From dc716a1ee9353ae4c6a9599670f724853c46dc8b Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Sun, 10 May 2026 18:45:36 +0000 Subject: [PATCH 1/2] Fix two typos. Signed-off-by: Kurt Garloff --- blog/2026-05-10-kernel-root-exploits.md | 2 +- community/tools/zuul.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/blog/2026-05-10-kernel-root-exploits.md b/blog/2026-05-10-kernel-root-exploits.md index 28716e09ae..2681e9b468 100644 --- a/blog/2026-05-10-kernel-root-exploits.md +++ b/blog/2026-05-10-kernel-root-exploits.md @@ -211,7 +211,7 @@ key or to use a tool like kubectl-node-shell with the appropriate privileges. ```bash -for node in $(kubectl get nodes | grep -v '^NAME' | awk '{print $1;}') do; +for node in $(kubectl get nodes | grep -v '^NAME' | awk '{print $1;}'); do kubectl node_shell "$node" -- bash -c 'echo -e "# Temporarily disable algif_aead (copy.fail)\ninstall algif_aead /bin/false" > /etc/modprobe.d/disable-aead-copyfail.conf' kubectl node_shell "$node" -- bash -c 'echo -e "# Temporarily disable esp4, esp6, rxrpc (Dirty Frag)\ninstall esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false" > /etc/modprobe.d/disable-esp46-rxrpc-dirtyfrag.conf' done diff --git a/community/tools/zuul.md b/community/tools/zuul.md index db7e2adfe5..cb3b494d88 100644 --- a/community/tools/zuul.md +++ b/community/tools/zuul.md @@ -19,7 +19,7 @@ Note: This needs to be updated! - the merge-mode which should be used to auto-merge - the jobs to run in each pipeline (gh_check, gh_gate, gh_post, gh_tag) - these [pipelines](https://github.com/SovereignCloudStack/zuul-config/blob/main/zuul.d/) are triggered by events - - ihere are [some default jobs](https://opendev.org/zuul/zuul-jobs/src/branch/master/playbooks) + - here are [some default jobs](https://opendev.org/zuul/zuul-jobs/src/branch/master/playbooks) - If you have _self-defined_ jobs, you need to create a folder _.playbooks_ - this folder containers ansible playbooks which will be triggered 
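Review bot: In the blog/2026-05-10-kernel-root-exploits.md hunk, the corrected loop only writes the two files under /etc/modprobe.d/ on each node, and an `install <module> /bin/false` line only takes effect the next time the module is requested through modprobe. A node where algif_aead, esp4, esp6 or rxrpc is already loaded stays exposed until the module is unloaded or the node is rebooted. Unless the text above the loop already covers this, add a per-node check such as `lsmod | grep -E 'algif_aead|esp4|esp6|rxrpc'` and say what to do when it prints something. As a minor style point, `kubectl get nodes --no-headers` would replace the `grep -v '^NAME'` stage.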
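Review bot: In the community/tools/zuul.md hunk, the last context line still reads "this folder containers ansible playbooks", where "contains" is meant. Since this commit is a typo fix touching the same list, it could correct that line too. It is also worth confirming that "here are" and not "there are" is the intended reading of the old "ihere are".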
From cd365651a55ef3a0a886f83d9364b85c0f733f84 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Tue, 12 May 2026 08:45:24 +0200 Subject: [PATCH 2/2] Update information on stable kernels. Signed-off-by: Kurt Garloff --- blog/2026-05-10-kernel-root-exploits.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/blog/2026-05-10-kernel-root-exploits.md b/blog/2026-05-10-kernel-root-exploits.md index 2681e9b468..19011ed327 100644 --- a/blog/2026-05-10-kernel-root-exploits.md +++ b/blog/2026-05-10-kernel-root-exploits.md @@ -124,12 +124,14 @@ The fixes for Dirty Frag are still in development as of May 8. The first fixes have been merged upstream and released in 7.0.5, 6.18.28, 6.12.87, 6.6.138, 6.1.172, 5.15.206 and 5.10.255 but there is [more to come for rxrpc](https://lwn.net/ml/all/2026050859-ahead-anchovy-05e2@gregkh/). +Update 2026-05-11: 7.0.6 and 6.18.29 contain this last patch, older kernels don't need it. The responsible disclosure process for Dirty Frag unfortunately failed due to the [patches being spotted](https://www.openwall.com/lists/oss-security/2026/05/07/12), so the upstream maintainers and the distributors this time did not have time to carefully prepare and test fixes ahead of the publication of the issue. So we have to expect that it will take a few days until all Linux distributor -manage to ship tested fixed kernels. +manage to ship tested fixed kernels. Alma Linux has done so already, others are +expected to follow soon. A fully effective workaround is again to prevent loading the affected modules by placing another file `dirtyfrag.conf` in `/etc/modprobe.d/`: 
@@ -254,3 +256,4 @@ SCS security contact is [security@scs.community](mailto:security@scs.community), - kubectl node-shell instructions, v0.2, 2026-05-09, 12:45 CEST. - Mention succssful patching of community infra, v0.3, 2026-05-09, 13:30 CEST. - Correct facts on the failure of the responsible disclosure. Release as v1.0, 2026-05-09, 20:00 CEST. +- Update on final rxrpc fix in stable kernels. v1.1, 2026-05-12, 08:45 CEST.
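Review bot: In the first hunk of PATCH 2/2 (around line 124 of the blog post), the added sentence "older kernels don't need it" does not say which kernels are meant, and a reader on one of the older series listed just above (6.12.87, 6.6.138, 6.1.172, 5.15.206, 5.10.255) needs to know whether that release is already complete. Suggest naming the series explicitly and splitting the comma splice into two sentences. The update also leaves "still in development as of May 8" and "more to come for rxrpc" standing directly above it, so the paragraph now contradicts itself unless the update is clearly set apart. In the second changed sentence, the context line keeps "all Linux distributor manage", which should be "distributors", and the distribution spells its name "AlmaLinux".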
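Review bot: In the changelog hunk at the end of the blog post, the new entry is dated 2026-05-12 while the in-text note added by the same commit is labelled "Update 2026-05-11"; one of the two dates should be adjusted, or the entry should say that the kernels were released on the 11th and the post was updated on the 12th. The entry also mentions only the rxrpc fix and not the added statement about Alma Linux shipping fixed kernels. The context line above it still has "succssful", which could be fixed in the same change.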