Re: [SECURITY] [DSA 4078-1] linux security update

2018-01-12 Thread Henrique de Moraes Holschuh
On Fri, 12 Jan 2018, Moritz Mühlenhoff wrote:
> Frank Nord wrote:
> > Peeking at Ubuntu:
> > https://usn.ubuntu.com/usn/usn-3522-3/
> > "USN-3522-1 fixed a vulnerability in the Linux kernel to address
> > Meltdown (CVE-2017-5754). Unfortunately, that update introduced
> > a regression where a few systems failed to boot successfully. This
> > update fixes the problem."
> >
> > Do you know if the regression mentioned in
> > USN-3522-3 exists in stretch's deb9u2 as of today?
> 
> No, the Ubuntu 4.4 regression was an Ubuntu-specific broken hunk
> in the backported patch sets, it's unrelated to what you're seeing
> in stretch.

For the record, an issue with EFI was found on 4.4 upstream, as well as
another issue with EFI on both 4.4 and 4.9 upstream.  I believe the
fixes will show up in the next -stable.  They are related to the changes
done due to the meltdown mitigation, and they don't trigger on every
system.

-- 
  Henrique Holschuh



Re: [SECURITY] [DSA 4078-1] linux security update

2018-01-12 Thread Moritz Mühlenhoff
Frank Nord wrote:
> Peeking at Ubuntu:
> https://usn.ubuntu.com/usn/usn-3522-3/
> "USN-3522-1 fixed a vulnerability in the Linux kernel to address
> Meltdown (CVE-2017-5754). Unfortunately, that update introduced
> a regression where a few systems failed to boot successfully. This
> update fixes the problem."
>
> Do you know if the regression mentioned in
> USN-3522-3 exists in stretch's deb9u2 as of today?

No, the Ubuntu 4.4 regression was an Ubuntu-specific broken hunk
in the backported patch sets, it's unrelated to what you're seeing
in stretch.

Cheers,
Moritz



Re: [SECURITY] [DSA 4078-1] linux security update

2018-01-11 Thread Frank Nord
Hello,


On 2018-01-11 at 12:29, Frank Nord wrote:
> Hello,
> 
> 
> On 2018-01-11 at 11:58, Henrique de Moraes Holschuh wrote:
>> On Thu, 11 Jan 2018, Frank Nord wrote:
>>> I've problems applying this on my mac mini (Intel(R) Core(TM) 2 Duo CPU,
>>> P7550  @ 2.6 GHz).
> 
>>> 3.20170707.1~deb9u1 from stretch. What's the recommended
>>> microcode-version for this kernel?

[...]
> Getting back to my original question: Shall I file a bug report for
> deb9u2 not being able to boot my P7550 (in contrast to deb9u1) or is it
> known anyway?

Peeking at Ubuntu:
https://usn.ubuntu.com/usn/usn-3522-3/
"USN-3522-1 fixed a vulnerability in the Linux kernel to address
Meltdown (CVE-2017-5754). Unfortunately, that update introduced
a regression where a few systems failed to boot successfully. This
update fixes the problem."

Problems were reported on a Core i5-2500 - maybe it's related:
https://lists.ubuntu.com/archives/ubuntu-users/2018-January/293149.html

Do you know if the regression mentioned in
USN-3522-3 exists in stretch's deb9u2 as of today?

Greetings,
Frank



Re: [SECURITY] [DSA 4078-1] linux security update

2018-01-11 Thread Frank Nord
Hello,


On 2018-01-11 at 11:58, Henrique de Moraes Holschuh wrote:
> On Thu, 11 Jan 2018, Frank Nord wrote:
>> I've problems applying this on my mac mini (Intel(R) Core(TM) 2 Duo CPU,
>> P7550  @ 2.6 GHz).

>> 3.20170707.1~deb9u1 from stretch. What's the recommended
>> microcode-version for this kernel?
> 
> The one you have is currently fine.  Intel has not published
> Spectre-related microcode mitigation for the Core 2 duo, at least not
> yet.
> 
> Maybe they will update the Core2 duo, maybe they will not... It is a
> very old model, the microcode might not have enough control there to do
> it without disabling way way too much stuff (and thus incurring an
> absurd performance regression).
> 
> When the microcode doesn't have the Spectre mitigation support for
> whatever reason (or you opt to not use it because it is too slow, etc),
> "retpoline" software mitigation should do the job just fine to protect
> against the currently known variants of spectre.
> 
> However, retpoline support is not ready yet.  It is being worked on the
> kernel upstream, and it requires compiler support, too... which is also
> being worked at gcc and clang upstream.
> 
> We have a couple interesting weeks ahead of us, with lots of -security
> and stable updates to do :p

Thanks for your help - that's interesting.

Getting back to my original question: Shall I file a bug report for
deb9u2 not being able to boot my P7550 (in contrast to deb9u1) or is it
known anyway?

Greetings,
Frank



Re: [SECURITY] [DSA 4078-1] linux security update

2018-01-11 Thread Henrique de Moraes Holschuh
On Thu, 11 Jan 2018, Frank Nord wrote:
> I've problems applying this on my mac mini (Intel(R) Core(TM) 2 Duo CPU,
> P7550  @ 2.6 GHz).

...

> 3.20170707.1~deb9u1 from stretch. What's the recommended
> microcode-version for this kernel?

The one you have is currently fine.  Intel has not published
Spectre-related microcode mitigation for the Core 2 duo, at least not
yet.

Maybe they will update the Core2 duo, maybe they will not... It is a
very old model, the microcode might not have enough control there to do
it without disabling way way too much stuff (and thus incurring an
absurd performance regression).

When the microcode doesn't have the Spectre mitigation support for
whatever reason (or you opt to not use it because it is too slow, etc),
"retpoline" software mitigation should do the job just fine to protect
against the currently known variants of spectre.

However, retpoline support is not ready yet.  It is being worked on the
kernel upstream, and it requires compiler support, too... which is also
being worked at gcc and clang upstream.

We have a couple interesting weeks ahead of us, with lots of -security
and stable updates to do :p

-- 
  Henrique Holschuh



Re: [SECURITY] [DSA 4078-1] linux security update

2018-01-10 Thread Frank Nord
Hello,


On 2018-01-04 at 23:25, Yves-Alexis Perez wrote:

> -
> Debian Security Advisory DSA-4078-1   secur...@debian.org
> https://www.debian.org/security/                        Yves-Alexis Perez
> January 04, 2018  https://www.debian.org/security/faq
> -
> 
> Package: linux
> CVE ID : CVE-2017-5754
> 
> For the stable distribution (stretch), this problem has been fixed in
> version 4.9.65-3+deb9u2.

I've problems applying this on my mac mini (Intel(R) Core(TM) 2 Duo CPU,
P7550  @ 2.6 GHz).

deb9u1 went fine, but when booting u2, the system freezes. After
fsck,... running /scripts/init-bottom and loading ip_tables it hangs,
showing a panic on usb-drives from time to time.

https://share.mailbox.org/ajax/share/0af9382a020c6148ab0d0bf20c614d5ab1e0c91bf0f480f7/1/8/MzQ/MzQvMTA

Booting without usb-devices, freezes without an error.

Are you aware of any regressions? I'm using intel microcode
3.20170707.1~deb9u1 from stretch. What's the recommended
microcode-version for this kernel?

Thanks,
Frank

-- 
For those of you without hope, we have rooms with color TV,
cable and air conditioning



[SECURITY] [DSA 4078-1] linux security update

2018-01-04 Thread Yves-Alexis Perez
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4078-1   secur...@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
January 04, 2018  https://www.debian.org/security/faq
- -

Package: linux
CVE ID : CVE-2017-5754

Multiple researchers have discovered a vulnerability in Intel processors,
enabling an attacker controlling an unprivileged process to read memory from
arbitrary addresses, including from the kernel and all other processes running
on the system.

This specific attack has been named Meltdown and is addressed in the Linux
kernel for the Intel x86-64 architecture by a patch set named Kernel Page Table
Isolation, enforcing a near complete separation of the kernel and userspace
address maps and preventing the attack. This solution might have a performance
impact, and can be disabled at boot time by passing `pti=off' to the kernel
command line.

We also identified a regression for ancient userspaces using the vsyscall
interface, for example chroot and containers using (e)glibc 2.13 and older,
including those based on Debian 7 or RHEL/CentOS 6. This regression will be
fixed in a later update.

The other vulnerabilities (named Spectre) published at the same time are not
addressed in this update and will be fixed in a later update.

For the oldstable distribution (jessie), this problem will be fixed in a
separate update.

For the stable distribution (stretch), this problem has been fixed in
version 4.9.65-3+deb9u2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-
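
Added example, not part of the advisory or of Debian's tooling: a shell check for whether the Kernel Page Table Isolation described in the advisory was switched off with `pti=off`. The function names and sample command lines are constructed for illustration; the `nopti` spelling and the sysfs status file are taken from mainline kernels, not from this advisory, and may be absent on the 4.9.65-3+deb9u2 kernel itself.

```shell
#!/bin/sh
# pti_request CMDLINE -> prints off | on | auto | default
# Assumption (mainline behaviour): the last pti=<value> on the command line
# wins, and a bare "nopti" is only consulted when no valid pti= is present.
pti_request() {
    pti_val=''
    nopti=0
    set -f                      # no glob expansion while word-splitting
    for word in $1; do
        case "$word" in
            pti=*) pti_val=${word#pti=} ;;
            nopti) nopti=1 ;;
        esac
    done
    set +f
    case "$pti_val" in
        off|on|auto) printf '%s\n' "$pti_val"; return 0 ;;
    esac
    if [ "$nopti" -eq 1 ]; then printf 'off\n'; else printf 'default\n'; fi
}

# meltdown_verdict CMDLINE SYSFS_TEXT
# SYSFS_TEXT is the content of the kernel's meltdown status file, or empty
# when the running kernel does not provide it.
meltdown_verdict() {
    case "$2" in
        'Not affected'*) echo not-affected; return 0 ;;
        Mitigation:*)    echo mitigated;    return 0 ;;
        Vulnerable*)     echo vulnerable;   return 0 ;;
    esac
    # No kernel report: fall back to what was requested at boot.
    case "$(pti_request "$1")" in
        off) echo pti-disabled ;;
        *)   echo unknown ;;
    esac
}

# Constructed sample command line, then the local host if readable.
echo "sample: $(meltdown_verdict 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro pti=off' '')"
if [ -r /proc/cmdline ]; then
    sysfs=/sys/devices/system/cpu/vulnerabilities/meltdown
    status=''
    if [ -r "$sysfs" ]; then status=$(cat "$sysfs"); fi
    echo "host:   $(meltdown_verdict "$(cat /proc/cmdline)" "$status")"
fi
```

A result of `pti-disabled` or `vulnerable` on a fleet host is worth flagging, since the advisory notes the mitigation can be turned off for performance reasons.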