Re: Question on CVE-2017-5754 on Debian 8.9

Hi, On Thu, 25 Jan 2018 22:43:57 + Michael Fothergill wrote: > ​Should it not be ARCH =​x86-64 rather than amd64. > > It is so confusing. Hmm, to be honest, I don't know. As I said, if you build for amd64 on an amd64 system, you don't need to care about that,

Re: Question on CVE-2017-5754 on Debian 8.9

On 25 January 2018 at 22:35, Michael Lange wrote: > Hi, > > On Thu, 25 Jan 2018 21:43:19 + > Michael Fothergill wrote: > > > > Not sure, but didn't you want the very latest 4.15rc for some > > > Meltdown/Spectre issues? Are these also in

Re: Question on CVE-2017-5754 on Debian 8.9

Hi, On Thu, 25 Jan 2018 21:43:19 + Michael Fothergill wrote: > > Not sure, but didn't you want the very latest 4.15rc for some > > Meltdown/Spectre issues? Are these also in 4.14.15? > > > > ​ > > > > ​I copied the config file from the boot directory for the

Re: Question on CVE-2017-5754 on Debian 8.9

On 25 January 2018 at 22:04, Michael Fothergill < michael.fotherg...@gmail.com> wrote: > Dear All, > > I ran it again after deleting the .config file, copy the one /boot over > again > and running the yes """| oldconfig command and makekpkg > > and it ran and crashed again: > >

Re: Question on CVE-2017-5754 on Debian 8.9

On 2018-01-25 21:20:23 +0100, Jochen Spieker wrote: > You can use apt or aptitude for packages in experimental and I see no > reason against doing that. You do not even need to pin experimental. > Packages from experimental are automatically assigned priority 1, except > upgrades for packages that

Re: Question on CVE-2017-5754 on Debian 8.9

Dear All, I ran it again after deleting the .config file, copy the one /boot over again and running the yes """| oldconfig command and makekpkg and it ran and crashed again: https://pastebin.com/GJkEMVvc ​Should I have run make clean or something before repeating everything? Regards MF​

Re: Question on CVE-2017-5754 on Debian 8.9

On 2018-01-25 09:31:27 -0500, Greg Wooledge wrote: > On Thu, Jan 25, 2018 at 03:24:21PM +0100, Vincent Lefevre wrote: > > On 2018-01-24 11:19:36 -0500, Greg Wooledge wrote: > > > To use a package from experimental, you must download it directly, and > > > install it directly. You don't use apt or

Re: Question on CVE-2017-5754 on Debian 8.9

> Not sure, but didn't you want the very latest 4.15rc for some > Meltdown/Spectre issues? Are these also in 4.14.15? > > ​ > ​I copied the config file from the boot directory for the current 4.15.0 rc8 kernel as .config. I then ran make menuconfig and then realised I didn't need to change

Re: Question on CVE-2017-5754 on Debian 8.9

On Thu, 25 Jan 2018 17:12:48 + Michael Fothergill wrote: > My general strategy is as follows: > > 1. Download the latest stable kernel from the kernel archives; this is > 4.14.15 - I have done this. Not sure, but didn't you want the very latest 4.15rc for

Re: Question on CVE-2017-5754 on Debian 8.9

On 25 January 2018 at 19:25, Brian wrote: > On Thu 25 Jan 2018 at 18:15:29 +, Michael Fothergill wrote: > > > Also is fakeroot installed by default or do I need to install it > > separately? > > apt show fakeroot | grep -i priority > > What do you think? > > > Thanks

Re: Question on CVE-2017-5754 on Debian 8.9

Hi, On Thu, 25 Jan 2018 18:26:52 + Michael Fothergill wrote: > I have been looking at the web page here: > > https://wiki.debian.org/BuildADebianKernelPackage > > and noticed that the source file is supposed to be put in /usr/src it > says. > > It thinks the

Re: Question on CVE-2017-5754 on Debian 8.9

On 2018-01-25 21:20 +0100, Jochen Spieker wrote: > You can use apt or aptitude for packages in experimental and I see no > reason against doing that. You do not even need to pin experimental. > Packages from experimental are automatically assigned priority 1, except > upgrades for packages that

Re: Question on CVE-2017-5754 on Debian 8.9

Greg Wooledge: > > To use a package from experimental, you must download it directly, and > install it directly. You don't use apt or its cousins, unless it's > to backfill dependencies (apt-get -f install) from your actual release. Everything you wrote is correct but this paragraph. You can

Re: Question on CVE-2017-5754 on Debian 8.9

On Thu 25 Jan 2018 at 18:15:29 +, Michael Fothergill wrote: > Also is fakeroot installed by default or do I need to install it > separately? apt show fakeroot | grep -i priority What do you think? > Thanks for the hints here. Where are we going? It seems a long time getting there. :) --

Re: Question on CVE-2017-5754 on Debian 8.9

I have been looking at the web page here: https://wiki.debian.org/BuildADebianKernelPackage and noticed that the source file is supposed to be put in /usr/src it says. It thinks the file would have a format like this: *linux-source-x.x.tar.bz2* The file ​ I downloaded from the kernel.org

Re: Question on CVE-2017-5754 on Debian 8.9

On 25 January 2018 at 17:20, Michael Lange wrote: > On Thu, 25 Jan 2018 15:59:04 + > Michael Fothergill wrote: > > > ​I have become sid and installed a ton of dependencies from the > > experimental respository and finally installed gcc 8.

Re: Question on CVE-2017-5754 on Debian 8.9

On 25 January 2018 at 15:59, Michael Fothergill < michael.fotherg...@gmail.com> wrote: > > > On 25 January 2018 at 13:14, Michael Fothergill < > michael.fotherg...@gmail.com> wrote: > >> >> >> On 25 January 2018 at 13:01, Greg Wooledge wrote: >> >>> On Thu, Jan 25, 2018 at

Re: Question on CVE-2017-5754 on Debian 8.9

On Thu, 25 Jan 2018 15:59:04 + Michael Fothergill wrote: > ​I have become sid and installed a ton of dependencies from the > experimental respository and finally installed gcc 8. Oh, from a quick glance it looked like half a dozen might suffice :-) > > After

Re: Question on CVE-2017-5754 on Debian 8.9

On 25 January 2018 at 13:14, Michael Fothergill < michael.fotherg...@gmail.com> wrote: > > > On 25 January 2018 at 13:01, Greg Wooledge wrote: > >> On Thu, Jan 25, 2018 at 12:36:46PM +, Michael Fothergill wrote: >> > ​If I become sid and install the kernel correctly,

Re: Question on CVE-2017-5754 on Debian 8.9

On Thu 25 Jan 2018 at 09:31:27 (-0500), Greg Wooledge wrote: > On Thu, Jan 25, 2018 at 03:24:21PM +0100, Vincent Lefevre wrote: > > On 2018-01-24 11:19:36 -0500, Greg Wooledge wrote: > > > To use a package from experimental, you must download it directly, and > > > install it directly. You don't

Re: Question on CVE-2017-5754 on Debian 8.9

On Thu, Jan 25, 2018 at 03:24:21PM +0100, Vincent Lefevre wrote: > On 2018-01-24 11:19:36 -0500, Greg Wooledge wrote: > > To use a package from experimental, you must download it directly, and > > install it directly. You don't use apt or its cousins, unless it's > > to backfill dependencies

Re: Question on CVE-2017-5754 on Debian 8.9

On 2018-01-24 11:19:36 -0500, Greg Wooledge wrote: > To use a package from experimental, you must download it directly, and > install it directly. You don't use apt or its cousins, unless it's > to backfill dependencies (apt-get -f install) from your actual release. aptitude installs

Re: Question on CVE-2017-5754 on Debian 8.9

On 25 January 2018 at 13:01, Greg Wooledge wrote: > On Thu, Jan 25, 2018 at 12:36:46PM +, Michael Fothergill wrote: > > ​If I become sid and install the kernel correctly, could I go back to > being > > just buster (sounds like an energy drink) and carry on using the new

Re: Question on CVE-2017-5754 on Debian 8.9

On Thu, Jan 25, 2018 at 12:36:46PM +, Michael Fothergill wrote: > ​If I become sid and install the kernel correctly, could I go back to being > just buster (sounds like an energy drink) and carry on using the new kernel? No.

Re: Question on CVE-2017-5754 on Debian 8.9

>> > ​I tried installing gcc 8 on buster. It needs cpp8 which needs > ​libmrpfr6 > > ie this > > https://packages.debian.org/unstable/main/libmpfr6 > > which looks like its about being sid again.​ > > > ​I need to go to dependency rehab and sing the dem bones song again. > > Suggestions on

Re: Question on CVE-2017-5754 on Debian 8.9

On 25 January 2018 at 09:50, Michael Lange wrote: > Hi, > > On Thu, 25 Jan 2018 09:15:59 + > Michael Fothergill wrote: > > > > > > > > > > I have the same problem as in Gentoo. > > > > > > In order to install gcc 7.3 rc2 I think I would

Re: Question on CVE-2017-5754 on Debian 8.9

Hi, On Thu, 25 Jan 2018 09:15:59 + Michael Fothergill wrote: > > > > > > I have the same problem as in Gentoo. > > > > In order to install gcc 7.3 rc2 I think I would need to be sid. > > > > > > I don't think I want to be sid at present. > > > > ​But if I did

Re: Question on CVE-2017-5754 on Debian 8.9

> > > I have the same problem as in Gentoo. > > In order to install gcc 7.3 rc2 I think I would need to be sid. > > > I don't think I want to be sid at present. > ​But if I did want to be sid, would a source file like this suffice: ​ deb http://http.us.debian.org/debian/ unstable main contrib

Re: Question on CVE-2017-5754 on Debian 8.9

On 24 January 2018 at 22:32, Michael Lange wrote: > Hi, > > On Wed, 24 Jan 2018 20:07:07 + > Michael Fothergill wrote: > > (...) > > > ​I tried installing the headers file and it says I have dependency > > > problems:​ > > > > > > > > >

Re: Question on CVE-2017-5754 on Debian 8.9

Hi, On Wed, 24 Jan 2018 20:07:07 + Michael Fothergill wrote: (...) > > ​I tried installing the headers file and it says I have dependency > > problems:​ > > > > > > root@mikef-PC:/home/mikef/Downloads# dpkg -i > > linux-headers-4.15.0-rc8-all-

Re: Question on CVE-2017-5754 on Debian 8.9

On 24 January 2018 at 18:12, Michael Fothergill < michael.fotherg...@gmail.com> wrote: > > > On 24 January 2018 at 18:00, Michael Fothergill < > michael.fotherg...@gmail.com> wrote: > >> >> >> >> >> >> >> W: Possible missing firmware /lib/firmware/rtl_nic/rtl8105e-1.fw for >> module r8169 >> >>

Re: Question on CVE-2017-5754 on Debian 8.9

On 24 January 2018 at 18:00, Michael Fothergill < michael.fotherg...@gmail.com> wrote: > > > > > > > W: Possible missing firmware /lib/firmware/rtl_nic/rtl8105e-1.fw for > module r8169 > > > There is a gripe in there about the linux headers file not being installed > for it. > > There is a linux

Re: Question on CVE-2017-5754 on Debian 8.9

On 24 January 2018 at 17:38, Greg Wooledge wrote: > On Wed, Jan 24, 2018 at 04:51:35PM +, Michael Fothergill wrote: > > root@mikef-PC:/etc/apt# apt-get -t experimental install > > linux-headers-4.15.0-rc8-all-amd64 > > Reading package lists... Done > > > > ​and got the

Re: Question on CVE-2017-5754 on Debian 8.9

On Wed, Jan 24, 2018 at 10:06 AM, Nicholas Geovanis wrote: > Jonathon Dowland the Great Lutenist wrote: >> Sylvestre Ledru has uploaded the script to the Debian archive (package >> spectre-meltdown-checker in sid). I haven't checked but they might have >> made any

Re: Question on CVE-2017-5754 on Debian 8.9

On 24 January 2018 at 17:38, Greg Wooledge wrote: > On Wed, Jan 24, 2018 at 04:51:35PM +, Michael Fothergill wrote: > > root@mikef-PC:/etc/apt# apt-get -t experimental install > > linux-headers-4.15.0-rc8-all-amd64 > > Reading package lists... Done > > > > ​and got the

Re: Question on CVE-2017-5754 on Debian 8.9

On Wed, Jan 24, 2018 at 04:51:35PM +, Michael Fothergill wrote: > root@mikef-PC:/etc/apt# apt-get -t experimental install > linux-headers-4.15.0-rc8-all-amd64 > Reading package lists... Done > > ​and got the following error:​ > > > E: The value 'experimental' is invalid for

Re: Question on CVE-2017-5754 on Debian 8.9

On 2018-01-24 at 11:51, Michael Fothergill wrote: > ​I fired up Debian stretch here and ran the following:​ > > > ​r​ > oot@mikef-PC:/etc/apt# apt-get update > Ign:1 http://ftp.uk.debian.org/debian stretch InRelease > Hit:2 http://ftp.uk.debian.org/debian stretch Release > Hit:3

Re: Question on CVE-2017-5754 on Debian 8.9

On 24 January 2018 at 16:19, Greg Wooledge wrote: > On Wed, Jan 24, 2018 at 03:49:08PM +, Michael Fothergill wrote: > > If you can be sid and experimental together then I guess [...] > > Experimental is not a release. You can't "be experimental". It is > merely a place

Re: Question on CVE-2017-5754 on Debian 8.9

On 24 January 2018 at 16:19, Greg Wooledge wrote: > On Wed, Jan 24, 2018 at 03:49:08PM +, Michael Fothergill wrote: > > If you can be sid and experimental together then I guess [...] > > Experimental is not a release. You can't "be experimental". It is > merely a place

Re: Question on CVE-2017-5754 on Debian 8.9

On 24 January 2018 at 15:49, Michael Fothergill < michael.fotherg...@gmail.com> wrote: > > > On 24 January 2018 at 14:15, Michael Fothergill < > michael.fotherg...@gmail.com> wrote: > >> >> >> On 24 January 2018 at 14:11, Vincent Lefevre wrote: >> >>> On 2018-01-24 14:44:18

Re: Question on CVE-2017-5754 on Debian 8.9

On Wed, Jan 24, 2018 at 03:49:08PM +, Michael Fothergill wrote: > If you can be sid and experimental together then I guess [...] Experimental is not a release. You can't "be experimental". It is merely a place where individual packages are uploaded, when they are considered "not ready to be

Re: Question on CVE-2017-5754 on Debian 8.9

Jonathon Dowland the Great Lutenist wrote: > Sylvestre Ledru has uploaded the script to the Debian archive (package > spectre-meltdown-checker in sid). I haven't checked but they might have > made any necessary alterations for it to perform properly on Debian > systems. It might be worth trying

Re: Question on CVE-2017-5754 on Debian 8.9

On 24 January 2018 at 14:15, Michael Fothergill < michael.fotherg...@gmail.com> wrote: > > > On 24 January 2018 at 14:11, Vincent Lefevre wrote: > >> On 2018-01-24 14:44:18 +0100, Sven Hartge wrote: >> > Michael Fothergill wrote: >> > > On 24

Re: Question on CVE-2017-5754 on Debian 8.9

On 24 January 2018 at 14:11, Vincent Lefevre wrote: > On 2018-01-24 14:44:18 +0100, Sven Hartge wrote: > > Michael Fothergill wrote: > > > On 24 January 2018 at 12:58, Sven Hartge wrote: > > > > >> Michael Fothergill

Re: Question on CVE-2017-5754 on Debian 8.9

On 2018-01-24 14:44:18 +0100, Sven Hartge wrote: > Michael Fothergill wrote: > > On 24 January 2018 at 12:58, Sven Hartge wrote: > > >> Michael Fothergill wrote: > > >> > The link within the above one: > >>>

Re: Question on CVE-2017-5754 on Debian 8.9

Michael Fothergill wrote: > On 24 January 2018 at 12:58, Sven Hartge wrote: >> Michael Fothergill wrote: >> > The link within the above one: >>> https://gcc.gnu.org/ml/gcc/2018-01/msg00148.html >>> also has a link

Re: Question on CVE-2017-5754 on Debian 8.9

On 24 January 2018 at 12:58, Sven Hartge wrote: > Michael Fothergill wrote: > > > The link within the above one: > > https://gcc.gnu.org/ml/gcc/2018-01/msg00148.html > > also has a link to the ftp download for the release candidate version of >

Re: Question on CVE-2017-5754 on Debian 8.9

Michael Fothergill wrote: > The link within the above one: > https://gcc.gnu.org/ml/gcc/2018-01/msg00148.html > also has a link to the ftp download for the release candidate version of > gcc 7.3 ie 7.3.0rc1 which does actually work for spectre and retpoline.

Re: Question on CVE-2017-5754 on Debian 8.9

On 24 January 2018 at 11:52, Michael Fothergill < michael.fotherg...@gmail.com> wrote: > > > On 24 January 2018 at 11:21, Michael Fothergill < > michael.fotherg...@gmail.com> wrote: > >> >> >> On 24 January 2018 at 10:53, Michael Fothergill < >> michael.fotherg...@gmail.com> wrote: >> >>> >>> >>>

Re: Question on CVE-2017-5754 on Debian 8.9

On 24 January 2018 at 11:21, Michael Fothergill < michael.fotherg...@gmail.com> wrote: > > > On 24 January 2018 at 10:53, Michael Fothergill < > michael.fotherg...@gmail.com> wrote: > >> >> >> >>> >>> The neowin link above has a link to a Phoronix article[1], which >>> suggests you need GCC 8.0,

Re: Question on CVE-2017-5754 on Debian 8.9

On 24 January 2018 at 10:53, Michael Fothergill < michael.fotherg...@gmail.com> wrote: > > > >> >> The neowin link above has a link to a Phoronix article[1], which >> suggests you need GCC 8.0, or maybe 7.3 if a backport succeeds. That was >> 9 days ago, of course ... Stretch only has 6.3, and

Re: Question on CVE-2017-5754 on Debian 8.9

> > The neowin link above has a link to a Phoronix article[1], which > suggests you need GCC 8.0, or maybe 7.3 if a backport succeeds. That was > 9 days ago, of course ... Stretch only has 6.3, and even sid only has > 7.2, so I don't see it hitting debian soon. > > Richard > > [1] >

Re: Question on CVE-2017-5754 on Debian 8.9

On Tue, Jan 23, 2018 at 05:07:15PM -0600, Nicholas Geovanis wrote: Sorry, should have added that the string "Linux version" also does not appear in the dmesg results after a reboot. So despite the check script's advice, a reboot doesn't change the results here. Sylvestre Ledru has uploaded the

Re: Question on CVE-2017-5754 on Debian 8.9

On 24/01/18 12:11, Michael Stone wrote: > Unless you took specific steps to disable kpti on a kernel that supports > it, it will be on. Only if the CPU needs it, I think. It's enabled on my i5, but not on my AMD or my atom. Richard (I'm on the list; please don't cc me) signature.asc

Re: Question on CVE-2017-5754 on Debian 8.9

On Tue, Jan 23, 2018 at 05:02:39PM -0600, Nicholas Geovanis wrote: So my question becomes: Is it just my server, or others too? And why me? dmesg reads a ring buffer; there are a limited number of entries, after which the oldest lines are dropped to make room for newer lines. Relying on

Re: Question on CVE-2017-5754 on Debian 8.9

Sorry, should have added that the string "Linux version" also does not appear in the dmesg results after a reboot. So despite the check script's advice, a reboot doesn't change the results here. On Tue, Jan 23, 2018 at 5:02 PM, Nicholas Geovanis wrote: > There was a newer

Re: Question on CVE-2017-5754 on Debian 8.9

There was a newer version of the script (about 4 hours newer), but the new version yields the same result. So I have a debian 8.6 machine for which this test in the script is failing: if ! dmesg | grep -qE '(^|\] )Linux version [0-9]'; then # dmesg truncated

Re: Question on CVE-2017-5754 on Debian 8.9

On 24/01/18 11:27, Michael Fothergill wrote: > > > > > > ​Hi there,  I am running kernel 4.14.14 under gentoo testing on an > AMD kaveri box. > > The version of GCC I am using is 7.2.  Whether that means the > reptoline patch is working for me I am not quite sure but it could

Re: Question on CVE-2017-5754 on Debian 8.9

>> > ​Hi there, I am running kernel 4.14.14 under gentoo testing on an AMD > kaveri box. > > The version of GCC I am using is 7.2. Whether that means the reptoline > patch is working for me I am not quite sure but it could be I guess. > > Someone who is smarter than the average bear has

Re: Question on CVE-2017-5754 on Debian 8.9

On 23 January 2018 at 21:16, Sven Hartge wrote: > Nicholas Geovanis wrote: > > > I've installed the patch for CVE-2017-5754 as well as the microcode > update: > > Well, Intel majorly fscked up their microcodes and strongly recommends > to revert to an

Re: Question on CVE-2017-5754 on Debian 8.9

Nicholas Geovanis wrote: > On Tue, Jan 23, 2018 at 3:16 PM, Sven Hartge wrote: >> Nicholas Geovanis wrote: >>> I've installed the patch for CVE-2017-5754 as well as the microcode update: >> So, right now, unless you have the

Re: Question on CVE-2017-5754 on Debian 8.9

On Tue, Jan 23, 2018 at 3:16 PM, Sven Hartge wrote: > Nicholas Geovanis wrote: > >> I've installed the patch for CVE-2017-5754 as well as the microcode update: > > So, right now, unless you have the latest bleeding edge kernel, compiled > with a

Re: Question on CVE-2017-5754 on Debian 8.9

Nicholas Geovanis wrote: > I've installed the patch for CVE-2017-5754 as well as the microcode update: Well, Intel majorly fscked up their microcodes and strongly recommends to revert to an earlier BIOS/UEFI firmware (if possible) and also advised all vendors shipping

Question on CVE-2017-5754 on Debian 8.9

I've installed the patch for CVE-2017-5754 as well as the microcode update: # uname -a Linux ftp51 3.16.0-5-amd64 #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) x86_64 GNU/Linux # dmesg | grep isolation [0.00] Kernel/User page tables isolation: enabled And yet, the widely-recommended test