Hi all,

On Fri, Mar 25, 2022 at 02:57:12PM -0300, Leandro Cunha wrote:
> Hi,
>
> On Fri, Mar 25, 2022 at 2:38 PM Georgi Naplatanov <go...@oles.biz> wrote:
> >
> > On 3/25/22 19:19, Leandro Cunha wrote:
> > > Hi,
> > >
> > > On Fri, Mar 25, 2022 at 4:19 AM Georgi Naplatanov <go...@oles.biz> wrote:
> > >>
> > >> On 3/25/22 03:24, Leandro Cunha wrote:
> > >>> Hi,
> > >>>
> > >>> On Wed, Mar 23, 2022 at 6:18 PM Georgi Naplatanov <go...@oles.biz> wrote:
> > >>>>
> > >>>> On 3/23/22 22:43, Leandro Cunha wrote:
> > >>>>> Hi,
> > >>>>>
> > >>>>> On Wed, Mar 23, 2022 at 2:33 PM Georgi Naplatanov <go...@oles.biz> wrote:
> > >>>>>>
> > >>>>>> On 3/23/22 18:35, piorunz wrote:
> > >>>>>>> On 23/03/2022 15:41, Leandro Cunha wrote:
> > >>>>>>>
> > >>>>>>>> Please, take into consideration what is in the link and you can
> > >>>>>>>> consult through it about CVE:
> > >>>>>>>> https://security-tracker.debian.org/tracker/CVE-2017-5715
> > >>>>>>>
> > >>>>>>> Leandro,
> > >>>>>>> I've been on this website before I posted with
> > >>>>>>> spectre-meltdown-checker results. I have vulnerable status just
> > >>>>>>> like author of this topic. I am on intel-microcode 3.20210608.2,
> > >>>>>>> and by the look of it, this bug supposed to be fixed in:
> > >>>>>>>
> > >>>>>>> "intel-microcode: Some microcode updates to partially adress
> > >>>>>>> CVE-2017-5715 included in 3.20171215.1
> > >>>>>>> Further updates in 3.20180312.1"
> > >>>>>>>
> > >>>>>>> So my version of microcode is 3-4 years newer than that.
> > >>>>>>>
> > >>>>>>> Is it microcode problem, or spectre-meltdown-checker displaying
> > >>>>>>> wrong information, or something else entirely?
> > >>>>>>>
> > >>>>>>
> > >>>>>> I want to mention that on the same computer with kernel Debian
> > >>>>>> 5.10.92-2
> > >>>>>>
> > >>>>>> spectre-meltdown-checker
> > >>>>>>
> > >>>>>> reports that the system is not vulnerable to CVE-2017-5715
> > >>>>>>
> > >>>>>> Kind regards
> > >>>>>> Georgi
> > >>>>>>
> > >>>>>
> > >>>>> This script is reporting an already patched CVE as vulnerable.
> > >>>>
> > >>>>
> > >>>> Are you sure this behavior on 5.10.103-1 is not some kind of
> > >>>> regression?
> > >>>> What is the evidence that vulnerability is still fixed?
> > >>>>
> > >>>>
> > >>>> Kind regards
> > >>>> Georgi
> > >>>>
> > >>>
> > >>> When replying to your email I was aware of the script issue that was
> > >>> reporting several already resolved CVEs as unresolved. As Salvatore
> > >>> sent the issue link.
> > >>> But it seems to me that this problem was solved 7 days ago, it would be
> > >>> interesting if there was an update or a backport to stable.
> > >>>
> > >>
> > >> Hi Leandro,
> > >>
> > >> I also think that an update would be nice.
> > >>
> > >> Kind regards
> > >> Georgi
> > >>
> > >
> > > I applied a patch from upstream and repackaged it from unstable.
> > > And this CVE is displayed as resolved.
> > >
> >
> > Thank you, Leandro!
> >
> > I guess that the patch will appear in Debian stable (11.4), right?
> >
> > Kind regards
> > Georgi
> >
>
> This update must comply with the link below. I only did a test here.
> It is up to the maintainers to analyze this.
> I already see it as something necessary to be corrected.
> [1]
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#special-case-uploads-to-the-stable-and-oldstable-distributions

I would suggest to ask the maintainers if they can prepare an update
to be included in the next point release. This can happen directly or
to the bug #1008181.

Sylvestre and Holger, would you have time to include the bugfix as
well in the future bullseye point release?

Regards,
Salvatore