Hi,

Trying to do a recap here to update the wiki page correctly:

https://wiki.debian.org/DebianSecurity/SpectreMeltdown

See if you can fill in the blanks I've found...

Spectre v2
----------

My understanding of retpoline is that it was designed to fix spectre v2
(CVE-2017-5715), yet it's not clear to me the fix is actually complete
without firmware updates. Do we have a clear status on that?

On Ubuntu's side, they claim it requires cpu-level firmware updates,
even though they seem to be in the process of rebuilding kernels and
userspace (at least in 18.04LTS and parts of the other releases) with
retpoline, so I'm not sure where we stand with this:

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown#Current_Status

We seem to have retpoline backported for GCC 4.9 now and work being done
to backport that or the patches back into wheezy. But what about
stretch/buster? Are we expecting an archive rebuild with retpoline? If
so, which suites and when?

Spectre v1
----------

And what about Spectre v1? It's currently marked as unfixed in the
kernel:

https://security-tracker.debian.org/tracker/CVE-2017-5753

What are the expected mitigations here? I see that 4.15.4-1 is marked as
fixed for that, but it's unclear to me if that trickles down to all
userspace, considering the scope...

Ubuntu fixed this according to this advisory, but it's unclear to me
what exactly they did; I lost track, to be honest:

https://usn.ubuntu.com/usn/usn-3541-1/

Meltdown
--------

We currently say that only amd64 is mitigated for Meltdown in the wiki -
is there work being done in the kernel to try and fix this in other
architectures? Or is the intersection of "vulnerable design + exotic
architecture" too small to bother?

It does seem like only *some* ARM Cortex cores are vulnerable, and that
ARM seems to be pretty diligent about their firmware updates:

https://developer.arm.com/support/security-update

It looks like they recommend retpoline + kpti as mitigations for variant
1 and variant 2/3, respectively, which seems contrary to information
I've found elsewhere, e.g. Google, which says basically:

 * variant 1: "per binary basis"
 * variant 2: "retpoline"
 * variant 3: "KPTI"

https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html

Overall
-------

Overall, I think our page has improved significantly over what was there
before, which was... well, nothing. :) But there's still work to do in
documentation (on top of mitigation itself of course). In particular, I
wonder why we are not tracking userland packages like xen, qemu,
firefox, chromium, libvirt and others, like Ubuntu has been doing.

Furthermore, do we want to add a timeline of activities so that people
can get a quick glance at what was fixed when? We could regroup, for
example, issues that are currently unrelated like gcc-4.9's
DSA-4117-1...

Thanks!

-- 
Music gives a soul to the universe, wings to the mind, flight to the
imagination and life to everything
                         - Plato
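
Added example, not part of the mail above: a POSIX sh script that answers the "is retpoline/KPTI actually active on this box" question from the kernel's own report in /sys/devices/system/cpu/vulnerabilities, the interface 4.15-era kernels and their distro backports expose. The file names and status strings are the kernel's; the VULN_DIR override and the helper function names are my own, added so the parsing can be exercised on constructed input.

```shell
#!/bin/sh
# Summarise the kernel's own view of Spectre v1/v2 and Meltdown mitigation.
# Assumes a kernel exposing /sys/devices/system/cpu/vulnerabilities (4.15+
# and backports); VULN_DIR can be overridden to point at a test directory.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_state "<sysfs line>" -> not_affected | mitigated | vulnerable | unknown
classify_state() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# mitigation_name "<sysfs line>" -> text after "Mitigation: ", empty otherwise
mitigation_name() {
    case "$1" in
        "Mitigation: "*) printf '%s\n' "${1#Mitigation: }" ;;
        *)               echo "" ;;
    esac
}

# retpoline_kind "<spectre_v2 line>" -> full | minimal | none
# "Full ... retpoline" means the kernel was built with a retpoline-aware GCC;
# "Minimal ... ASM retpoline" means only the hand-written asm thunks are in
# place, which the kernel still reports as "Vulnerable:". This is exactly the
# compiler-support question raised in the mail.
retpoline_kind() {
    case "$1" in
        *"Full "*retpoline*)    echo full ;;
        *"Minimal "*retpoline*) echo minimal ;;
        *)                      echo none ;;
    esac
}

# report: one line per CVE file; returns 1 when the interface is absent
# (older kernels without the backport, i.e. "status unknown to the kernel").
report() {
    if [ ! -d "$VULN_DIR" ]; then
        echo "no $VULN_DIR: kernel predates the sysfs vulnerability interface"
        return 1
    fi
    for f in "$VULN_DIR"/meltdown "$VULN_DIR"/spectre_v1 "$VULN_DIR"/spectre_v2; do
        [ -r "$f" ] || continue
        line=$(cat "$f")
        printf '%-10s %-12s %s\n' "$(basename "$f")" "$(classify_state "$line")" "$line"
    done
    # Independent cross-check on x86: the "pti" cpuinfo flag means KPTI is on.
    grep -qw pti /proc/cpuinfo 2>/dev/null && echo "cpuinfo: pti flag present"
    return 0
}

report || :
```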
