance events subsystem does not
     properly manage locks during certain migrations, allowing a local
-    attacker to escalate privileges.
+    attacker to escalate privileges.  This can be mitigated by
+    disabling unprivileged use of performance events:
+    sysctl kernel.perf_event_paranoid=3
 
 CVE-2016-8405
 
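Review bot: the added command `sysctl kernel.perf_event_paranoid=3` at the end of this paragraph changes only the running kernel's setting, so the mitigation is lost at the next reboot, and the text does not say so. Suggest adding that it can be made persistent with a line `kernel.perf_event_paranoid = 3` in a file under /etc/sysctl.d/. Since the sentence describes this as disabling unprivileged use of performance events, it is also worth stating that non-root profiling stops working while the setting is in place.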
@@ -85,13 +87,16 @@
     Di Shen discovered a race condition between concurrent calls to
     the performance events subsystem, allowing a local attacker to
     escalate privileges. This flaw exists because of an incomplete fix
-    of CVE-2016-6786.
+    of CVE-2016-6786.  This can be mitigated by disabling unprivileged
+    use of performance events: sysctl kernel.perf_event_paranoid=3
 
 CVE-2017-6074
 
     Andrey Konovalov discovered a use-after-free vulnerability in the
     DCCP networking code, which could result in denial of service or
-    local privilege escalation.
+    local privilege escalation.  On systems that do not already have
+    the dccp module loaded, this can be mitigated by disabling it:
+    echo >> /etc/modprobe.d/disable-dccp.conf install dccp false
 
 For the stable distribution (jessie), these problems have been fixed in
 version 3.16.39-1+deb8u1.
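Review bot: in the CVE-2017-6074 paragraph, the command `echo >> /etc/modprobe.d/disable-dccp.conf install dccp false` puts the redirection before the arguments, which is valid shell but easy to misread or mis-copy once the advisory text is re-wrapped. Writing it as `echo "install dccp false" >> /etc/modprobe.d/disable-dccp.conf` on its own line would be clearer. The condition "do not already have the dccp module loaded" gives readers no way to check it and no guidance for the case where the module is loaded; a pointer to `lsmod` would help. The perf mitigation in this hunk is also run into the sentence, while the earlier hunk sets the same command on its own line; one form should be used for both.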