Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-27 Thread Vincent Lefevre
On 2018-02-19 14:10:14 +, Brad Rogers wrote: > If anyone wants to check their (linux) system specifically for the > current state of spectre+meltdown mitigation on a given machine then > have a look here: > > https://github.com/speed47/spectre-meltdown-checker > > Really simple instructions

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-26 Thread Henrique de Moraes Holschuh
On Mon, 26 Feb 2018, Curt wrote: > What does that mean 'bugs : cpu_meltdown spectre_v1 spectre_v2 > exactly? It is supposed to mean your processor has those defects. It does not say anything about the mitigation strategy being employed to avoid those defects. Obviously, that thing

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-26 Thread Curt
On 2018-02-23, Reco wrote: > So it seems. New kernel came today with the usual 'apt update && apt > upgrade' routine: > > $ uname -r > 4.9.0-6-amd64 > > $ grep bug /proc/cpuinfo > bugs: cpu_meltdown spectre_v1 spectre_v2 > ... What does that mean 'bugs

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 18:41, Michael Lange wrote: > On Fri, 23 Feb 2018 16:27:23 + > Michael Fothergill wrote: > > > > > Sure enough, looking at the spectre meltdown checker on the kernel I am > > using in gentoo > > shows the > > > >

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Lange
On Fri, 23 Feb 2018 16:27:23 + Michael Fothergill wrote: > > Sure enough, looking at the spectre meltdown checker on the kernel I am > using in gentoo > shows the > > retpoline is enabled and that the vulnerability status is "not > vulnerable". > > It's

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Lange
On Fri, 23 Feb 2018 16:40:00 + Michael Fothergill wrote: (...) > > * Mitigation 2 > > * Kernel compiled with retpoline option: YES > > * Kernel compiled with a retpoline-aware compiler: YES (kernel > > reports full retpoline compilation) > > > STATUS:

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 16:28, Michael Lange wrote: > Hi, > > On Fri, 23 Feb 2018 16:52:12 +0100 > Felipe Salvador wrote: > > (...) > > > CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2' > > > * Mitigated according to the /sys

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 16:14, Michael Fothergill < michael.fotherg...@gmail.com> wrote: > > > On 23 February 2018 at 14:14, Michael Fothergill < > michael.fotherg...@gmail.com> wrote: > >> >> >> On 23 February 2018 at 14:05, mlnl wrote: >> >>> Hi, >>> >>> > Can it be true? A

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Lange
Hi, On Fri, 23 Feb 2018 16:52:12 +0100 Felipe Salvador wrote: (...) > > CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2' > > * Mitigated according to the /sys interface: YES (kernel confirms > > that the mitigation is active) > > * Mitigation 1 > >

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 14:14, Michael Fothergill < michael.fotherg...@gmail.com> wrote: > > > On 23 February 2018 at 14:05, mlnl wrote: > >> Hi, >> >> > Can it be true? A version of gcc that runs on stretch that will >> > compile the latest fancy spectre fixes etc? >> >> with

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Felipe Salvador
On Fri, Feb 23, 2018 at 03:05:18PM +0100, mlnl wrote: > Hi, > > > Can it be true? A version of gcc that runs on stretch that will > > compile the latest fancy spectre fixes etc? > > with latest vanilla kernel 4.15.4 and updated gcc-6: > > CVE-2017-5753 [bounds check bypass] aka 'Spectre

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 14:05, mlnl wrote: > Hi, > > > Can it be true? A version of gcc that runs on stretch that will > > compile the latest fancy spectre fixes etc? > > with latest vanilla kernel 4.15.4 and updated gcc-6: > > CVE-2017-5753 [bounds check bypass] aka 'Spectre

Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 14:08, Reco wrote: > Hi. > > On Fri, Feb 23, 2018 at 01:47:25PM +, Michael Fothergill wrote: > > On 23 February 2018 at 13:42, Reco wrote: > > > > > Hi. > > > > > > On Fri, Feb 23, 2018 at 01:14:16PM +,

Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Reco
Hi. On Fri, Feb 23, 2018 at 01:47:25PM +, Michael Fothergill wrote: > On 23 February 2018 at 13:42, Reco wrote: > > > Hi. > > > > On Fri, Feb 23, 2018 at 01:14:16PM +, Michael Fothergill wrote: > > > On 23 February 2018 at 12:43, Reco

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread mlnl
Hi, > Can it be true? A version of gcc that runs on stretch that will > compile the latest fancy spectre fixes etc? with latest vanilla kernel 4.15.4 and updated gcc-6: CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1' * Mitigated according to the /sys interface: YES (kernel

Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 13:42, Reco wrote: > Hi. > > On Fri, Feb 23, 2018 at 01:14:16PM +, Michael Fothergill wrote: > > On 23 February 2018 at 12:43, Reco wrote: > > > > > Hi. > > > > > > On Wed, Feb 21, 2018 at 06:46:05PM +0100,

apt vs apt-get (was: Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?)

2018-02-23 Thread Reco
Hi. On Fri, Feb 23, 2018 at 08:54:31AM -0500, Greg Wooledge wrote: > On Fri, Feb 23, 2018 at 04:42:01PM +0300, Reco wrote: > > So it seems. New kernel came today with the usual 'apt update && apt > > upgrade' routine: > > > > $ uname -r > > 4.9.0-6-amd64 > > You mean "apt (or apt-get)

Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Greg Wooledge
On Fri, Feb 23, 2018 at 04:42:01PM +0300, Reco wrote: > So it seems. New kernel came today with the usual 'apt update && apt > upgrade' routine: > > $ uname -r > 4.9.0-6-amd64 You mean "apt (or apt-get) dist-upgrade", right? /me tries it on a different computer that hasn't dist-upgraded yet...

Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Reco
Hi. On Fri, Feb 23, 2018 at 01:14:16PM +, Michael Fothergill wrote: > On 23 February 2018 at 12:43, Reco wrote: > > > Hi. > > > > On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote: > > > Hi, > > > > > > Do you have any clue on when the gcc

Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 12:43, Reco wrote: > Hi. > > On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote: > > Hi, > > > > Do you have any clue on when the gcc fix for stretch is to be released ? > > > > Actually the retpoline-compliant kernel is ready, and

Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Reco
Hi. On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote: > Hi, > > Do you have any clue on when the gcc fix for stretch is to be released ? > > Actually the retpoline-compliant kernel is ready, and gcc fixes for stretch > seem to have already been implemented. So I dunno what

Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-21 Thread Michael Fothergill
On 21 February 2018 at 17:46, Julien Aubin wrote: > Hi, > > Do you have any clue on when the gcc fix for stretch is to be released ? > > Actually the retpoline-compliant kernel is ready, and gcc fixes for > stretch seem to have already been implemented. So I dunno what is

Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-21 Thread Julien Aubin
Hi, Do you have any clue on when the gcc fix for stretch is to be released ? Actually the retpoline-compliant kernel is ready, and gcc fixes for stretch seem to have already been implemented. So I dunno what is still blocking the release. :'( Thanks a lot.

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Andy Smith
Hi Stephen, On Tue, Feb 20, 2018 at 10:09:52AM +0100, Stephan Seitz wrote: > On Di, Feb 20, 2018 at 05:09:12 +, Andy Smith wrote: > >CVE-2017-5753 is Spectre v1. There is no fix for Spectre v1 anywhere > >yet, not even in Linux upstream. > > Are you sure? […] > >STATUS: NOT VULNERABLE

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Michael Fothergill
On 20 February 2018 at 10:01, Michael Lange wrote: > Hi, > > On Tue, 20 Feb 2018 08:05:19 + > Michael Fothergill wrote: > > > For me at any rate if the new version of gcc 4.9 makes it easier for a > > new user to get access to that

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Greg Wooledge
On Tue, Feb 20, 2018 at 04:52:45AM +, Andy Smith wrote: > Versions of gcc that have the retpoline feature backported into them > have already hit stable and oldstable (and maybe others; haven't > checked), Just oldstable, actually. Not stable yet.

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Michael Lange
Hi, On Tue, 20 Feb 2018 08:05:19 + Michael Fothergill wrote: > For me at any rate if the new version of gcc 4.9 makes it easier for a > new user to get access to that portion of Spectre vulnerability jointly > with the availability of Meltdown as is, then

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Stephan Seitz
On Di, Feb 20, 2018 at 05:09:12 +, Andy Smith wrote: CVE-2017-5753 is Spectre v1. There is no fix for Spectre v1 anywhere yet, not even in Linux upstream. Are you sure? CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1' * Mitigated according to the /sys interface: YES (kernel

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Michael Fothergill
On 20 February 2018 at 05:09, Andy Smith wrote: > Hello, > > On Mon, Feb 19, 2018 at 09:03:20PM +, Michael Fothergill wrote: > > On 19 February 2018 at 19:10, Michael Lange > wrote: > > > no, I meant to say that you were looking at the wrong place

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Andy Smith
Hello, On Mon, Feb 19, 2018 at 09:03:20PM +, Michael Fothergill wrote: > On 19 February 2018 at 19:10, Michael Lange wrote: > > no, I meant to say that you were looking at the wrong place if you wanted > > to see if the "spectre-2" fix has arrived in debian, for this

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Andy Smith
Hello, > On 19 February 2018 at 13:13, Turritopsis Dohrnii Teo En Ming < > tdteoenm...@gmail.com> wrote: > > > What are the patches that I can download and install to be protected > > against the Meltdown and Spectre security vulnerabilities? The linux-kernel-* packages in Debian stable already

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Gene Heskett
On Monday 19 February 2018 15:43:16 Greg Wooledge wrote: > On Mon, Feb 19, 2018 at 03:27:36PM -0500, Gene Heskett wrote: > > On Monday 19 February 2018 13:31:46 Michael Lange wrote: > > > apt-get install spectre-meltdown-checker > > > > not available for stretch on arm64, why? > > Because this

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Lange
On Mon, 19 Feb 2018 15:43:16 -0500 Greg Wooledge wrote: > On Mon, Feb 19, 2018 at 03:27:36PM -0500, Gene Heskett wrote: > > On Monday 19 February 2018 13:31:46 Michael Lange wrote: > > > apt-get install spectre-meltdown-checker > > not available for stretch on arm64, why? >

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Fothergill
On 19 February 2018 at 19:10, Michael Lange wrote: > Hi, > > On Mon, 19 Feb 2018 18:46:15 + > Michael Fothergill wrote: > > > Are you saying that this link: > > > > https://security-tracker.debian.org/tracker/CVE-2017-5753 > > > > which

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Greg Wooledge
On Mon, Feb 19, 2018 at 03:27:36PM -0500, Gene Heskett wrote: > On Monday 19 February 2018 13:31:46 Michael Lange wrote: > > apt-get install spectre-meltdown-checker > not available for stretch on arm64, why? Because this package did not exist at the time stretch was frozen. Nor even at the time

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Gene Heskett
On Monday 19 February 2018 13:31:46 Michael Lange wrote: > Hi, > > On Mon, 19 Feb 2018 14:10:14 + > Brad Rogers wrote: > > (...) > > > If anyone wants to check their (linux) system specifically for the > > current state of spectre+meltdown mitigation on a given machine

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Lange
Hi, On Mon, 19 Feb 2018 18:46:15 + Michael Fothergill wrote: > Are you saying that this link: > > https://security-tracker.debian.org/tracker/CVE-2017-5753 > > which looks like it should be going to a spectre 1 fix is actually a > discussion and tables etc

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Brad Rogers
On Mon, 19 Feb 2018 19:31:46 +0100 Michael Lange wrote: Hello Michael, >With debian it is even simpler: >apt-get install spectre-meltdown-checker >sudo spectre-meltdown-checker I hadn't realised it was in the repos. -- Regards _ / ) "The blindingly

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Fothergill
On 19 February 2018 at 18:24, Michael Lange wrote: > Hi, > > On Mon, 19 Feb 2018 16:40:19 + > Michael Fothergill wrote: > > > On 19 February 2018 at 14:10, Greg Wooledge wrote: > > > > > On Mon, Feb 19, 2018 at

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Lange
Hi, On Mon, 19 Feb 2018 14:10:14 + Brad Rogers wrote: (...) > If anyone wants to check their (linux) system specifically for the > current state of spectre+meltdown mitigation on a given machine then > have a look here: > >

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Lange
On Mon, 19 Feb 2018 21:00:08 +0300 Reco wrote: > On Mon, Feb 19, 2018 at 05:24:18PM +, Michael Fothergill wrote: > > On 19 February 2018 at 17:03, Reco wrote: > > > > > Hi. > > > > > > On Mon, Feb 19, 2018 at 04:40:19PM +, Michael

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Lange
Hi, On Mon, 19 Feb 2018 16:40:19 + Michael Fothergill wrote: > On 19 February 2018 at 14:10, Greg Wooledge wrote: > > > On Mon, Feb 19, 2018 at 09:13:42PM +0800, Turritopsis Dohrnii Teo En > > Ming wrote: > > > What are the patches that I

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Reco
On Mon, Feb 19, 2018 at 05:24:18PM +, Michael Fothergill wrote: > On 19 February 2018 at 17:03, Reco wrote: > > > Hi. > > > > On Mon, Feb 19, 2018 at 04:40:19PM +, Michael Fothergill wrote: > > > I had thought up to now that e.g. kernel 4.15.4-1 was new

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Fothergill
On 19 February 2018 at 17:03, Reco wrote: > Hi. > > On Mon, Feb 19, 2018 at 04:40:19PM +, Michael Fothergill wrote: > > I had thought up to now that e.g. kernel 4.15.4-1 was new enough that if > > you compiled it with gcc 7.3 then the spectre fix would then

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Reco
Hi. On Mon, Feb 19, 2018 at 04:40:19PM +, Michael Fothergill wrote: > I had thought up to now that e.g. kernel 4.15.4-1 was new enough that if > you compiled it with gcc 7.3 then the spectre fix would then work. Not unless you apply the retpoline patch to the gcc. For instance, just

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Fothergill
On 19 February 2018 at 14:10, Greg Wooledge wrote: > On Mon, Feb 19, 2018 at 09:13:42PM +0800, Turritopsis Dohrnii Teo En Ming > wrote: > > What are the patches that I can download and install to be protected > > against the Meltdown and Spectre security vulnerabilities? > >

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Roberto C . Sánchez
On Mon, Feb 19, 2018 at 01:23:25PM +, Michael Fothergill wrote: > >Checkout the debian backports suite (kindly resourcefully suggested by >Andy Smith) >Easiest thing to do when requiring a newer kernel would be to check >the backports suite, so in this case in

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Brad Rogers
On Mon, 19 Feb 2018 21:13:42 +0800 Turritopsis Dohrnii Teo En Ming wrote: Hello Turritopsis, >What are the patches that I can download and install to be protected >against the Meltdown and Spectre security vulnerabilities? First, you might want to check whether your

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Greg Wooledge
On Mon, Feb 19, 2018 at 09:13:42PM +0800, Turritopsis Dohrnii Teo En Ming wrote: > What are the patches that I can download and install to be protected > against the Meltdown and Spectre security vulnerabilities? Meltdown patch went out a month ago. Spectre, see here:

Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Fothergill
On 19 February 2018 at 13:13, Turritopsis Dohrnii Teo En Ming < tdteoenm...@gmail.com> wrote: > What are the patches that I can download and install to be protected > against the Meltdown and Spectre security vulnerabilities? > > ===BEGIN SIGNATURE=== > > Turritopsis Dohrnii Teo En Ming's