Meltdown and Spectre patches

If it doesn't relate to Debian, but you still want to share it, please do it here

Re: Meltdown and Spectre patches

Postby Head_on_a_Stick » 2018-01-08 06:04

The kernel for wheezy has been fixed (for Meltdown) but jessie is still wanting, which is a bit strange.

https://security-tracker.debian.org/tra ... -2017-5754
"To be free is nothing, to become free is everything." — Hegel
Head_on_a_Stick
 
Posts: 7005
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Meltdown and Spectre patches

Postby rinatik » 2018-01-08 06:17

n_hologram wrote:@rinatik: If you look at the kernel source, PAGE_TABLE_ISOLATION requires x86_64 bit, and is auto-disabled if one is not building a 64-bit kernel (aka, if your kernel is 32-bit). Based on this, to be completely honest, I have no idea if this means that a 32-bit kernel (686) is mitigated against Meltdown or not. I shared in a previous post that i686 users can grep "cpu_insecure" from /proc/cpuinfo, but dmesg doesn't report anything, and obviously x86_64 is a dependency; I'm not even sure what criteria to Google at this point. Perhaps someone more knowledgeable can shed insight.

Yes, I came to the same conclusion.
And I'm under the impression how deeply ignorant some replies were.
rinatik
 
Posts: 7
Joined: 2018-01-06 16:43

Re: Meltdown and Spectre patches

Postby debiman » 2018-01-08 06:45

n_hologram wrote:@rinatik: If you look at the kernel source, PAGE_TABLE_ISOLATION requires x86_64 bit, and is auto-disabled if one is not building a 64-bit kernel (aka, if your kernel is 32-bit). Based on this, to be completely honest, I have no idea if this means that a 32-bit kernel (686) is mitigated against Meltdown or not. I shared in a previous post that i686 users can grep "cpu_insecure" from /proc/cpuinfo, but dmesg doesn't report anything, and obviously x86_64 is a dependency; I'm not even sure what criteria to Google at this point. Perhaps someone more knowledgeable can shed insight.

n_hologram, thanks for this info.

I'm trying to find some statement about whether 32-bit (i686 in my case) actually needs the patch.

The vanilla i686 kernel for jessie is NOT yet patched, but marked vulnerable on some Debian bugtracker.
debiman
 
Posts: 1773
Joined: 2013-03-12 07:18

Re: Meltdown and Spectre patches

Postby Lysander » 2018-01-08 10:02

bw123 wrote:
I read another blurb somewhere or other that some of the Atom processors might be exempt from one issue or the other. I have one of those on my netbook that I use online, so if anybody runs across any actual info that hasn't signed any non-disclosures or retained an attorney, or sells clicks as news, let me know...


I've been reading around and yes, Itanium and Atom CPUs manufactured before 2013 are exempt from Meltdown.

Source:
https://meltdownattack.com/
https://techtalk.gfi.com/is-your-proces ... -meltdown/
https://www.theguardian.com/technology/ ... -explainer
Lysander
 
Posts: 406
Joined: 2017-02-23 10:07
Location: London

Re: Meltdown and Spectre patches

Postby n_hologram » 2018-01-08 12:24

debiman wrote:n_hologram, thanks for this info.
I'm trying to find some statement about whether 32-bit (i686 in my case) actually needs the patch.
The vanilla i686 kernel for jessie is NOT yet patched, but marked vulnerable on some Debian bugtracker.

No problem. It is my understanding that 32-bit is exploitable, but it's still unclear if there is a sensible way to mitigate it. I would be willing to compile a kernel myself if I knew what preventative features (if any) are necessary.
In similar news, I found this proof of concept, for anyone who wants to check their kernel against it: https://github.com/mniip/spectre-meltdown-poc
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
n_hologram
 
Posts: 281
Joined: 2013-06-16 00:10

Re: Meltdown and Spectre patches

Postby bester69 » 2018-01-08 17:33

So, as I think I understand it, there are three kinds of possible solutions:
- Browser isolation solutions
- Kernel isolation tablespace
- microcode firmware

I think any of them is in some way a valid solution. I will go for new microcode or for the new browsers... I don't want to use a slowed kernel and downgrade my whole system performance.
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
bester69
 
Posts: 1034
Joined: 2015-04-02 13:15

Re: Meltdown and Spectre patches

Postby anticapitalista » 2018-01-08 17:37

The 3 solutions are ALL required to be 'more secure'. It's not a question of which one do you want to use.
antiX "Killah P" - lean and mean.
http://antix.mepis.org
anticapitalista
 
Posts: 310
Joined: 2007-12-14 23:16

Re: Meltdown and Spectre patches

Postby bw123 » 2018-01-08 22:08

n_hologram wrote:If any of this information is in error or outdated, please let me know.

The security tracker claims that there is a patched stretch kernel (4.9.65-3+deb9u2) to avoid meltdown, but as of this post, the packages page (along with apt-cache policy) suggests that the current version is at 4.9.65-3+deb9u1, with jessie-backport version at 4.9.65-3+deb9u1~bpo8+1 (the same thing). At the time of this posting, it appears that there is no patch for Spectre.

In the meantime, what is the best course of action for users, just short of burning all of our technology and burying our money in the ground?

Unrelated: is there any information on how effective grsecurity might be for preventing this exploit?

Meltdown:
-fixed version: 4.9.65-3+deb9u2 (stretch)
https://security-tracker.debian.org/tra ... -2017-5754

Spectre:
-fixed version: none
https://security-tracker.debian.org/tra ... -2017-5753


The original topic was a good one I think, maybe the thread got off-topic but I don't see why it is posted in off-topic?

The question asked that still gets me is, "In the meantime, what is the best course of action for users, just short of burning all of our technology and burying our money in the ground?"

My answer would be, continue being careful what code/apps you install on your computer. Be aware that using or posting private information on a network has risks. My opinion is that no network is truly secure, but that's just an opinion. Passwords, credit card numbers, account information, medical history, other types of proprietary information can be "hacked" on a network, it happens to some real big players in IT. The best security money can buy seems to get penetrated somehow.

I don't think anybody should be scared, but just be aware. And thanks for the info on the topic so far, I have learned a lot.
bw123
 
Posts: 2625
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Meltdown and Spectre patches

Postby PeterB » 2018-01-09 15:13

Schneier has posted an article on his blog.
https://www.schneier.com/

He says
For the average user, this is just another attack method amongst many. All the major vendors are working on patches and workarounds for the attacks they can mitigate. All the normal security advice still applies: watch for phishing attacks, don't click on strange e-mail attachments, don't visit sketchy websites that might run malware on your browser, patch your systems regularly, and generally be careful on the Internet.


Linux is of course generally much safer than Windows.
PeterB
 
Posts: 109
Joined: 2010-10-03 16:53

Re: Meltdown and Spectre patches

Postby n_hologram » 2018-01-09 20:12

@bw123: I may have been unclear about what I said earlier: my comment was not directed at you, but rather at certain users (one in particular) who routinely intrude and derail -- often times successfully -- genuine security threads with meaningless trolling, often disguised in the form of commentary about how any security is too much security (or something of the ilk). Like, it's not wrong, nor is it completely off topic; however, unsurprisingly, it typically encourages more discussion about judgments, rather than research (and the research used in response is, also unsurprisingly, usually available through the first few hits of a superficial Google search); by contrast, threads like this are meant to encourage relevant, fact-based findings. Again, though, all of this was meant for (an)other user(s).

Unrelated, I updated my original post with some details.
n_hologram
 
Posts: 281
Joined: 2013-06-16 00:10

Re: Meltdown and Spectre patches

Postby stevepusser » 2018-01-10 02:45

https://github.com/speed47/spectre-meltdown-checker

A script to check your vulnerabilities. There's a long way to go with Spectre.

Don't run random scripts without vetting them, though.
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: Krita 3.3.2.1, Pale Moon 27.7.0, Audacity 2.2.0, mpv 0.27.0, Corebird 1.7.3, Firefox 57.0.4, QMPlay2 17.12.31
stevepusser
 
Posts: 9062
Joined: 2009-10-06 05:53

Re: Meltdown and Spectre patches

Postby yeti » 2018-01-10 03:04

stevepusser wrote:Don't run random scripts without vetting them, though.
I'm expecting a new wave of "We make your PC great again! Click here to download our cure!" ads now mentioning Spectre and Meltdown.

Hmmmm... they might already be there... I should disable my naïve adblocking... ;-)
"They may have computers, and other weapons of mass destruction." — Janet Reno
"Logic, my dear Zoe, merely enables one to be wrong with authority." — The 2nd Doctor
"Don't we all wait for SOMETHING-ELSE-1.0?" — yeti
yeti
 
Posts: 41
Joined: 2009-03-30 14:22
Location: Wrong Planet.

Re: Meltdown and Spectre patches

Postby debiman » 2018-01-10 07:27

n_hologram wrote:No problem. It is my understanding that 32-bit is exploitable, but it's still unclear if there is a sensible way to mitigate it.

Thanks again.
The chosen answer does not suggest that there is any difference between 32- and 64-bit architectures wrt meltdown.

Anyhow, I did another update on my Debian jessie 32-bit system, and now have this:
Code:
uname -rv
3.16.0-5-686-pae #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08)

Compared to: https://security-tracker.debian.org/tra ... -2017-5754
it would seem that my 32-bit machine now has a kernel patched against meltdown.
debiman
 
Posts: 1773
Joined: 2013-03-12 07:18
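An added check script (not code from the thread, nor from the checker tool linked in it) that automates what debiman and n_hologram do by hand above: pull the Debian kernel package version out of `uname -rv`, compare it with the fixed version quoted from the security tracker, and look for the "cpu_insecure" flag in /proc/cpuinfo. It assumes dpkg (or GNU sort -V as a fallback) is installed; the cpuinfo sample lines are constructed, not captured.

```shell
#!/bin/sh
# Added example for this thread, not the project's own code.
# Compares the running Debian kernel version against a fixed version and
# checks the kernel's own Meltdown reporting (assumes dpkg or GNU sort).

# "#1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08)" -> "3.16.51-3+deb8u1"
debian_kernel_version() {
    printf '%s\n' "$1" | sed -n 's/.*Debian \([^ ]*\).*/\1/p'
}

# Succeeds when installed version $1 is at least fixed version $2, using
# dpkg's version ordering (so 4.9.65-3+deb9u1 is older than 4.9.65-3+deb9u2).
version_at_least() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# Succeeds when the given /proc/cpuinfo text carries the cpu_insecure flag
# that early Meltdown-aware kernels set in the "bugs" line for affected CPUs.
cpu_reports_insecure() {
    printf '%s\n' "$1" | grep -m1 '^bugs' | grep -qw cpu_insecure
}

# Constructed sample cpuinfo lines (not captured from a real machine).
SAMPLE_INSECURE='model name : Example CPU
bugs       : cpu_insecure'
SAMPLE_CLEAN='model name : Example CPU
bugs       :'

# Live check: $1 is the fixed version for your suite as listed on the tracker
# (the thread quotes 4.9.65-3+deb9u2 for stretch, 3.16.51-3+deb8u1 for jessie).
main() {
    fixed=$1
    running=$(debian_kernel_version "$(uname -v)")
    [ -n "$running" ] || { echo "not a Debian-packaged kernel"; return 2; }
    if version_at_least "$running" "$fixed"; then
        echo "kernel $running >= fixed $fixed: Meltdown patch present"
    else
        echo "kernel $running < fixed $fixed: still vulnerable to Meltdown"
    fi
    cpu_reports_insecure "$(cat /proc/cpuinfo)" && echo "cpu flags: cpu_insecure"
    # Newer kernels also report per-issue status here (file absent on older ones).
    f=/sys/devices/system/cpu/vulnerabilities/meltdown
    [ -r "$f" ] && echo "sysfs meltdown: $(cat "$f")"
}
if [ "${1:-}" = "--live" ]; then main "$2"; fi
```

Run it as `sh check.sh --live 3.16.51-3+deb8u1` (or the stretch value) to test the machine you are sitting at.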

Re: Meltdown and Spectre patches

Postby n_hologram » 2018-01-10 12:51

Thanks for the info; good to know jessie/686 isn't left astray ^_^
Were you able to check it against the spectre-meltdown-checker that steve shared?
n_hologram
 
Posts: 281
Joined: 2013-06-16 00:10

Re: Meltdown and Spectre patches

Postby bester69 » 2018-01-10 13:20

For Opera browsers, some mitigations:
https://blogs.opera.com/security/2018/0 ... abilities/
bester69
 
Posts: 1034
Joined: 2015-04-02 13:15
