Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package spectre-meltdown-checker for
openSUSE:Factory checked in at 2026-07-09 22:21:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/spectre-meltdown-checker (Old)
and /work/SRC/openSUSE:Factory/.spectre-meltdown-checker.new.1991 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "spectre-meltdown-checker"
Thu Jul 9 22:21:53 2026 rev:14 rq:1364752 version:26.36.0602723
Changes:
--------
---
/work/SRC/openSUSE:Factory/spectre-meltdown-checker/spectre-meltdown-checker.changes
2024-02-16 21:43:01.743158062 +0100
+++
/work/SRC/openSUSE:Factory/.spectre-meltdown-checker.new.1991/spectre-meltdown-checker.changes
2026-07-09 22:22:58.353492224 +0200
@@ -1,0 +2,225 @@
+Thu Jul 9 14:49:48 UTC 2026 - Marcus Meissner <[email protected]>
+
+- updated to v26.36.0602723
+ Release highlights:
+
+ This release brings some features to ARM64 hosts. They get
+ dedicated silicon-errata checks, a proper CPU details block, and
+ architecture-aware filtering so x86 hosts no longer show ARM64 noise
+ and vice-versa.
+
+ On the x86 side, MMIO Stale Data detection is now much more honest
+ about end-of-life Intel CPUs that Intel never officially assessed,
+ these are now reported as UNK (or VULN under --paranoid) instead of
+ a misleading "not affected".
+
+ The tool now better detects guest environments and warns you that the
+ microcode version reported by your hypervisor may be fake or stale, so
+ the "up-to-date microcode" check can't be trusted from inside the guest.
+
+ More detailed changelog:
+
+ - Add ARM64 silicon errata (issue #357)
+
+ Three speculation/security-relevant ARM64 errata families are now
+ detected. As these are tracked by vendor erratum IDs rather than CVEs, a
+ new CVE-0001-NNNN placeholder range has been reserved for vendor errata,
+ along with a new --errata <number> selector (alongside --variant/--cve):
+
+ - Speculative AT TLB corruption (1165522 / 1319367 / 1319537 / 1530923)
+ - Speculative unprivileged load (2966298 / 3117295)
+ - MSR SSBS not self-synchronizing (3194386 and siblings)
+
+ CPU affectedness is determined per-core from the (implementer,
+ part, variant, revision) tuple in /proc/cpuinfo, matching the
+ kernel code. Kernel mitigation detection relies on the per-erratum
+ CONFIG_ARM64_ERRATUM_NNNN symbols, kernel image descriptor strings,
+ and dmesg (no sysfs exists for these).
+
+ Architecture-aware CVE filtering
+
+ - CVE_REGISTRY gains an optional fifth field tagging checks as x86-only or
arm-only; untagged entries apply everywhere.
+ - Default "all CVEs" runs now skip checks irrelevant to the inspected
+ architecture across text, JSON, NRPE and Prometheus outputs (no more
+ ARM64 errata on x86 hosts, or x86 CVEs on ARM hosts).
+ - Explicit --cve / --variant / --errata selection bypasses the check, so
manual queries still run anywhere.
+ - In --no-hw mode, the host CPU is ignored, supporting cross-arch offline
analysis driven by --kernel/--config/--map.
+
+ Fixes to existing CVEs
+
+ - MMIO Stale Data (CVE-2022-21123 / 21125 / 21166) (#437):
+ EOL Intel CPUs that Intel never officially assessed (Sandy/Ivy
+ Bridge, Haswell/Broadwell client, pre-Goldmont Atom, etc.) are now
+ reported as UNK (or VULN under --paranoid) instead of a misleading
+ "not affected". This corrects the picture on kernels where sysfs
+ wrongly says "Not affected" (pre-v6.0 and v6.16+) and aligns with the
+ kernel's X86_BUG_MMIO_UNKNOWN set. The BSD path was corrected too:
+ no BSD implements an MMIO mitigation, so affected CPUs now report VULN
+ (with an explain rationale) rather than "not yet implemented".
+
+ VM guest detection (issue #336)
+
+ - New is_running_as_guest() detects VM guests (KVM, VMware, ESXi, Hyper-V,
VirtualBox…) via the hypervisor CPUID flag in /proc/cpuinfo.
+ - New "Running as VM guest: YES/NO" line in the CPU details block (x86 and
ARM).
+ - A warning is now emitted after the microcode-is-latest check, advising you
to verify microcode on the hypervisor host, since a guest can be shown a fake
CPUID/microcode version.
+ - JSON output exposes this: system.guest_vm (bool), system.guest_vm_reason
(string), and cpu_microcode.unreliable_in_vm (bool).
+
+ Output display
+
+ - ARM CPUs now get a proper CPU details block in check_cpu(): vendor, model
name, implementer(s), part(s), architecture(s) and VM-guest status. Previously
the x86-only early return left ARM hosts with no check_cpu() output at all.
+
+ Tooling
+
+ - New scripts/update_mcedb.sh (on test and source branches), so that the
GitHub workflow can regenerate src/db/200_mcedb.sh daily.
+
+ Documentation
+
+ - Unsupported CVE list: added the Jump Conditional Code (JCC) Erratum
+ (issue #329), a microarchitectural correctness bug (Skylake to Cascade
+ Lake), not a speculative side channel, with no CVE, no sysfs/CPUID/MSR
+ indicator, hence out of scope.
+
+- Updated to v26.33.0420460
+
+ With this release and the 7 new supported CVEs, we're up to date
+ with all published CVEs since 2018 that are in the scope of this tool
+ (33 so far).
+
+ The batch output formats also got a substantial overhaul: JSON, NRPE
+ and prometheus output formats now better respect each format community
+ guidelines, as well as carrying way more information if you want or
+ need to have a clear overview of your server fleet.
+
+ Operating modes have been clarified. You'll be able to chose between
+ 4 modes, depending on whether you want to inspect the running kernel,
+ a kernel image, the CPU hardware, or a combination. See the "operating
+ modes" section of the README for more information.
+
+ A new --extra option has been added, which runs some additional
+ checks that are not CVE vulnerabilities per se, but may still be of
+ interest. SLS has been implemented and falls into this category.
+
+ Affected Intel CPU list up to date as of 2026-04.
+
+ Last but not least, a dozen fixes/enhancements/refinements of preexisting
CVE checks have been done, along with some more general robustness / corner
case fixes.
+ More detailed changelog
+
+ New CVE checks
+
+ - CVE-2025-54505 aka FPDSS (Floating-Point Divider Stale Data Leak)
+ - CVE-2023-28746 ana RFDS (Register File Data Sampling)
+ - CVE-2023-20588 aka AMD DIV0 (Division by Zero Speculative Data Leak)
+ - CVE-2022-21123 / 21125 / 21166 aka MMIO Stale Data
+
+ New extra checks
+
+ - SLS aka Straight-Line Speculation, supplementary
+
+ Fixes / enhancements to existing CVEs
+
+ - Spectre V2 (CVE-2017-5715): Red Hat RSB Filling detection (#235)
+ - Spectre 3a (CVE-2018-3640): improved ARM mitigation detection
+ - L1TF/Foreshadow (CVE-2018-3615): better lockdown detection, drop
cap_flush_cmd requirement (#296)
+ - TAA (CVE-2019-11135): new 0x10F MSR for TSX-disabled CPUs (#414)
+ - SRBDS (CVE-2020-0543): fix microcode mitigation misdetection (#492)
+ - Inception/SRSO (CVE-2023-20569): detect IPBP "PB-Inception" (#500)
+ - TSA (CVE-2024-36350/36357): no TSA CPUID lines on non-AMD
+ - MDS: fix CPUs affected by MSBDS but not MDS (#351)
+ - MDS (FreeBSD): software mitigation = OK unless --paranoid (#503)
+
+ Batch output
+
+ - --batch json reworked completely, structured format (meta, system, cpu,
vulnerabilities[]) + JSON Schema. Old format still available as --batch
json-terse
+ - --batch prometheus reworked completely, new smc_* metric names
+ - --batch nrpe added more textual information
+
+ CLI / run modes
+
+ - New --no-runtime and --no-hw replace implicit offline mode
+ - --live deprecated (now the default)
+ - New --extra flag (gates SLS and future supplementary checks)
+ - --no-intel-db removed (Intel DB always used when available)
+
+ Intel Database
+
+ - Affected CPU list refreshed to 2026-04
+ - Hybrid CPU detection (H=1/H=0)
+ - New mitigation codes: MS, HS, HM
+ - Intel codename mapping for JSON/Prometheus output
+
+ Output display & robustness
+
+ - Clearer CPU details and kernel info sections
+ - x86 / ARM checks now guarded to the correct architecture
+ - CPUID fallback to /proc/cpuinfo when CPUID unavailable (VMs)
+ - MSR read/write: clearer errors, proper lockdown reporting
+ - wrmsr now specifies the core number (#294)
+ - Microcode version never defaults to 0x0 when unknown
+ - exit_cleanup preserves the passed exit code
+ - --allow-msr-write early-abort crash fixed
+ - Better Busybox / unlzma compatibility (#432)
+ - BSD ucode fallback uses proper AMD MSR
+
+ Unsupported-CVE docs (new entries)
+
+ - Plundervolt (CVE-2019-11157), CacheOut (CVE-2020-0549),
+ Platypus (CVE-2020-8694/8695), CVE-2020-24511/24512, AMD Prefetch
+ (CVE-2021-26318), Native BHI (CVE-2024-2201) + TLBleed, Blindside.
+
+- Updated to v26.26.0404682
+ Another big round of updates as I'm catching up with the recent CVEs.
+ New CVE/vulnerabilities detection
+ - CVE-2022-29900 (Retbleed AMD - Arbitrary Speculative Code Execution with
Return Instructions)
+ - CVE-2022-29901 (Retbleed Intel / RSBA - RSB Alternate Behavior)
+ - CVE-2024-28956 (ITS - Indirect Target Selection)
+ - CVE-2025-40300 (VMScape)
+ - CVE-2024-45332 (BTI - Branch Target Injection)
+
+ Enhancements to existing CVE detections
+ - CVE-2023-23583 (Reptar): update known fixed microcode versions
+ - CVE-2024-45332 (BPI): add known fixed microcode versions
+
+ Bug fixes
+ - Fix sys_interface_check() not properly setting the caller's $msg
variable in the latest release (#533)
+
+ New documented unsupported CVEs
+
+ Already covered by an existing CVE check:
+ - CVE-2025-20623 - Shared Microarchitectural Predictor State (10th Gen
Intel), covered by CVE-2024-45332 (BPI)
+ - CVE-2025-24495 - Lion Cove BPU Initialization, covered by CVE-2024-28956
(ITS)
+
+ No kernel or microcode mitigations to check:
+ - CVE-2020-12965 - Transient Execution of Non-Canonical Accesses / SLAM
(AMD)
+ - CVE-2024-7881 - ARM Prefetcher Privilege Escalation
+
+ Not a transient/speculative execution vulnerability:
+ - CVE-2023-31315 - SinkClose (AMD SMM Lock Bypass)
+ - CVE-2024-56161 - EntrySign (AMD Microcode Signature Bypass)
+ - CVE-2025-29943 - StackWarp (AMD SEV-SNP)
+
+- Updated to v26.21.0401891
+
+ Okay, this one is a massive update. Or, is this an easter egg?
+
+ First and foremost, the least visible but probably the most important for
the continued maintainability of this project: the script has been split into a
structured source tree of smaller scripts snippets, that are then assembled to
produce the final self-contained spectre-meltdown-checker.sh.
+
+ With all this, also comes a new version numbering scheme: vXX.YY.ZZZZZZZ,
automatically updated by the CI. XX=year, YY=number_of_managed_CVEs,
ZZZZZZZ=based_on_datetime_of_release.
+
+ Now, here is a clearly non-exhaustive list of changes (refer to the commit
log for more):
+
+ - feat: added CVE-2024-36350/CVE-2024-36357 (Transient Scheduler Attack /
TSA) (fixes #509)
+ - feat: added CVE-2023-23583 (Reptar)
+ - enh: CVE-2023-20593 (Zenbleed): Mitigation detection added for BSD
+ - enh: improvement under BSD for a few CVEs, identifying unaffected CPUs
even if mitigation is not implemented in BSD
+ - enh: CVE-2017-5753 (Spectre Variant 1): massive update to the detection
logic, as this was the first CVE ever implemented in this script, and a lot
changed since then, both in the understanding of Spectre V1 and in the kernels.
+ - enh: CVE-2017-5715 (Spectre Variant 2): massive update here too,
including adding detection for BHI
+ - enh: enhanced VMM autodetection with more supported hypervisor binaries
+ - fix: cap_rdcl_no, cap_gds_no, cap_tsa_*_no were not marking the current
CPU as immune for their respective vulnerabilities
+ - fix: CVE-2018-3620: false VULN status on kernels reporting CPU as
unaffected when RDCL_NO couldn't be parsed
+ - fix: CVE-2023-20569: logic errors from kernel_sro type change, old
kernels incorrectly reporting mitigated via sysfs are now detected
+ - fix: --sysfs-only path fixed for a handful of CVEs, started to document
complete sysfs strings history from the kernel source code for reference
+ - fix: read_msr: fixed handling of values > INT32_MAX (fixes #507)
+ - fix: several tool uses replaced (sort -V, sed -r, cut -w, stat -c, date
-d @) to ensure compatibility with BSD (fixes #525)
+ - doc: a (hopefully) nicer README, I'll have to update the screenshots
though
+
+-------------------------------------------------------------------
Old:
----
v0.46.tar.gz
New:
----
v26.36.0602723.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ spectre-meltdown-checker.spec ++++++
--- /var/tmp/diff_new_pack.VH8sFx/_old 2026-07-09 22:22:58.949512917 +0200
+++ /var/tmp/diff_new_pack.VH8sFx/_new 2026-07-09 22:22:58.953513057 +0200
@@ -1,7 +1,7 @@
#
# spec file for package spectre-meltdown-checker
#
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: spectre-meltdown-checker
-Version: 0.46
+Version: 26.36.0602723
Release: 0
Summary: Spectre & Meltdown Vulnerability Checker
License: GPL-3.0-only
++++++ gpl-3.0-standalone.html ++++++
--- /var/tmp/diff_new_pack.VH8sFx/_old 2026-07-09 22:22:58.985514168 +0200
+++ /var/tmp/diff_new_pack.VH8sFx/_new 2026-07-09 22:22:58.989514306 +0200
@@ -17,7 +17,7 @@
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.</p>
-<h3><a name="preamble"></a>Preamble</h3>
+<h4 id="preamble">Preamble</h4>
<p>The GNU General Public License is a free, copyleft license for
software and other kinds of works.</p>
@@ -80,9 +80,9 @@
<p>The precise terms and conditions for copying, distribution and
modification follow.</p>
-<h3><a name="terms"></a>TERMS AND CONDITIONS</h3>
+<h4 id="terms">TERMS AND CONDITIONS</h4>
-<h4><a name="section0"></a>0. Definitions.</h4>
+<h5 id="section0">0. Definitions.</h5>
<p>“This License” refers to version 3 of the GNU General Public
License.</p>
@@ -121,7 +121,7 @@
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.</p>
-<h4><a name="section1"></a>1. Source Code.</h4>
+<h5 id="section1">1. Source Code.</h5>
<p>The “source code” for a work means the preferred form of the
work
for making modifications to it. “Object code” means any non-source
@@ -163,7 +163,7 @@
<p>The Corresponding Source for a work in source code form is that
same work.</p>
-<h4><a name="section2"></a>2. Basic Permissions.</h4>
+<h5 id="section2">2. Basic Permissions.</h5>
<p>All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
@@ -188,7 +188,7 @@
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.</p>
-<h4><a name="section3"></a>3. Protecting Users' Legal Rights From
Anti-Circumvention Law.</h4>
+<h5 id="section3">3. Protecting Users' Legal Rights From Anti-Circumvention
Law.</h5>
<p>No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
@@ -204,7 +204,7 @@
users, your or third parties' legal rights to forbid circumvention of
technological measures.</p>
-<h4><a name="section4"></a>4. Conveying Verbatim Copies.</h4>
+<h5 id="section4">4. Conveying Verbatim Copies.</h5>
<p>You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
@@ -217,7 +217,7 @@
<p>You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.</p>
-<h4><a name="section5"></a>5. Conveying Modified Source Versions.</h4>
+<h5 id="section5">5. Conveying Modified Source Versions.</h5>
<p>You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
@@ -256,7 +256,7 @@
in an aggregate does not cause this License to apply to the other
parts of the aggregate.</p>
-<h4><a name="section6"></a>6. Conveying Non-Source Forms.</h4>
+<h5 id="section6">6. Conveying Non-Source Forms.</h5>
<p>You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
@@ -356,7 +356,7 @@
source code form), and must require no special password or key for
unpacking, reading or copying.</p>
-<h4><a name="section7"></a>7. Additional Terms.</h4>
+<h5 id="section7">7. Additional Terms.</h5>
<p>“Additional permissions” are terms that supplement the terms of
this
License by making exceptions from one or more of its conditions.
@@ -422,7 +422,7 @@
form of a separately written license, or stated as exceptions;
the above requirements apply either way.</p>
-<h4><a name="section8"></a>8. Termination.</h4>
+<h5 id="section8">8. Termination.</h5>
<p>You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
@@ -450,7 +450,7 @@
reinstated, you do not qualify to receive new licenses for the same
material under section 10.</p>
-<h4><a name="section9"></a>9. Acceptance Not Required for Having Copies.</h4>
+<h5 id="section9">9. Acceptance Not Required for Having Copies.</h5>
<p>You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
@@ -461,7 +461,7 @@
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.</p>
-<h4><a name="section10"></a>10. Automatic Licensing of Downstream
Recipients.</h4>
+<h5 id="section10">10. Automatic Licensing of Downstream Recipients.</h5>
<p>Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
@@ -486,7 +486,7 @@
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.</p>
-<h4><a name="section11"></a>11. Patents.</h4>
+<h5 id="section11">11. Patents.</h5>
<p>A “contributor” is a copyright holder who authorizes use under
this
License of the Program or a work on which the Program is based. The
@@ -555,7 +555,7 @@
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.</p>
-<h4><a name="section12"></a>12. No Surrender of Others' Freedom.</h4>
+<h5 id="section12">12. No Surrender of Others' Freedom.</h5>
<p>If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
@@ -567,7 +567,7 @@
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.</p>
-<h4><a name="section13"></a>13. Use with the GNU Affero General Public
License.</h4>
+<h5 id="section13">13. Use with the GNU Affero General Public License.</h5>
<p>Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
@@ -578,7 +578,7 @@
section 13, concerning interaction through a network will apply to the
combination as such.</p>
-<h4><a name="section14"></a>14. Revised Versions of this License.</h4>
+<h5 id="section14">14. Revised Versions of this License.</h5>
<p>The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
@@ -604,7 +604,7 @@
author or copyright holder as a result of your choosing to follow a
later version.</p>
-<h4><a name="section15"></a>15. Disclaimer of Warranty.</h4>
+<h5 id="section15">15. Disclaimer of Warranty.</h5>
<p>THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
@@ -615,7 +615,7 @@
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.</p>
-<h4><a name="section16"></a>16. Limitation of Liability.</h4>
+<h5 id="section16">16. Limitation of Liability.</h5>
<p>IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
@@ -627,7 +627,7 @@
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.</p>
-<h4><a name="section17"></a>17. Interpretation of Sections 15 and 16.</h4>
+<h5 id="section17">17. Interpretation of Sections 15 and 16.</h5>
<p>If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
@@ -638,7 +638,7 @@
<p>END OF TERMS AND CONDITIONS</p>
-<h3><a name="howto"></a>How to Apply These Terms to Your New Programs</h3>
+<h4 id="howto">How to Apply These Terms to Your New Programs</h4>
<p>If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
++++++ v0.46.tar.gz -> v26.36.0602723.tar.gz ++++++
++++ 23044 lines of diff (skipped)