Official Debian standpoint on Meltdown/Spectre

Postby Dobeedoo » 2018-02-07 19:16

Hi,
Is there any official information from Debian about ongoing (hopefully) work to mitigate the Meltdown/Spectre vulnerabilities? What would be sensible action (if any) to take while waiting for an official mitigation? I have of course updated my system to the latest, but according to the test script, it's still vulnerable and needs further actions.

What have you guys done (so far) to secure your systems?
Dobeedoo
 
Posts: 24
Joined: 2018-01-24 05:50

Re: Official Debian standpoint on Meltdown/Spectre

Postby Head_on_a_Stick » 2018-02-07 19:17

I suffer from depression and may lash out occasionally, try not to take it personally.
Head_on_a_Stick
 
Posts: 8180
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Official Debian standpoint on Meltdown/Spectre

Postby Head_on_a_Stick » 2018-02-07 19:20

Dobeedoo wrote:What would be sensible action (if any) to take while waiting for an official mitigation?

Disable javascript and make sure that all of your packages are up to date.
I suffer from depression and may lash out occasionally, try not to take it personally.
Head_on_a_Stick
 
Posts: 8180
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Official Debian standpoint on Meltdown/Spectre

Postby bw123 » 2018-02-07 19:22

Dobeedoo wrote:Hi,
<snip>
What have you guys done (so far) to secure your systems?


I moved all my ASCII nudes to an external drive.
bw123
 
Posts: 3532
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Official Debian standpoint on Meltdown/Spectre

Postby Dobeedoo » 2018-02-07 19:29

Head_on_a_Stick wrote:Please post the output of
Code:
grep -r . /sys/devices/system/cpu/vulnerabilities

I get the following after running the above command;
Code:
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
Dobeedoo
 
Posts: 24
Joined: 2018-01-24 05:50

Re: Official Debian standpoint on Meltdown/Spectre

Postby Head_on_a_Stick » 2018-02-07 19:32

^ Thanks!
Dobeedoo wrote:
Code:
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline

That's interesting, both Alpine Linux and Debian are using minimal generic ASM whereas Arch Linux is using full retpoline.

The only real way to protect yourself is to throw away all of your defective CPUs and switch to something open instead :D

:arrow: https://riscv.org/
I suffer from depression and may lash out occasionally, try not to take it personally.
Head_on_a_Stick
 
Posts: 8180
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Official Debian standpoint on Meltdown/Spectre

Postby stevepusser » 2018-02-07 19:32

Burned all electronic devices with loads of fire and moved into my bunker.

Maybe you have to be using the latest compilers to get full retpoline support.
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: Flightgear 2018.2.2, Pale Moon 28.2.0, wine-staging 3.20, GIMP 2.10.8, Cinnamon 3.8, Midori 6.0
stevepusser
 
Posts: 10136
Joined: 2009-10-06 05:53

Re: Official Debian standpoint on Meltdown/Spectre

Postby bw123 » 2018-02-07 19:35

oh man I think they got my girly pics!!

Code:
$ grep -r . /sys/devices/system/cpu/vulnerabilities
grep: /sys/devices/system/cpu/vulnerabilities: No such file or directory
b17@themini:/sys/devices/cpu$ uname -a
Linux themini 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux

bw123
 
Posts: 3532
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Official Debian standpoint on Meltdown/Spectre

Postby Dobeedoo » 2018-02-07 19:40

Head_on_a_Stick wrote:^ Thanks!
Dobeedoo wrote:
Code:
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline

That's interesting, both Alpine Linux and Debian are using minimal generic ASM whereas Arch Linux is using full retpoline.

The only real way to protect yourself is to throw away all of your defective CPUs and switch to something open instead :D

:arrow: https://riscv.org/


LOL! That may be a little harsh, just bought a new one... but wonder if they'd take it back as defective, hehe... :) If I read the CVEs you posted links to correctly, they say "attack range: local", I suppose that means it can't be exploited from outside my computer/network (assuming my firewall does a decent job)?
Dobeedoo
 
Posts: 24
Joined: 2018-01-24 05:50

Re: Official Debian standpoint on Meltdown/Spectre

Postby Dobeedoo » 2018-02-07 19:46

stevepusser wrote:Burned all electronic devices with loads of fire and moved into my bunker.

Maybe you have to be using the latest compilers to get full retpoline support.

Yes, I realize there is no "fix", or at least no easy one. If I got things right, everything needs to be recompiled with retpoline support. I chose Debian for its security thinking and being one of the more stable distributions I know of, so not really worried, but a bit security minded.
Dobeedoo
 
Posts: 24
Joined: 2018-01-24 05:50

Re: Official Debian standpoint on Meltdown/Spectre

Postby Head_on_a_Stick » 2018-02-07 19:53

Dobeedoo wrote:If I read the CVE's you posted links to correctly, they say "attack range: local", I suppose that means it can't be exploited from outside my computer/network

Yes, that's right, but Firefox and Chrom{e,ium} (and some video drivers, apparently) were able to be used as attack vectors (if javascript was enabled), but this did not apply to firefox-esr, which is nice.
I suffer from depression and may lash out occasionally, try not to take it personally.
Head_on_a_Stick
 
Posts: 8180
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Official Debian standpoint on Meltdown/Spectre

Postby Head_on_a_Stick » 2018-02-07 19:56

bw123 wrote:
Code:
$ grep -r . /sys/devices/system/cpu/vulnerabilities
grep: /sys/devices/system/cpu/vulnerabilities: No such file or directory

AMD machine?
I suffer from depression and may lash out occasionally, try not to take it personally.
Head_on_a_Stick
 
Posts: 8180
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Official Debian standpoint on Meltdown/Spectre

Postby bw123 » 2018-02-07 20:01

Head_on_a_Stick wrote:
bw123 wrote:
Code:
$ grep -r . /sys/devices/system/cpu/vulnerabilities
grep: /sys/devices/system/cpu/vulnerabilities: No such file or directory

AMD machine?


Both Intel and AMD lack a /sys/devices/system/cpu/vulnerabilities file or directory on 4.9.65-3+deb9u2, which is Debian stretch's latest stable kernel.

I don't know why you guys try and worry me so much, are you even using Debian? Is this FUD? Is it SPAM? Are you just clueless or what? I don't get it!!!!
bw123
 
Posts: 3532
Joined: 2011-05-09 06:02
Location: TN_USA
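The sysfs check Head_on_a_Stick asked for, and the "No such file or directory" case bw123 hit on 4.9.65-3+deb9u2, as an added example script that is not from this thread or from Debian. Newer kernels (mainline 4.15 and the stable backports that followed) write one file per issue under /sys/devices/system/cpu/vulnerabilities, each holding a single line that starts with "Not affected", "Mitigation:" or "Vulnerable". The script classifies each line by that prefix, exits 1 if anything is still vulnerable, and treats a missing directory as "this kernel does not report its status", which is not the same as "not affected". The sample directory is constructed from the output Dobeedoo posted; VULN_DIR, classify_status, scan_vulns and make_sample_dir are names chosen here.

```shell
#!/bin/sh
# Added example (not Debian's or the forum's code): summarise the kernel's
# own Meltdown/Spectre status files and fail closed when they are absent.

# Assumed path; newer kernels create this directory, older ones do not.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status LINE -> prints OK | MITIGATED | VULNERABLE | UNKNOWN
# based on the prefix the kernel uses in each sysfs file.
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# scan_vulns DIR -> prints "issue<TAB>class<TAB>raw line" for every file.
# Returns 0 when nothing is VULNERABLE, 1 when something is, and 2 when the
# directory is missing (the kernel predates the sysfs interface; unknown,
# not safe).
scan_vulns() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "$dir not found: this kernel does not report its status" >&2
        return 2
    fi
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        raw=$(cat "$f")
        class=$(classify_status "$raw")
        [ "$class" = VULNERABLE ] && found=1
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$class" "$raw"
    done
    return $found
}

# make_sample_dir DIR: constructed sample mirroring the three lines quoted
# earlier in this thread, so the script can be exercised on any machine.
make_sample_dir() {
    mkdir -p "$1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$1/spectre_v2"
    echo "Vulnerable" > "$1/spectre_v1"
    echo "Mitigation: PTI" > "$1/meltdown"
}

# Usage: ./vulnstatus.sh        (scan the running kernel)
#        ./vulnstatus.sh --demo (scan the constructed sample)
case "${1:-}" in
    --demo)
        tmp=$(mktemp -d)
        make_sample_dir "$tmp"
        scan_vulns "$tmp" || echo "exit status $?"
        rm -rf "$tmp" ;;
    *)
        scan_vulns "$VULN_DIR" || echo "exit status $?" ;;
esac
```

Exit status 2 is deliberately distinct from 1: a monitoring job that only checks for the word "Vulnerable" would report a pre-4.15 stretch kernel as clean simply because there is nothing to grep.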

Re: Official Debian standpoint on Meltdown/Spectre

Postby Lysander » 2018-02-08 10:24

Dobeedoo wrote:What have you guys done (so far) to secure your systems?


Nothing on my Debian setup, apart from lethargically invoking sudo apt update whenever I remember to.

My netbook [Slackware] runs an Atom N270 so is theoretically, and reportedly, immune. By reportedly, I mean that the output of spectre-meltdown-checker states such. Nevertheless, I still perform kernel updates when they are available.
Lysander
 
Posts: 558
Joined: 2017-02-23 10:07
Location: London

Re: Official Debian standpoint on Meltdown/Spectre

Postby Thorny » 2018-02-08 10:39

Lysander wrote:Nothing on my Debian setup, apart from lethargically invoking sudo apt update whenever I remember to.

I'm pedantic, but you probably already realise that. :-)

I'm fairly sure you mean you invoke apt update and then apt upgrade if called for.
Just so lurkers and the inexperienced are clear.

On distros that I don't boot every time I do the update/upgrade dance as soon as I boot up so they are up to date and I don't forget and risk security. I'm pretty sure you could even script that if you chose to.

Thanks for indulging me, or complain if you want to, I respect your intelligence.
Thorny
 
Posts: 542
Joined: 2011-02-27 13:40
