On Sun, Mar 4, 2018 at 6:36 AM, Hauke Mehrtens <ha...@hauke-m.de> wrote:
> On 02/27/2018 11:37 AM, Rafał Miłecki wrote:
>> There has been some talk on the upcoming 17.01 fix release and Meltdown/Spectre.
>>
>> Quick summary:
>> 1) Most LEDE supported devices aren't affected
>> 2) For most LEDE use cases these vulnerabilities don't matter
>> 3) 17.01 uses 4.4.116, which includes Meltdown fixes
>> 4) Spectre mitigation requires a newer GCC and a CPU microcode update
>> 5) Zoltan made some progress on x86 microcode update support
>>
>> So right now in some specific cases (mostly when running unverified
>> software) Spectre may be a problem.
>>
>> There are two problems with solving it:
>>
>> 1) Microcode updates are not (fully) available yet
>> It's unclear how long it will take Intel to release updated microcodes.
>>
>> 2) GCC officially supports Spectre mitigation in 7.2 and 8.0
>> LEDE 17.01 uses GCC 5.4. It seems fixes are unofficially backported to
>> 5.5:
>> https://github.com/hjl-tools/gcc/commits/hjl/indirect/gcc-5-branch/master
>> So the only solution for LEDE is to switch from 5.4 to 5.5 and apply the
>> backported fixes. I'm not sure how safe it's going to be (possible
>> regressions caused by the 5.5 update).
>>
>> If I'm wrong about anything, please let me know.
>>
>> In this situation my suggestion is to release 17.01.5 now and take
>> care of Spectre in another release in a few months from now. What do you
>> think? Any objections?
>
> I agree with you. We should do the LEDE 17.01.5 release now with the
> current state; there are already many other bugfixes in the lede
> 17.01 branch, some for security problems which probably can be abused
> much more easily in most of the common OpenWrt use cases than Spectre.
>
> I would also wait with the ARM Spectre fixes till this code hits the 4.4
> LTS kernel tree, and then we can release it in lede 17.01.6 in some months.
>
> I am not sure if we should update the GCC at all, or if users that
> really want these fixes should go to OpenWrt 18.X.

The MIPS SATA data corruption issue affects kernels 4.9 and above. 17.01 uses 4.4, I believe.

I vote for leaving GCC at 5.5.

> mbedtls 2.7 fixed 2 security problems in their last release, but this
> version is ABI incompatible but API compatible with the previous
> version. Should I backport the commits, or should I increase the
> PKG_RELEASE number for all dependent packages?
>
> This is my personal opinion on this topic.
>
> Hauke
>
> _______________________________________________
> Lede-dev mailing list
> Lede-dev@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-dev