Re: [SECURITY] [DSA 4078-1] linux security update
On Fri, 12 Jan 2018, Moritz Mühlenhoff wrote:
> Frank Nord wrote:
> > Peeking at Ubuntu:
> > https://usn.ubuntu.com/usn/usn-3522-3/
> > "USN-3522-1 fixed a vulnerability in the Linux kernel to address
> > Meltdown (CVE-2017-5754). Unfortunately, that update introduced
> > a regression where a few systems failed to boot successfully. This
> > update fixes the problem."
> >
> > Do you know if the regression mentioned in
> > USN-3522-3 exists in stretch's deb9u2 as of today?
>
> No, the Ubuntu 4.4 regression was an Ubuntu-specific broken hunk
> in the backported patch sets, it's unrelated to what you're seeing
> in stretch.

For the record, an issue with EFI was found on 4.4 upstream, as well as
another issue with EFI on both 4.4 and 4.9 upstream. I believe the fixes
will show up in the next -stable.

They are related to the changes done due to the meltdown mitigation, and
they don't trigger on every system.

--
Henrique Holschuh
Re: [SECURITY] [DSA 4078-1] linux security update
Frank Nord wrote:
> Peeking at Ubuntu:
> https://usn.ubuntu.com/usn/usn-3522-3/
> "USN-3522-1 fixed a vulnerability in the Linux kernel to address
> Meltdown (CVE-2017-5754). Unfortunately, that update introduced
> a regression where a few systems failed to boot successfully. This
> update fixes the problem."
>
> Do you know if the regression mentioned in
> USN-3522-3 exists in stretch's deb9u2 as of today?

No, the Ubuntu 4.4 regression was an Ubuntu-specific broken hunk
in the backported patch sets, it's unrelated to what you're seeing
in stretch.

Cheers,
Moritz
Re: [SECURITY] [DSA 4078-1] linux security update
Hello,

On 2018-01-11 at 12:29, Frank Nord wrote:
> Hello,
>
>
> On 2018-01-11 at 11:58, Henrique de Moraes Holschuh wrote:
>> On Thu, 11 Jan 2018, Frank Nord wrote:
>>> I've problems applying this on my mac mini (Intel(R) Core(TM) 2 Duo CPU,
>>> P7550 @ 2.6 GHz).
>
>>> 3.20170707.1~deb9u1 from stretch. What's the recommended
>>> microcode-version for this kernel?
[...]
> Getting back to my original question: Shall I file a bug report for
> deb9u2 not being able to boot my P7550 (in contrast to deb9u1) or is it
> known anyway?

Peeking at Ubuntu:
https://usn.ubuntu.com/usn/usn-3522-3/
"USN-3522-1 fixed a vulnerability in the Linux kernel to address
Meltdown (CVE-2017-5754). Unfortunately, that update introduced
a regression where a few systems failed to boot successfully. This
update fixes the problem."

Problems were reported on a Core i5-2500 - maybe it's related:
https://lists.ubuntu.com/archives/ubuntu-users/2018-January/293149.html

Do you know if the regression mentioned in
USN-3522-3 exists in stretch's deb9u2 as of today?

Greetings,
Frank
Re: [SECURITY] [DSA 4078-1] linux security update
Hello,

On 2018-01-11 at 11:58, Henrique de Moraes Holschuh wrote:
> On Thu, 11 Jan 2018, Frank Nord wrote:
>> I've problems applying this on my mac mini (Intel(R) Core(TM) 2 Duo CPU,
>> P7550 @ 2.6 GHz).
>> 3.20170707.1~deb9u1 from stretch. What's the recommended
>> microcode-version for this kernel?
>
> The one you have is currently fine. Intel has not published
> Spectre-related microcode mitigation for the Core 2 duo, at least not
> yet.
>
> Maybe they will update the Core2 duo, maybe they will not... It is a
> very old model, the microcode might not have enough control there to do
> it without disabling way way too much stuff (and thus incurring an
> absurd performance regression).
>
> When the microcode doesn't have the Spectre mitigation support for
> whatever reason (or you opt to not use it because it is too slow, etc),
> "retpoline" software mitigation should do the job just fine to protect
> against the currently known variants of spectre.
>
> However, retpoline support is not ready yet. It is being worked on the
> kernel upstream, and it requires compiler support, too... which is also
> being worked at gcc and clang upstream.
>
> We have a couple interesting weeks ahead of us, with lots of -security
> and stable updates to do :p

Thanks for your help - that's interesting.

Getting back to my original question: Shall I file a bug report for
deb9u2 not being able to boot my P7550 (in contrast to deb9u1) or is it
known anyway?

Greetings,
Frank
Re: [SECURITY] [DSA 4078-1] linux security update
On Thu, 11 Jan 2018, Frank Nord wrote:
> I've problems applying this on my mac mini (Intel(R) Core(TM) 2 Duo CPU,
> P7550 @ 2.6 GHz).
...
> 3.20170707.1~deb9u1 from stretch. What's the recommended
> microcode-version for this kernel?

The one you have is currently fine. Intel has not published
Spectre-related microcode mitigation for the Core 2 duo, at least not
yet.

Maybe they will update the Core2 duo, maybe they will not... It is a
very old model, the microcode might not have enough control there to do
it without disabling way way too much stuff (and thus incurring an
absurd performance regression).

When the microcode doesn't have the Spectre mitigation support for
whatever reason (or you opt to not use it because it is too slow, etc),
"retpoline" software mitigation should do the job just fine to protect
against the currently known variants of spectre.

However, retpoline support is not ready yet. It is being worked on the
kernel upstream, and it requires compiler support, too... which is also
being worked at gcc and clang upstream.

We have a couple interesting weeks ahead of us, with lots of -security
and stable updates to do :p

--
Henrique Holschuh
Re: [SECURITY] [DSA 4078-1] linux security update
Hello,

On 2018-01-04 at 23:25, Yves-Alexis Perez wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-4078-1                   secur...@debian.org
> https://www.debian.org/security/                        Yves-Alexis Perez
> January 04, 2018                      https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : linux
> CVE ID         : CVE-2017-5754
>
> For the stable distribution (stretch), this problem has been fixed in
> version 4.9.65-3+deb9u2.

I've problems applying this on my mac mini (Intel(R) Core(TM) 2 Duo CPU,
P7550 @ 2.6 GHz).

deb9u1 went fine, but when booting u2, the system freezes. After
fsck,... running /scripts/init-bottom and loading ip_tables it hangs,
showing a panic on usb-drives from time to time.

https://share.mailbox.org/ajax/share/0af9382a020c6148ab0d0bf20c614d5ab1e0c91bf0f480f7/1/8/MzQ/MzQvMTA

Booting without usb-devices, freezes without an error.

Are you aware of any regressions? I'm using intel microcode
3.20170707.1~deb9u1 from stretch. What's the recommended
microcode-version for this kernel?

Thanks,
Frank

--
For those of you without hope, we have rooms with color TV,
cable and air conditioning
[SECURITY] [DSA 4078-1] linux security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4078-1                   secur...@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
January 04, 2018                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2017-5754

Multiple researchers have discovered a vulnerability in Intel processors,
enabling an attacker controlling an unprivileged process to read memory
from arbitrary addresses, including from the kernel and all other
processes running on the system.

This specific attack has been named Meltdown and is addressed in the
Linux kernel for the Intel x86-64 architecture by a patch set named
Kernel Page Table Isolation, enforcing a near complete separation of the
kernel and userspace address maps and preventing the attack. This
solution might have a performance impact, and can be disabled at boot
time by passing `pti=off' to the kernel command line.

We also identified a regression for ancient userspaces using the vsyscall
interface, for example chroot and containers using (e)glibc 2.13 and
older, including those based on Debian 7 or RHEL/CentOS 6. This
regression will be fixed in a later update.

The other vulnerabilities (named Spectre) published at the same time are
not addressed in this update and will be fixed in a later update.

For the oldstable distribution (jessie), this problem will be fixed in a
separate update.

For the stable distribution (stretch), this problem has been fixed in
version 4.9.65-3+deb9u2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
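
The advisory above notes that Kernel Page Table Isolation can be switched off with `pti=off`; the following check, an added example that is not part of the advisory or of any message in this thread, reports whether isolation is in effect on a host. It assumes the sysfs `vulnerabilities/meltdown` file of later kernels and the `pti`/`kaiser` CPU flags as evidence, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: is Kernel Page Table Isolation (the Meltdown fix) active?
# File arguments default to the live system, so captured copies can be checked too.

# Print "off" if the boot command line disables KPTI, else "default".
# pti=off is the switch named in the advisory; nopti is the mainline synonym.
pti_cmdline_state() {
    if 2>/dev/null tr ' ' '\n' < "$1" | grep -qxE 'pti=off|nopti'; then
        echo off
    else
        echo default
    fi
}

# Print "yes" if the CPU flags list pti (mainline) or kaiser (4.4/4.9 backports).
pti_cpu_flag() {
    if grep -m1 '^flags' "$1" 2>/dev/null | grep -Eqw 'pti|kaiser'; then
        echo yes
    else
        echo no
    fi
}

# Combine the evidence: meltdown_status CMDLINE CPUINFO SYSFS_FILE
meltdown_status() {
    if [ -r "$3" ]; then
        # Kernels that expose this file report the state directly.
        case "$(cat "$3")" in
            "Mitigation: PTI"*) echo "mitigated: KPTI enabled (sysfs)" ;;
            "Not affected"*)    echo "not affected" ;;
            *)                  echo "vulnerable: $(cat "$3")" ;;
        esac
    elif [ "$(pti_cmdline_state "$1")" = off ]; then
        echo "vulnerable: KPTI disabled on kernel command line"
    elif [ "$(pti_cpu_flag "$2")" = yes ]; then
        echo "mitigated: KPTI enabled (cpu flag)"
    else
        echo "unknown: no KPTI evidence; check the installed kernel version"
    fi
}

meltdown_status "${1:-/proc/cmdline}" "${2:-/proc/cpuinfo}" \
    "${3:-/sys/devices/system/cpu/vulnerabilities/meltdown}"
```

An "unknown" result on stretch means the running kernel should be compared against the fixed version 4.9.65-3+deb9u2 named in the advisory.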