26538f5a40
* add guide component
* add mitigate kernel playbook
* add to troubleshooting
* remove redundant
* remove redundant
* FIX ISSUES
* fix
* fix url to raw
* update docs and add new playbook
* update and simplify docs and ansible
* create ntm explanation component and import it
* rm mistaken empty file
* rm crap
* rm crap
* rm all crap
* try to fix nextra screaming seagull
* try to fix nextra screaming seagull
* try to fix nextra screaming seagull
* UX improvement by logic refactoring
* UX improvement by logic refactoring
* UX improvement by logic refactoring
* UX improvement by logic refactoring
* fix header urls
* fix command syntax
* fix indentation
* update auto-stats
* resolve review comments
* resolve review comments in docs
* fix remove kernel book
* soften warning
* address comments
* address comments
* update stats
42 lines
1.3 KiB
YAML
# Mitigation playbook for CopyFail (CVE-2026-31431) and DirtyFrag (CVE-2026-43284 / CVE-2026-43500)
# This playbook applies interim module blacklists only
# Kernel patches are not yet available (May 2026)
# Once patched kernels ship, use remove_kernel_CVE_mitigations.yml to reverse everything
# This playbook is idempotent - safe to re-run if mitigations were already applied
#
# How the blacklist works: an "install <module> /bin/false" line makes modprobe run
# /bin/false instead of loading the module, so any later autoload attempt fails.
# It has no effect on a module that is already resident, which is why the
# modules are also unloaded explicitly below.

- name: Mitigate Copy Fail + Dirty Frag
  hosts: all
  become: true
  tasks:
    - name: Blacklist algif_aead (Copy Fail)
      copy:
        dest: /etc/modprobe.d/disable-algif_aead.conf
        content: "install algif_aead /bin/false\n"
        owner: root
        group: root
        mode: "0644"

    - name: Blacklist esp4, esp6, rxrpc (Dirty Frag)
      copy:
        dest: /etc/modprobe.d/dirtyfrag.conf
        content: |
          install esp4 /bin/false
          install esp6 /bin/false
          install rxrpc /bin/false
        owner: root
        group: root
        mode: "0644"

    # modprobe -r fails for a module that is in use (active IPsec SAs keep esp4/esp6
    # busy, open AF_ALG sockets keep algif_aead busy). ignore_errors lets the play
    # continue; check the task output and lsmod afterwards rather than assuming success.
    - name: Unload all affected modules
      modprobe:
        name: "{{ item }}"
        state: absent
      loop:
        - algif_aead
        - esp4
        - esp6
        - rxrpc
      ignore_errors: true

    # Writing 3 drops the clean page cache plus dentries and inodes. Dirty pages are
    # not discarded until they have been written back.
    - name: Drop page cache to clear any contamination
      shell: echo 3 > /proc/sys/vm/drop_caches