Re: rhash_1.4.1-1 is ready for upload

2021-01-09 Thread Aleksey Kravchenko
Hi Samuel,

>> Could you, please, give me DM upload rights for rhash?
> Done! Thanks for your work!

Thank you very much for this and for DM advocacy! :)

  Best wishes,
  Aleksey





Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?

2021-01-09 Thread James Wallen

On 1/9/21 9:48 AM, Christoph Pflügler wrote:
> On 08.01.21 23:40, Michael Stone wrote:
>> On Fri, Jan 08, 2021 at 10:48:30PM +0100, Christoph Pflügler wrote:
>>> On 08.01.21 22:34, Michael Stone wrote:
>>>> On Fri, Jan 08, 2021 at 09:12:53PM +0100, Christoph Pflügler wrote:
>>>>> Installing package intel-microcode in Debian 10 (Buster) mitigates
>>>>> most vulnerabilities as per spectre-meltdown-checker. However,
>>>>> CVE-2018-3640 and CVE-2018-3615 are still displayed as unmitigated
>>>>> after reboot, with spectre-meltdown-checker --explain (executed as
>>>>> su) pointing to missing microcode upgrades.
>>>>>
>>>>> According to the Debian package description of intel-microcode, the
>>>>> two vulnerabilities are fixed in the current version of the package.
>>>>>
>>>>> This occurs in exactly the same way on two different machines, one
>>>>> with an i5-3320M CPU and another one with an E3-1235L v5.
>>>>>
>>>>> If I remember correctly, I was all green as per
>>>>> spectre-meltdown-checker in Debian 9 (Stretch).
>>>>
>>>> What version of intel-microcode do you have installed?
>>>
>>> intel-microcode:amd64/buster 3.20200616.1~deb10u1 uptodate, installed
>>> from Debian non-free repository
>>
>> With an E3 v5, linux 4.19.0-13, and intel-microcode 3.20200616.1 the
>> checker reports green for those checks on my test system. Do you have
>> the latest spectre-meltdown-checker, and are you running it as root?
>> If I run the current version as an unprivileged user those checks come
>> up red (presumably because it can't read the cpu registers it is
>> trying to read).
>
> spectre-meltdown-checker:all/buster 0.42-1 uptodate, installed from
> Debian repository.
>
> Yes, I executed it as root (su ->  -> spectre-meltdown-checker).
> I get exactly the same results running it as an unprivileged user. This
> is what spectre-meltdown-checker, run as root, shows for the two CVEs:
>
> CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
> * CPU microcode mitigates the vulnerability:  N/A
>  > STATUS:  VULNERABLE  (your CPU supports SGX and the microcode is not
> up to date)
>
> CVE-2018-3640 aka 'Variant 3a, rogue system register read'
> * CPU microcode mitigates the vulnerability:  NO
>  > STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to
> mitigate this vulnerability)
>
> Linux version is also 4.19.0-13-amd64.
>
> Both my instances are (almost) fresh installations (GNOME) based on
> recently released debian-10.7.0-amd64-netinst.iso.

I can confirm spectre-meltdown-checker reporting CVE-2018-3640 is not
being mitigated by intel-microcode on a NUC6CAYS system, fully updated
Bullseye/Sid. This is a Celeron system.

However, the same intel-microcode version on same OS does mitigate this
vulnerability on NUC5i7RYH and NUC8i3BEH systems.




Re: Request to review and upload librtr 0.6.3-2

2021-01-09 Thread Peter Wienemann

Dear Francisco,

On 08.01.21 17:56, Francisco Vilmar Cardoso Ruviaro wrote:
> On 1/8/21 9:23 AM, Raphael Hertzog wrote:
>> He also pointed towards a possible upstream fix. Do you want to look into
>> backporting this?
>
> I tried to get the latest version (0.7.0+git20201012.93724e4), applied
> the patch
> https://github.com/rtrlib/rtrlib/pull/260/commits/f81b70bf03a52b2e25f7154062c538dc050b3571
> yet the bug continues.
> Unfortunately I was not successful.

along with the mentioned patch you also have to add "pkg-config" to the
build deps. Have you considered this for your test?

Best regards,

Peter



Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?

2021-01-09 Thread Christoph Pflügler



On 08.01.21 23:40, Michael Stone wrote:
> On Fri, Jan 08, 2021 at 10:48:30PM +0100, Christoph Pflügler wrote:
>> On 08.01.21 22:34, Michael Stone wrote:
>>> On Fri, Jan 08, 2021 at 09:12:53PM +0100, Christoph Pflügler wrote:
>>>> Installing package intel-microcode in Debian 10 (Buster) mitigates
>>>> most vulnerabilities as per spectre-meltdown-checker. However,
>>>> CVE-2018-3640 and CVE-2018-3615 are still displayed as unmitigated
>>>> after reboot, with spectre-meltdown-checker --explain (executed as
>>>> su) pointing to missing microcode upgrades.
>>>>
>>>> According to the Debian package description of intel-microcode, the
>>>> two vulnerabilities are fixed in the current version of the package.
>>>>
>>>> This occurs in exactly the same way on two different machines, one
>>>> with an i5-3320M CPU and another one with an E3-1235L v5.
>>>>
>>>> If I remember correctly, I was all green as per
>>>> spectre-meltdown-checker in Debian 9 (Stretch).
>>>
>>> What version of intel-microcode do you have installed?
>>
>> intel-microcode:amd64/buster 3.20200616.1~deb10u1 uptodate, installed
>> from Debian non-free repository
>
> With an E3 v5, linux 4.19.0-13, and intel-microcode 3.20200616.1 the
> checker reports green for those checks on my test system. Do you have
> the latest spectre-meltdown-checker, and are you running it as root?
> If I run the current version as an unprivileged user those checks come
> up red (presumably because it can't read the cpu registers it is
> trying to read).

spectre-meltdown-checker:all/buster 0.42-1 uptodate, installed from
Debian repository.

Yes, I executed it as root (su ->  -> spectre-meltdown-checker).
I get exactly the same results running it as an unprivileged user. This
is what spectre-meltdown-checker, run as root, shows for the two CVEs:

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  N/A
> STATUS:  VULNERABLE  (your CPU supports SGX and the microcode is not
up to date)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  NO
> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to
mitigate this vulnerability)

Linux version is also 4.19.0-13-amd64.

Both my instances are (almost) fresh installations (GNOME) based on 
recently released debian-10.7.0-amd64-netinst.iso.
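

A small triage helper for the situation discussed in this thread, as an added example that is not part of any poster's message: it lists the CVEs that a saved spectre-meltdown-checker text report still marks VULNERABLE and prints the microcode revision the kernel reports in /proc/cpuinfo, which is the value to compare before and after installing intel-microcode. The function names, the placeholder CVE entry and the sample cpuinfo revision are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Input is assumed to be the checker's
# plain-text report saved to a file (run as root, colours disabled).

# Print each CVE whose STATUS line reads VULNERABLE (not NOT VULNERABLE).
vulnerable_cves() {
    awk '
        /^CVE-[0-9]+-[0-9]+/ { cve = $1; next }
        /STATUS:/ && cve != "" {
            if ($0 ~ /VULNERABLE/ && $0 !~ /NOT VULNERABLE/) print cve
            cve = ""
        }' "$1"
}

# Print the distinct microcode revisions the kernel reports, one per line.
# Defaults to /proc/cpuinfo; more than one line means the cores disagree.
loaded_microcode() {
    awk -F '[ \t]*:[ \t]*' '$1 == "microcode" { print $2 }' \
        "${1:-/proc/cpuinfo}" | sort -u
}

# Constructed sample data: the two entries quoted in the thread plus a
# placeholder entry, and a two-core cpuinfo excerpt with a made-up revision.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/checker.txt" <<'EOF'
CVE-0000-0000 aka 'constructed placeholder entry'
* CPU microcode mitigates the vulnerability:  YES
> STATUS:  NOT VULNERABLE  (constructed)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  N/A
> STATUS:  VULNERABLE  (your CPU supports SGX and the microcode is not up to date)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  NO
> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)
EOF
printf 'processor\t: 0\nmodel name\t: Constructed CPU\nmicrocode\t: 0x1\n\n' \
    > "$SAMPLE_DIR/cpuinfo"
printf 'processor\t: 1\nmodel name\t: Constructed CPU\nmicrocode\t: 0x1\n' \
    >> "$SAMPLE_DIR/cpuinfo"

echo "Loaded microcode revision(s): $(loaded_microcode "$SAMPLE_DIR/cpuinfo" | tr '\n' ' ')"
echo "Still reported vulnerable:"
vulnerable_cves "$SAMPLE_DIR/checker.txt" | sed 's/^/  /'
```

On a real system, call `loaded_microcode` with no argument to read /proc/cpuinfo and pass `vulnerable_cves` the saved report from the root run.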