On 20 February 2018 at 05:09, Andy Smith <a...@strugglers.net> wrote:

> Hello,
> On Mon, Feb 19, 2018 at 09:03:20PM +0000, Michael Fothergill wrote:
> > On 19 February 2018 at 19:10, Michael Lange <klappn...@freenet.de>
> wrote:
> > > no, I meant to say that you were looking at the wrong place if you
> wanted
> > > to see if the "spectre-2" fix has arrived in debian, for this one you
> > > will have to look here:
> > >
> > > https://security-tracker.debian.org/tracker/CVE-2017-5715
> >
> > ​No, we were not looking for it.  I think a joint fix for meltdown and
> > spectre 1 would fit the bill at present .
> They are different bugs with different fixes. No one is even certain
> HOW to fix Spectre variant 1 yet, or if it can be without entirely
> new CPUs. Things have only got as far as kicking around ideas on how
> to make exploiting it harder.
> Your suggestion makes about as much sense as lumping every single
> buffer overflow bug into one CVE and then saying almost all software
> ever made is vulnerable, until there is one patch that fixes
> everything at once.

​I think I just got Spectre 1 and 2 mixed up in the discussion.  I did not
the Spectre fix worked for the entirety of the the Spectre vulnerability.
​I also read in quite a few places that fixing all of it was an open ended

> Your comments along the lines of "I thought it was fixed…", as
> Michael Lange pointed out, were about Spectre variant 2 but you are
> looking at the security tracker page for Spectre variant 1.
> CVE-2017-5753 is Spectre v1. There is no fix for Spectre v1 anywhere
> yet, not even in Linux upstream.
> Spectre v2, which you are talking about, is CVE-2017-5715, again as
> Michael Lange just pointed out to you. As you can see from the link
> that Michael gave you, Spectre v2 is fixed in the kernel package in
> sid. Read it again:
>     <https://security-tracker.debian.org/tracker/CVE-2017-5715>
> That's the retpoline stuff you're talking about.

​For me at any rate if the new version of gcc 4.9 makes it easier for a
new user to get access to that portion of Spectre vulnerability jointly
with the the availability of Meltdown as is, then as I said I would be
very pleased.  and if a third person comes on the site asking about
this problem then we could encourage them to try it.



> Cheers,
> Andy
> --
> https://bitfolk.com/ -- No-nonsense VPS hosting

Reply via email to