author Ben Hutchings <benh@debian.org> 2017-02-22 16:31:24 +0000
committer Ben Hutchings <benh@debian.org> 2017-02-22 16:31:24 +0000
commit 31cdf984c31ba58cf54eaa10b4984612c1775852
tree 4083af9f701a3a5c9fabe083314a9d6fbebadb22 /dsa-texts/3.16.39-1+deb8u1
parent 4c4dab8de46147e7b21303886087476766c6dd40
Add mitigations for issues fixed in 3.16.39-1+deb8u1
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@4996 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'dsa-texts/3.16.39-1+deb8u1')
-rw-r--r-- dsa-texts/3.16.39-1+deb8u1 11
1 files changed, 8 insertions, 3 deletions
diff --git a/dsa-texts/3.16.39-1+deb8u1 b/dsa-texts/3.16.39-1+deb8u1
index a6afb7c1..741eafb1 100644
--- a/dsa-texts/3.16.39-1+deb8u1
+++ b/dsa-texts/3.16.39-1+deb8u1
@@ -12,7 +12,9 @@ CVE-2016-6786 / CVE-2016-6787
It was discovered that the performance events subsystem does not
properly manage locks during certain migrations, allowing a local
- attacker to escalate privileges.
+ attacker to escalate privileges. This can be mitigated by
+ disabling unprivileged use of performance events:
+ sysctl kernel.perf_event_paranoid=3
CVE-2016-8405
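Review bot: The mitigation added to the CVE-2016-6786 / CVE-2016-6787 entry gives only the runtime command `sysctl kernel.perf_event_paranoid=3`, which does not survive a reboot, so a machine still running the unfixed kernel loses the mitigation the next time it restarts. Suggest adding a sentence that the setting must also be written to a file under /etc/sysctl.d/ (as `kernel.perf_event_paranoid = 3`) to persist until the fixed kernel is installed and booted.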
@@ -85,13 +87,16 @@ CVE-2017-6001
Di Shen discovered a race condition between concurrent calls to
the performance events subsystem, allowing a local attacker to
escalate privileges. This flaw exists because of an incomplete fix
- of CVE-2016-6786.
+ of CVE-2016-6786. This can be mitigated by disabling unprivileged
+ use of performance events: sysctl kernel.perf_event_paranoid=3
CVE-2017-6074
Andrey Konovalov discovered a use-after-free vulnerability in the
DCCP networking code, which could result in denial of service or
- local privilege escalation.
+ local privilege escalation. On systems that do not already have
+ the dccp module loaded, this can be mitigated by disabling it:
+ echo >> /etc/modprobe.d/disable-dccp.conf install dccp false
For the stable distribution (jessie), these problems have been fixed in
version 3.16.39-1+deb8u1.
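Review bot: In the CVE-2017-6074 entry, `echo >> /etc/modprobe.d/disable-dccp.conf install dccp false` places the redirection before the arguments; a POSIX shell accepts that, but in wrapped advisory text it is easy to misread where the command starts and what gets written to the file. Suggest the conventional form `echo "install dccp false" >> /etc/modprobe.d/disable-dccp.conf` on its own line. The same sentence restricts the mitigation to systems that do not already have the dccp module loaded without saying how to check that (for example with lsmod) or what an administrator should do when it is loaded. In the CVE-2017-6001 entry the sysctl command is run into the sentence, while the CVE-2016-6786 / CVE-2016-6787 entry puts the identical command on its own line; use the same layout in both places.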