<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <blockquote type="cite"
cite="mid:CA+TuoW2Qs0p+ft3E1EqtnKhb7Z=jDM0brUvS5X-MHdHDUVpDcQ@mail.gmail.com">
      <div dir="ltr">
        <div>
          <div style="font-size:small" class="gmail_default">DirtyFrag</div>
          <div style="font-size:small" class="gmail_default"><br>
          </div>
          <div style="font-size:small" class="gmail_default"><a
href="https://linux.slashdot.org/story/26/05/08/1913238/new-linux-dirty-frag-zero-day-gives-root-on-all-major-distros"
              moz-do-not-send="true" class="moz-txt-link-freetext">https://linux.slashdot.org/story/26/05/08/1913238/new-linux-dirty-frag-zero-day-gives-root-on-all-major-distros</a></div>
          <div style="font-size:small" class="gmail_default"><br>
          </div>
          <div style="font-size:small" class="gmail_default">This one
            does not have updates yet from the repositories.</div>
          <div style="font-size:small" class="gmail_default">The patches
            are in the code, but not released yet.</div>
          <div style="font-size:small" class="gmail_default"><br>
          </div>
          <div style="font-size:small" class="gmail_default">Someone
            watching the patches that are committed figured out </div>
          <div style="font-size:small" class="gmail_default">the
            exploit and released it ahead of the updates. </div>
          <div style="font-size:small" class="gmail_default"><br>
          </div>
          <div style="font-size:small" class="gmail_default">There is a
            mitigation here</div>
          <div style="font-size:small" class="gmail_default"><br>
          </div>
          <div style="font-size:small" class="gmail_default"><a
              href="https://github.com/V4bel/dirtyfrag#mitigation"
              moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/V4bel/dirtyfrag#mitigation</a></div>
        </div>
        <div>
          <div style="font-size:small" class="gmail_default">As with
            this class of bugs, a local account is needed, so this is </div>
          <div style="font-size:small" class="gmail_default">a concern
            if you have containers.</div>
          <div style="font-size:small" class="gmail_default"><br>
          </div>
          <div style="font-size:small" class="gmail_default">If you
            don't have containers, then the machine is not vulnerable.</div>
        </div>
      </div>
    </blockquote>
    <p>I have been setting my GitLab runners' policy to not upload
      container images automatically.</p>
    <p>This approach has always felt like something too pedantic,
      because there is no auto-magic.<br>
      The dev side was forced to keep a complete specification of images.
      Runner box(es) would always have a local copy to dwell on if needed.<br>
      On the security side, now on display: no auto-download means no
      auto-inject of stuff. ... And I am not even running containers as
      a service for someone else.</p>
  </body>
</html>