On 18/10/2018 16:51, Daniel P. Berrangé wrote:
>
> After adding the new $YEAR/$ID.xml file, 'make' will build the
> corresponding indexes and HTML/TXT renderings. Ideally the machine which
> is hosting the QEMU website would run 'make' after pulling new
> commits. In this series, however, I have just committed the rendered
> content to git.

"git push" is already running Jekyll, which has a templating mechanism similar to the one used for blog posts (https://jekyllrb.com/docs/collections/). Basically one security notice would be a file in a _secnotices directory, with the metadata in a YAML preamble like this:

    ---
    title: Speculative store bypass
    id: 2018-001
    date: 2018-05-21
    reported: 2018-03-12
    fixed: 2018-06-26
    credits:
      - reporter:
        - name: Ken Johnson (Microsoft Security Response Center)
        - name: Jann Horn (Google Project Zero)
      - patcher:
        - name: Daniel P. Berrangé
          email: berra...@redhat.com
        - name: Konrad Rzeszutek Wilk
          email: konrad.w...@oracle.com
    advisories:
      - type: CVE
        id: 2018-3639
    branches:
      - master:
          state: fixed
          change:
            - d19d1f965904a533998739698020ff4ee8a103da: fixed
            - 403503b162ffc33fb64cfefdf7b880acf41772cd: fixed
            - 4f50c1673a89b07f376ce5c42d22d79a79cd466d: merged
            - a764f3f7197f4d7ad8fe8424269933de912224cb: fixed
            - e409d9a158c77c650651e8118f6c86c8dc76eba6: merged
            - 7ba1e61953f4592606e60b2e7507ff6a6faf861a: vulnerable
          tag:
            - v0.10.1: vulnerable
            ...
    ---
    {% contentfor description %}
    An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization).

    It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire).
    {% endcontentfor %}
    {% contentfor impact %}
    As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.
    {% endcontentfor %}
    {% contentfor mitigation %}
    None
    {% endcontentfor %}

(Requires the jekyll-contentblocks plugin).

I am not a YAML fan, but I still would probably have to hide if I suggested using XSLT to convert the XML files to YAML. :) Still, one question is obvious: is the XML an industry standard? That would make it more palatable...
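
An added example, not part of the original message or of the QEMU website's code: a Ruby check that could run over a _secnotices file before Jekyll publishes it, loading the YAML preamble with safe_load and rejecting malformed ids, dates, CVE numbers, commit ids and states. The nesting assumed under `branches`, the rule that `reported` must not be later than `date`, and the names `parse_notice`, `validate_notice` and `SAMPLE` are assumptions made for the example.

```ruby
require 'yaml'
require 'date'
STATES = %w[fixed merged vulnerable].freeze # states seen in the email's sample

# Split a notice into [front matter, body]. safe_load rejects Ruby object
# tags; only Date is permitted, for the notice's date fields.
def parse_notice(text)
  m = text.match(/\A---\s*\n(.*?)\n---\s*\n(.*)\z/m)
  raise ArgumentError, 'missing YAML front matter' unless m
  [YAML.safe_load(m[1], permitted_classes: [Date]) || {}, m[2]]
end

# Return a list of problems; an empty list means the notice passed.
def validate_notice(meta)
  errs = []
  errs << 'id must look like YYYY-NNN' unless meta['id'].to_s =~ /\A\d{4}-\d{3}\z/
  pub, rep = meta.values_at('date', 'reported')
  errs << 'date and reported must be dates' unless [pub, rep].all? { |d| d.is_a?(Date) }
  errs << 'reported is later than date' if pub.is_a?(Date) && rep.is_a?(Date) && rep > pub
  Array(meta['advisories']).select { |a| a['type'] == 'CVE' }.each do |a|
    errs << "bad CVE id #{a['id']}" unless a['id'].to_s =~ /\A\d{4}-\d{4,}\z/
  end
  # Assumed nesting: branches -> [{name => {change => [{sha => state}]}}]
  Array(meta['branches']).grep(Hash).flat_map(&:to_a).each do |_name, info|
    next unless info.is_a?(Hash)
    Array(info['change']).grep(Hash).flat_map(&:to_a).each do |sha, state|
      errs << "bad commit id #{sha}" unless sha.to_s =~ /\A\h{40}\z/
      errs << "unknown state #{state}" unless STATES.include?(state)
    end
  end
  errs
end

# Constructed sample, trimmed from the notice in the email.
SAMPLE = <<~NOTICE
  ---
  id: 2018-001
  date: 2018-05-21
  reported: 2018-03-12
  advisories:
    - type: CVE
      id: 2018-3639
  branches:
    - master:
        change:
          - d19d1f965904a533998739698020ff4ee8a103da: fixed
  ---
  {% contentfor mitigation %} None {% endcontentfor %}
NOTICE
```

`validate_notice(parse_notice(SAMPLE).first)` returns an empty list for the sample; a truncated commit id or an unknown state each produce one entry.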