Meltdown and Spectre patches
- Head_on_a_Stick
Re: Meltdown and Spectre patches
The kernel for wheezy has been fixed (for Meltdown) but jessie is still wanting, which is a bit strange.
https://security-tracker.debian.org/tra ... -2017-5754
deadbang
Re: Meltdown and Spectre patches
n_hologram wrote:
@rinatik: If you look at the kernel source, PAGE_TABLE_ISOLATION requires x86_64, and is auto-disabled if one is not building a 64-bit kernel (aka, if your kernel is 32-bit). Based on this, to be completely honest, I have no idea if this means that a 32-bit kernel (686) is mitigated against Meltdown or not. I shared in a previous post that i686 users can grep "cpu_insecure" from /proc/cpuinfo, but dmesg doesn't report anything, and obviously x86_64 is a dependency; I'm not even sure what criteria to Google at this point. Perhaps someone more knowledgeable can shed insight.
Yes, I came to the same conclusion.
And I'm under the impression of how deeply ignorant some replies were.
Re: Meltdown and Spectre patches
n_hologram wrote:
@rinatik: If you look at the kernel source, PAGE_TABLE_ISOLATION requires x86_64, and is auto-disabled if one is not building a 64-bit kernel (aka, if your kernel is 32-bit). Based on this, to be completely honest, I have no idea if this means that a 32-bit kernel (686) is mitigated against Meltdown or not. I shared in a previous post that i686 users can grep "cpu_insecure" from /proc/cpuinfo, but dmesg doesn't report anything, and obviously x86_64 is a dependency; I'm not even sure what criteria to Google at this point. Perhaps someone more knowledgeable can shed insight.
n_hologram, thanks for this info.
I'm trying to find some statement about whether 32-bit (i686 in my case) actually needs the patch?
The vanilla i686 kernel for jessie is NOT yet patched, but marked vulnerable on some Debian bug tracker.
Re: Meltdown and Spectre patches
bw123 wrote:
I read another blurb somewhere or other that some of the Atom processors might be exempt from one issue or the other. I have one of those on my netbook that I use online, so if anybody runs across any actual info that hasn't signed any non-disclosures or retained an attorney, or sells clicks as news, let me know...
I've been reading around and yes, Itanium and Atom CPUs manufactured before 2013 are exempt from Meltdown.
Source:
https://meltdownattack.com/
https://techtalk.gfi.com/is-your-proces ... -meltdown/
https://www.theguardian.com/technology/ ... -explainer
Re: Meltdown and Spectre patches
debiman wrote:
n_hologram, thanks for this info.
I'm trying to find some statement about whether 32-bit (i686 in my case) actually needs the patch?
The vanilla i686 kernel for jessie is NOT yet patched, but marked vulnerable on some Debian bug tracker.
No problem. It is my understanding that 32-bit is exploitable, but it's still unclear if there is a sensible way to mitigate it. I would be willing to compile a kernel myself if I knew what preventative features (if any) are necessary.
In similar news, I found this proof of concept, for anyone who wants to check their kernel against it: https://github.com/mniip/spectre-meltdown-poc
the crunkbong project: scripts, operating system, the list goes on...bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
Re: Meltdown and Spectre patches
So, as I think I understand it, there are three kinds of possible solutions:
- Browser isolation solutions
- Kernel isolation tablespace
- microcode firmware
I think any of them is in some way a valid solution. I will go for new microcode or for the new browsers... I don't want to use a slowed kernel and downgrade my whole system performance.
bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...
Re: Meltdown and Spectre patches
The 3 solutions are ALL required to be 'more secure'. It's not a question of which one do you want to use.
antiX with runit - lean and mean.
https://antixlinux.com
Re: Meltdown and Spectre patches
n_hologram wrote:
If any of this information is in error or outdated, please let me know.
The security tracker claims that there is a patched stretch kernel (4.9.65-3+deb9u2) to avoid Meltdown, but as of this post, the packages page (along with apt-cache policy) suggests that the current version is at 4.9.65-3+deb9u1, with the jessie-backports version at 4.9.65-3+deb9u1~bpo8+1 (the same thing). At the time of this posting, it appears that there is no patch for Spectre.
In the meantime, what is the best course of action for users, just short of burning all of our technology and burying our money in the ground?
Unrelated: is there any information on how effective grsecurity might be for preventing this exploit?
Meltdown:
- fixed version: 4.9.65-3+deb9u2 (stretch)
https://security-tracker.debian.org/tra ... -2017-5754
Spectre:
- fixed version: none
https://security-tracker.debian.org/tra ... -2017-5753
The original topic was a good one, I think; maybe the thread got off-topic, but I don't see why it is posted in Off-Topic?
The question asked that still gets me is, "In the meantime, what is the best course of action for users, just short of burning all of our technology and burying our money in the ground?"
My answer would be, continue being careful what code/apps you install on your computer. Be aware that using or posting private information on a network has risks. My opinion is that no network is truly secure, but that's just an opinion. Passwords, credit card numbers, account information, medical history, other types of proprietary information can be "hacked" on a network, it happens to some real big players in IT. The best security money can buy seems to get penetrated somehow.
I don't think anybody should be scared, but just be aware. And thanks for the info on the topic so far, I have learned a lot.
resigned by AI ChatGPT
Re: Meltdown and Spectre patches
Schneier has posted an article on his blog.
https://www.schneier.com/
He says:
For the average user, this is just another attack method amongst many. All the major vendors are working on patches and workarounds for the attacks they can mitigate. All the normal security advice still applies: watch for phishing attacks, don't click on strange e-mail attachments, don't visit sketchy websites that might run malware on your browser, patch your systems regularly, and generally be careful on the Internet.
Linux is of course generally much safer than Windows.
Re: Meltdown and Spectre patches
@bw123: I may have been unclear about what I said earlier: my comment was not directed at you, but rather at certain users (one in particular) who routinely intrude and derail -- often times successfully -- genuine security threads with meaningless trolling, often disguised in the form of commentary about how any security is too much security (or something of the ilk). Like, it's not wrong, nor is it completely off topic; however, unsurprisingly, it typically encourages more discussion about judgments, rather than research (and the research used in response is, also unsurprisingly, usually available through the first few hits of a superficial Google search); by contrast, threads like this are meant to encourage relevant, fact-based findings. Again, though, all of this was meant for (an)other user(s).
Unrelated, I updated my original post with some details.
- stevepusser
Re: Meltdown and Spectre patches
https://github.com/speed47/spectre-meltdown-checker
A script to check your vulnerabilities. There's a long way to go with Spectre.
Don't run random scripts without vetting them, though.
MX Linux packager and developer
Re: Meltdown and Spectre patches
stevepusser wrote:
Don't run random scripts without vetting them, though.
I'm expecting a new wave of "We make your PC great again! Click here to download our cure!" ads now mentioning Spectre and Meltdown.
Hmmmm... they might already be there... I should disable my naïve adblocking...
"I have a natural instinct for science" — DJ Trump.
"Vrijdag voor VT100!" — Yeti.
"There is no PLANET-B!" — ???
"Vrijdag voor VT100!" — Yeti.
"There is no PLANET-B!" — ???
Re: Meltdown and Spectre patches
n_hologram wrote:
No problem. It is my understanding that 32-bit is exploitable, but it's still unclear if there is a sensible way to mitigate it.
Thanks again.
The chosen answer does not suggest that there is any difference between 32- and 64-bit architectures wrt Meltdown.
Anyhow, I did another update on my Debian jessie 32-bit system, and now have this:
uname -rv
3.16.0-5-686-pae #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08)
It would seem that my 32-bit machine now has a kernel patched against Meltdown.
Re: Meltdown and Spectre patches
Thanks for the info; good to know jessie/686 isn't left astray ^_^
Were you able to check it against the spectre-meltdown-checker that steve shared?
Re: Meltdown and Spectre patches
For Opera browsers, some mitigations:
https://blogs.opera.com/security/2018/0 ... abilities/
Re: Meltdown and Spectre patches
Zenwalk Linux is claiming Firefox has "fixed" Spectre and Meltdown timing attacks for Linux with Firefox 58?
https://zenwalkgnulinux.blogspot.com.au/
Re: Meltdown and Spectre patches
Seventh wrote:
Zenwalk Linux is claiming Firefox has "fixed" Spectre and Meltdown timing attacks for Linux with Firefox 58
Reduced the accuracy of timers available to JavaScript, like Chrome has. A rather dirty workaround, not a fix.
You can't really "fix" CPU sidechannel attacks in software, and there are plenty of other ways to generate a fast enough tick for cache timing analysis.
If one is concerned about a browser drive-by, disable javascript.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
Re: Meltdown and Spectre patches
I've been using this for a long time (Head_on_a_Stick gave a good contribution; thanks to him here): adblocking with /etc/hosts (I guess it can help against ad JavaScript).
http://forums.debian.net/viewtopic.php?f=16&t=129202
It updates very often; all these people contribute (I just hope they haven't gone bad eventually).
http://someonewhocares.org/hosts/zero/
# Last updated: Wed, 03 Jan 2018 at 18:00:26 GMT
Re: Meltdown and Spectre patches
n_hologram wrote:
Thanks for the info; good to know jessie/686 isn't left astray ^_^
Were you able to check it against the spectre-meltdown-checker that steve shared?
I did now.
$ dmesg | grep isolation
$ grep TABLE_ISOLATION /boot/config-$(uname -r)
$ sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.27
Checking for vulnerabilities against live running kernel Linux 3.16.0-5-686-pae #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) i686
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
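As an added example (not code from the thread or from the spectre-meltdown-checker project), a small POSIX shell script that collects the Meltdown evidence this thread has been looking at from several places at once: the kernel config (PAGE_TABLE_ISOLATION), the "flags" and "bugs" lines of /proc/cpuinfo (the "cpu_insecure" flag mentioned earlier, which later kernels renamed "cpu_meltdown", and the "pti" feature flag), and the sysfs vulnerabilities file that 4.15+ kernels and backports expose. Every function takes an optional file path so it can be run against constructed sample files as well as the live system; the script name meltdown-evidence.sh is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from spectre-meltdown-checker.
# Gathers Meltdown (CVE-2017-5754) evidence from the places the thread
# discusses. Every function takes an optional file path so it can be run
# against constructed sample files; with no argument it reads the live system.

# Kernel config: was PTI (the KAISER/KPTI page-table split) built in at all?
pti_in_config() {
    cfg="${1:-/boot/config-$(uname -r)}"
    grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' "$cfg" 2>/dev/null && echo yes || echo no
}

# /proc/cpuinfo 'flags': the 'pti' feature bit is present only when PTI is active.
cpuinfo_pti() {
    grep '^flags' "${1:-/proc/cpuinfo}" 2>/dev/null | head -n 1 \
        | grep -qw 'pti' && echo yes || echo no
}

# /proc/cpuinfo 'bugs': 'cpu_insecure' (renamed 'cpu_meltdown' in later
# kernels) means the kernel considers this CPU affected, patched or not.
cpuinfo_affected() {
    grep '^bugs' "${1:-/proc/cpuinfo}" 2>/dev/null | head -n 1 \
        | grep -Eqw 'cpu_insecure|cpu_meltdown' && echo yes || echo no
}

# sysfs (kernel 4.15+ and backports): the kernel's own verdict, if present.
sysfs_meltdown() {
    f="${1:-/sys/devices/system/cpu/vulnerabilities/meltdown}"
    [ -r "$f" ] && cat "$f" || echo "unknown (sysfs entry absent)"
}

# A kernel built without PTI cannot be mitigated, whatever its version string
# says; that is the situation the 686 checker output above shows.
meltdown_summary() {
    cfg_ok=$(pti_in_config "$1"); flag_ok=$(cpuinfo_pti "$2"); verdict=$(sysfs_meltdown "$3")
    if [ "$cfg_ok" = yes ] && { [ "$flag_ok" = yes ] || echo "$verdict" | grep -q '^Mitigation'; }; then
        echo "MITIGATED"
    else
        echo "VULNERABLE (config=$cfg_ok pti_flag=$flag_ok sysfs=$verdict)"
    fi
}

# Print the live verdict when run as a script (the file name is an assumption).
case "$0" in */meltdown-evidence.sh) meltdown_summary ;; esac
```

On the jessie 686 kernel shown above, the config check alone settles the question: without CONFIG_PAGE_TABLE_ISOLATION=y there is nothing for the flag or sysfs checks to confirm.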
Re: Meltdown and Spectre patches
debiman wrote:
As I said before, the kernel version surely is the patched one, but according to these outputs it does not apply to my 32-bit Intel processor?
This is exactly the crux of the 32-bit issue: no one knows. I'm going to email the patch developer later and ask what's going on.