Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package spectre-meltdown-checker for 
openSUSE:Factory checked in at 2026-07-09 22:21:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/spectre-meltdown-checker (Old)
 and      /work/SRC/openSUSE:Factory/.spectre-meltdown-checker.new.1991 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "spectre-meltdown-checker"

Thu Jul  9 22:21:53 2026 rev:14 rq:1364752 version:26.36.0602723

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/spectre-meltdown-checker/spectre-meltdown-checker.changes
        2024-02-16 21:43:01.743158062 +0100
+++ 
/work/SRC/openSUSE:Factory/.spectre-meltdown-checker.new.1991/spectre-meltdown-checker.changes
      2026-07-09 22:22:58.353492224 +0200
@@ -1,0 +2,225 @@
+Thu Jul  9 14:49:48 UTC 2026 - Marcus Meissner <[email protected]>
+
+- updated to v26.36.0602723
+  Release highlights:
+
+  This release brings some features to ARM64 hosts. They get
+  dedicated silicon-errata checks, a proper CPU details block, and
+  architecture-aware filtering so x86 hosts no longer show ARM64 noise
+  and vice-versa.
+
+  On the x86 side, MMIO Stale Data detection is now much more honest
+  about end-of-life Intel CPUs that Intel never officially assessed,
+  these are now reported as UNK (or VULN under --paranoid) instead of
+  a misleading "not affected".
+
+  The tool now better detects guest environments and warns you that the
+  microcode version reported by your hypervisor may be fake or stale, so
+  the "up-to-date microcode" check can't be trusted from inside the guest.
+
+  More detailed changelog:
+
+  - Add ARM64 silicon errata (issue #357)
+
+  Three speculation/security-relevant ARM64 errata families are now
+  detected. As these are tracked by vendor erratum IDs rather than CVEs, a
+  new CVE-0001-NNNN placeholder range has been reserved for vendor errata,
+  along with a new --errata <number> selector (alongside --variant/--cve):
+
+  -   Speculative AT TLB corruption (1165522 / 1319367 / 1319537 / 1530923)
+  -   Speculative unprivileged load (2966298 / 3117295)
+  -   MSR SSBS not self-synchronizing (3194386 and siblings)
+
+  CPU affectedness is determined per-core from the (implementer,
+  part, variant, revision) tuple in /proc/cpuinfo, matching the
+  kernel code. Kernel mitigation detection relies on the per-erratum
+  CONFIG_ARM64_ERRATUM_NNNN symbols, kernel image descriptor strings,
+  and dmesg (no sysfs exists for these).
+
+  Architecture-aware CVE filtering
+
+  - CVE_REGISTRY gains an optional fifth field tagging checks as x86-only or 
arm-only; untagged entries apply everywhere.
+  - Default "all CVEs" runs now skip checks irrelevant to the inspected
+    architecture across text, JSON, NRPE and Prometheus outputs (no more
+    ARM64 errata on x86 hosts, or x86 CVEs on ARM hosts).
+  - Explicit --cve / --variant / --errata selection bypasses the check, so 
manual queries still run anywhere.
+  - In --no-hw mode, the host CPU is ignored, supporting cross-arch offline 
analysis driven by --kernel/--config/--map.
+
+  Fixes to existing CVEs
+
+  - MMIO Stale Data (CVE-2022-21123 / 21125 / 21166) (#437):
+    EOL Intel CPUs that Intel never officially assessed (Sandy/Ivy
+    Bridge, Haswell/Broadwell client, pre-Goldmont Atom, etc.) are now
+    reported as UNK (or VULN under --paranoid) instead of a misleading
+    "not affected". This corrects the picture on kernels where   sysfs
+    wrongly says "Not affected" (pre-v6.0 and v6.16+) and aligns with the
+    kernel's X86_BUG_MMIO_UNKNOWN set. The BSD path was corrected too:
+    no BSD implements an MMIO mitigation, so affected CPUs now report VULN
+    (with an explain rationale) rather than "not yet implemented".
+
+  VM guest detection (issue #336)
+
+  - New is_running_as_guest() detects VM guests (KVM, VMware, ESXi, Hyper-V, 
VirtualBox…) via the hypervisor CPUID flag in /proc/cpuinfo.
+  - New "Running as VM guest: YES/NO" line in the CPU details block (x86 and 
ARM).
+  - A warning is now emitted after the microcode-is-latest check, advising you 
to verify microcode on the hypervisor host, since a guest can be shown a fake 
CPUID/microcode version.
+  - JSON output exposes this: system.guest_vm (bool), system.guest_vm_reason 
(string), and cpu_microcode.unreliable_in_vm (bool).
+
+  Output display
+
+  - ARM CPUs now get a proper CPU details block in check_cpu(): vendor, model 
name, implementer(s), part(s), architecture(s) and VM-guest status. Previously 
the x86-only early return left ARM hosts with no check_cpu() output at all.
+
+  Tooling
+
+  - New scripts/update_mcedb.sh (on test and source branches), so that the 
GitHub workflow can regenerate src/db/200_mcedb.sh daily.
+
+  Documentation
+
+  - Unsupported CVE list: added the Jump Conditional Code (JCC) Erratum
+    (issue #329), a microarchitectural correctness bug (Skylake to Cascade
+    Lake), not a speculative side channel, with no CVE, no sysfs/CPUID/MSR
+    indicator, hence out of scope.
+
+- Updated to v26.33.0420460
+
+  With this release and the 7 new supported CVEs, we're up to date
+  with all published CVEs since 2018 that are in the scope of this tool
+  (33 so far).
+
+  The batch output formats also got a substantial overhaul: JSON, NRPE
+  and prometheus output formats now better respect each format community
+  guidelines, as well as carrying way more information if you want or
+  need to have a clear overview of your server fleet.
+
+  Operating modes have been clarified. You'll be able to chose between
+  4 modes, depending on whether you want to inspect the running kernel,
+  a kernel image, the CPU hardware, or a combination. See the "operating
+  modes" section of the README for more information.
+
+  A new --extra option has been added, which runs some additional
+  checks that are not CVE vulnerabilities per se, but may still be of
+  interest. SLS has been implemented and falls into this category.
+
+  Affected Intel CPU list up to date as of 2026-04.
+
+  Last but not least, a dozen fixes/enhancements/refinements of preexisting 
CVE checks have been done, along with some more general robustness / corner 
case fixes.
+  More detailed changelog
+
+  New CVE checks
+
+  -   CVE-2025-54505 aka FPDSS (Floating-Point Divider Stale Data Leak)
+  -   CVE-2023-28746 ana RFDS (Register File Data Sampling)
+  -   CVE-2023-20588 aka AMD DIV0 (Division by Zero Speculative Data Leak)
+  -   CVE-2022-21123 / 21125 / 21166 aka MMIO Stale Data
+
+  New extra checks
+
+  -   SLS aka Straight-Line Speculation, supplementary
+
+  Fixes / enhancements to existing CVEs
+
+  -   Spectre V2 (CVE-2017-5715): Red Hat RSB Filling detection (#235)
+  -   Spectre 3a (CVE-2018-3640): improved ARM mitigation detection
+  -   L1TF/Foreshadow (CVE-2018-3615): better lockdown detection, drop 
cap_flush_cmd requirement (#296)
+  -   TAA (CVE-2019-11135): new 0x10F MSR for TSX-disabled CPUs (#414)
+  -   SRBDS (CVE-2020-0543): fix microcode mitigation misdetection (#492)
+  -   Inception/SRSO (CVE-2023-20569): detect IPBP "PB-Inception" (#500)
+  -   TSA (CVE-2024-36350/36357): no TSA CPUID lines on non-AMD
+  -   MDS: fix CPUs affected by MSBDS but not MDS (#351)
+  -   MDS (FreeBSD): software mitigation = OK unless --paranoid (#503)
+
+  Batch output
+
+  -   --batch json reworked completely, structured format (meta, system, cpu, 
vulnerabilities[]) + JSON Schema. Old format still available as --batch 
json-terse
+  -   --batch prometheus reworked completely, new smc_* metric names
+  -   --batch nrpe added more textual information
+
+  CLI / run modes
+
+  -   New --no-runtime and --no-hw replace implicit offline mode
+  -   --live deprecated (now the default)
+  -   New --extra flag (gates SLS and future supplementary checks)
+  -   --no-intel-db removed (Intel DB always used when available)
+
+  Intel Database
+
+  -   Affected CPU list refreshed to 2026-04
+  -   Hybrid CPU detection (H=1/H=0)
+  -   New mitigation codes: MS, HS, HM
+  -   Intel codename mapping for JSON/Prometheus output
+
+  Output display & robustness
+
+  -   Clearer CPU details and kernel info sections
+  -   x86 / ARM checks now guarded to the correct architecture
+  -   CPUID fallback to /proc/cpuinfo when CPUID unavailable (VMs)
+  -   MSR read/write: clearer errors, proper lockdown reporting
+  -   wrmsr now specifies the core number (#294)
+  -   Microcode version never defaults to 0x0 when unknown
+  -   exit_cleanup preserves the passed exit code
+  -   --allow-msr-write early-abort crash fixed
+  -   Better Busybox / unlzma compatibility (#432)
+  -   BSD ucode fallback uses proper AMD MSR
+
+  Unsupported-CVE docs (new entries)
+
+  - Plundervolt (CVE-2019-11157), CacheOut (CVE-2020-0549),
+    Platypus (CVE-2020-8694/8695), CVE-2020-24511/24512, AMD Prefetch
+    (CVE-2021-26318), Native BHI (CVE-2024-2201) + TLBleed, Blindside.
+
+- Updated to v26.26.0404682
+  Another big round of updates as I'm catching up with the recent CVEs.
+  New CVE/vulnerabilities detection
+  -   CVE-2022-29900 (Retbleed AMD - Arbitrary Speculative Code Execution with 
Return Instructions)
+  -   CVE-2022-29901 (Retbleed Intel / RSBA - RSB Alternate Behavior)
+  -   CVE-2024-28956 (ITS - Indirect Target Selection)
+  -   CVE-2025-40300 (VMScape)
+  -   CVE-2024-45332 (BTI - Branch Target Injection)
+
+  Enhancements to existing CVE detections
+  -   CVE-2023-23583 (Reptar): update known fixed microcode versions
+  -   CVE-2024-45332 (BPI): add known fixed microcode versions
+
+  Bug fixes
+  -   Fix sys_interface_check() not properly setting the caller's $msg 
variable in the latest release (#533)
+
+  New documented unsupported CVEs
+
+  Already covered by an existing CVE check:
+  -   CVE-2025-20623 - Shared Microarchitectural Predictor State (10th Gen 
Intel), covered by CVE-2024-45332 (BPI)
+  -   CVE-2025-24495 - Lion Cove BPU Initialization, covered by CVE-2024-28956 
(ITS)
+
+  No kernel or microcode mitigations to check:
+  -   CVE-2020-12965 - Transient Execution of Non-Canonical Accesses / SLAM 
(AMD)
+  -   CVE-2024-7881 - ARM Prefetcher Privilege Escalation
+
+  Not a transient/speculative execution vulnerability:
+  -   CVE-2023-31315 - SinkClose (AMD SMM Lock Bypass)
+  -   CVE-2024-56161 - EntrySign (AMD Microcode Signature Bypass)
+  -   CVE-2025-29943 - StackWarp (AMD SEV-SNP)
+
+- Updated to  v26.21.0401891
+
+  Okay, this one is a massive update. Or, is this an easter egg?
+
+  First and foremost, the least visible but probably the most important for 
the continued maintainability of this project: the script has been split into a 
structured source tree of smaller scripts snippets, that are then assembled to 
produce the final self-contained spectre-meltdown-checker.sh.
+
+  With all this, also comes a new version numbering scheme: vXX.YY.ZZZZZZZ, 
automatically updated by the CI. XX=year, YY=number_of_managed_CVEs, 
ZZZZZZZ=based_on_datetime_of_release.
+
+  Now, here is a clearly non-exhaustive list of changes (refer to the commit 
log for more):
+
+  -   feat: added CVE-2024-36350/CVE-2024-36357 (Transient Scheduler Attack / 
TSA) (fixes #509)
+  -   feat: added CVE-2023-23583 (Reptar)
+  -   enh: CVE-2023-20593 (Zenbleed): Mitigation detection added for BSD
+  -   enh: improvement under BSD for a few CVEs, identifying unaffected CPUs 
even if mitigation is not implemented in BSD
+  -   enh: CVE-2017-5753 (Spectre Variant 1): massive update to the detection 
logic, as this was the first CVE ever implemented in this script, and a lot 
changed since then, both in the understanding of Spectre V1 and in the kernels.
+  -   enh: CVE-2017-5715 (Spectre Variant 2): massive update here too, 
including adding detection for BHI
+  -   enh: enhanced VMM autodetection with more supported hypervisor binaries
+  -   fix: cap_rdcl_no, cap_gds_no, cap_tsa_*_no were not marking the current 
CPU as immune for their respective vulnerabilities
+  -   fix: CVE-2018-3620: false VULN status on kernels reporting CPU as 
unaffected when RDCL_NO couldn't be parsed
+  -   fix: CVE-2023-20569: logic errors from kernel_sro type change, old 
kernels incorrectly reporting mitigated via sysfs are now detected
+  -   fix: --sysfs-only path fixed for a handful of CVEs, started to document 
complete sysfs strings history from the kernel source code for reference
+  -   fix: read_msr: fixed handling of values > INT32_MAX (fixes #507)
+  -   fix: several tool uses replaced (sort -V, sed -r, cut -w, stat -c, date 
-d @) to ensure compatibility with BSD (fixes #525)
+  -   doc: a (hopefully) nicer README, I'll have to update the screenshots 
though
+
+-------------------------------------------------------------------

Old:
----
  v0.46.tar.gz

New:
----
  v26.36.0602723.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ spectre-meltdown-checker.spec ++++++
--- /var/tmp/diff_new_pack.VH8sFx/_old  2026-07-09 22:22:58.949512917 +0200
+++ /var/tmp/diff_new_pack.VH8sFx/_new  2026-07-09 22:22:58.953513057 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package spectre-meltdown-checker
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           spectre-meltdown-checker
-Version:        0.46
+Version:        26.36.0602723
 Release:        0
 Summary:        Spectre & Meltdown Vulnerability Checker
 License:        GPL-3.0-only

++++++ gpl-3.0-standalone.html ++++++
--- /var/tmp/diff_new_pack.VH8sFx/_old  2026-07-09 22:22:58.985514168 +0200
+++ /var/tmp/diff_new_pack.VH8sFx/_new  2026-07-09 22:22:58.989514306 +0200
@@ -17,7 +17,7 @@
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.</p>
 
-<h3><a name="preamble"></a>Preamble</h3>
+<h4 id="preamble">Preamble</h4>
 
 <p>The GNU General Public License is a free, copyleft license for
 software and other kinds of works.</p>
@@ -80,9 +80,9 @@
 <p>The precise terms and conditions for copying, distribution and
 modification follow.</p>
 
-<h3><a name="terms"></a>TERMS AND CONDITIONS</h3>
+<h4 id="terms">TERMS AND CONDITIONS</h4>
 
-<h4><a name="section0"></a>0. Definitions.</h4>
+<h5 id="section0">0. Definitions.</h5>
 
 <p>&ldquo;This License&rdquo; refers to version 3 of the GNU General Public 
License.</p>
 
@@ -121,7 +121,7 @@
 the interface presents a list of user commands or options, such as a
 menu, a prominent item in the list meets this criterion.</p>
 
-<h4><a name="section1"></a>1. Source Code.</h4>
+<h5 id="section1">1. Source Code.</h5>
 
 <p>The &ldquo;source code&rdquo; for a work means the preferred form of the 
work
 for making modifications to it.  &ldquo;Object code&rdquo; means any non-source
@@ -163,7 +163,7 @@
 <p>The Corresponding Source for a work in source code form is that
 same work.</p>
 
-<h4><a name="section2"></a>2. Basic Permissions.</h4>
+<h5 id="section2">2. Basic Permissions.</h5>
 
 <p>All rights granted under this License are granted for the term of
 copyright on the Program, and are irrevocable provided the stated
@@ -188,7 +188,7 @@
 the conditions stated below.  Sublicensing is not allowed; section 10
 makes it unnecessary.</p>
 
-<h4><a name="section3"></a>3. Protecting Users' Legal Rights From 
Anti-Circumvention Law.</h4>
+<h5 id="section3">3. Protecting Users' Legal Rights From Anti-Circumvention 
Law.</h5>
 
 <p>No covered work shall be deemed part of an effective technological
 measure under any applicable law fulfilling obligations under article
@@ -204,7 +204,7 @@
 users, your or third parties' legal rights to forbid circumvention of
 technological measures.</p>
 
-<h4><a name="section4"></a>4. Conveying Verbatim Copies.</h4>
+<h5 id="section4">4. Conveying Verbatim Copies.</h5>
 
 <p>You may convey verbatim copies of the Program's source code as you
 receive it, in any medium, provided that you conspicuously and
@@ -217,7 +217,7 @@
 <p>You may charge any price or no price for each copy that you convey,
 and you may offer support or warranty protection for a fee.</p>
 
-<h4><a name="section5"></a>5. Conveying Modified Source Versions.</h4>
+<h5 id="section5">5. Conveying Modified Source Versions.</h5>
 
 <p>You may convey a work based on the Program, or the modifications to
 produce it from the Program, in the form of source code under the
@@ -256,7 +256,7 @@
 in an aggregate does not cause this License to apply to the other
 parts of the aggregate.</p>
 
-<h4><a name="section6"></a>6. Conveying Non-Source Forms.</h4>
+<h5 id="section6">6. Conveying Non-Source Forms.</h5>
 
 <p>You may convey a covered work in object code form under the terms
 of sections 4 and 5, provided that you also convey the
@@ -356,7 +356,7 @@
 source code form), and must require no special password or key for
 unpacking, reading or copying.</p>
 
-<h4><a name="section7"></a>7. Additional Terms.</h4>
+<h5 id="section7">7. Additional Terms.</h5>
 
 <p>&ldquo;Additional permissions&rdquo; are terms that supplement the terms of 
this
 License by making exceptions from one or more of its conditions.
@@ -422,7 +422,7 @@
 form of a separately written license, or stated as exceptions;
 the above requirements apply either way.</p>
 
-<h4><a name="section8"></a>8. Termination.</h4>
+<h5 id="section8">8. Termination.</h5>
 
 <p>You may not propagate or modify a covered work except as expressly
 provided under this License.  Any attempt otherwise to propagate or
@@ -450,7 +450,7 @@
 reinstated, you do not qualify to receive new licenses for the same
 material under section 10.</p>
 
-<h4><a name="section9"></a>9. Acceptance Not Required for Having Copies.</h4>
+<h5 id="section9">9. Acceptance Not Required for Having Copies.</h5>
 
 <p>You are not required to accept this License in order to receive or
 run a copy of the Program.  Ancillary propagation of a covered work
@@ -461,7 +461,7 @@
 not accept this License.  Therefore, by modifying or propagating a
 covered work, you indicate your acceptance of this License to do so.</p>
 
-<h4><a name="section10"></a>10. Automatic Licensing of Downstream 
Recipients.</h4>
+<h5 id="section10">10. Automatic Licensing of Downstream Recipients.</h5>
 
 <p>Each time you convey a covered work, the recipient automatically
 receives a license from the original licensors, to run, modify and
@@ -486,7 +486,7 @@
 any patent claim is infringed by making, using, selling, offering for
 sale, or importing the Program or any portion of it.</p>
 
-<h4><a name="section11"></a>11. Patents.</h4>
+<h5 id="section11">11. Patents.</h5>
 
 <p>A &ldquo;contributor&rdquo; is a copyright holder who authorizes use under 
this
 License of the Program or a work on which the Program is based.  The
@@ -555,7 +555,7 @@
 any implied license or other defenses to infringement that may
 otherwise be available to you under applicable patent law.</p>
 
-<h4><a name="section12"></a>12. No Surrender of Others' Freedom.</h4>
+<h5 id="section12">12. No Surrender of Others' Freedom.</h5>
 
 <p>If conditions are imposed on you (whether by court order, agreement or
 otherwise) that contradict the conditions of this License, they do not
@@ -567,7 +567,7 @@
 the Program, the only way you could satisfy both those terms and this
 License would be to refrain entirely from conveying the Program.</p>
 
-<h4><a name="section13"></a>13. Use with the GNU Affero General Public 
License.</h4>
+<h5 id="section13">13. Use with the GNU Affero General Public License.</h5>
 
 <p>Notwithstanding any other provision of this License, you have
 permission to link or combine any covered work with a work licensed
@@ -578,7 +578,7 @@
 section 13, concerning interaction through a network will apply to the
 combination as such.</p>
 
-<h4><a name="section14"></a>14. Revised Versions of this License.</h4>
+<h5 id="section14">14. Revised Versions of this License.</h5>
 
 <p>The Free Software Foundation may publish revised and/or new versions of
 the GNU General Public License from time to time.  Such new versions will
@@ -604,7 +604,7 @@
 author or copyright holder as a result of your choosing to follow a
 later version.</p>
 
-<h4><a name="section15"></a>15. Disclaimer of Warranty.</h4>
+<h5 id="section15">15. Disclaimer of Warranty.</h5>
 
 <p>THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
 APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
@@ -615,7 +615,7 @@
 IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
 ALL NECESSARY SERVICING, REPAIR OR CORRECTION.</p>
 
-<h4><a name="section16"></a>16. Limitation of Liability.</h4>
+<h5 id="section16">16. Limitation of Liability.</h5>
 
 <p>IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
 WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
@@ -627,7 +627,7 @@
 EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
 SUCH DAMAGES.</p>
 
-<h4><a name="section17"></a>17. Interpretation of Sections 15 and 16.</h4>
+<h5 id="section17">17. Interpretation of Sections 15 and 16.</h5>
 
 <p>If the disclaimer of warranty and limitation of liability provided
 above cannot be given local legal effect according to their terms,
@@ -638,7 +638,7 @@
 
 <p>END OF TERMS AND CONDITIONS</p>
 
-<h3><a name="howto"></a>How to Apply These Terms to Your New Programs</h3>
+<h4 id="howto">How to Apply These Terms to Your New Programs</h4>
 
 <p>If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it

++++++ v0.46.tar.gz -> v26.36.0602723.tar.gz ++++++
++++ 23044 lines of diff (skipped)

Reply via email to