Official Debian standpoint on Meltdown/Spectre
Hi,
Is there any official information from Debian about ongoing (hopefully) work to mitigate the Meltdown/Spectre vulnerabilities? What would be sensible action (if any) to take while waiting for an official mitigation? I have of course updated my system to latest, but according to the test script, its still vulnerable and needs further actions.
What have you guys done (so far) to secure your systems?
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Official Debian standpoint on Meltdown/Spectre
Please post the output of
Code:
grep -r . /sys/devices/system/cpu/vulnerabilities
EDIT: bug reports here:
https://security-tracker.debian.org/tra ... -2017-5753
https://security-tracker.debian.org/tra ... -2017-5754
https://security-tracker.debian.org/tra ... -2017-5715
deadbang
- Head_on_a_Stick
Re: Official Debian standpoint on Meltdown/Spectre
Dobeedoo wrote: What would be sensible action (if any) to take while waiting for an official mitigation?
Disable javascript and make sure that all of your packages are up to date.
deadbang
Re: Official Debian standpoint on Meltdown/Spectre
Head_on_a_Stick wrote: Please post the output of
Code:
grep -r . /sys/devices/system/cpu/vulnerabilities
I get the following after running the above command:
Code:
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
- Head_on_a_Stick
Re: Official Debian standpoint on Meltdown/Spectre
^ Thanks!
Dobeedoo wrote:
Code:
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline
That's interesting, both Alpine Linux and Debian are using minimal generic ASM whereas Arch Linux is using full retpoline.
The only real way to protect yourself is to throw away all of your defective CPUs and switch to something open instead
https://riscv.org/
deadbang
- stevepusser
- Posts: 12930
- Joined: 2009-10-06 05:53
- Has thanked: 41 times
- Been thanked: 72 times
Re: Official Debian standpoint on Meltdown/Spectre
Burned all electronic devices with loads of fire and moved into my bunker.
Maybe you have to be using the latest compilers to get full retpoline support.
MX Linux packager and developer
Re: Official Debian standpoint on Meltdown/Spectre
oh man I think they got my girly pics!!
Code:
$ grep -r . /sys/devices/system/cpu/vulnerabilities
grep: /sys/devices/system/cpu/vulnerabilities: No such file or directory
b17@themini:/sys/devices/cpu$ uname -a
Linux themini 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux
resigned by AI ChatGPT
Re: Official Debian standpoint on Meltdown/Spectre
Head_on_a_Stick wrote: ^ Thanks! That's interesting, both Alpine Linux and Debian are using minimal generic ASM whereas Arch Linux is using full retpoline. The only real way to protect yourself is to throw away all of your defective CPUs and switch to something open instead https://riscv.org/
LOL! That may be a little harsh, just bought a new one... but wonder if they'd take it back as defective, hehe... If I read the CVEs you posted links to correctly, they say "attack range: local", I suppose that means it can't be exploited from outside my computer/network (assuming my firewall does a decent job)?
Re: Official Debian standpoint on Meltdown/Spectre
stevepusser wrote: Burned all electronic devices with loads of fire and moved into my bunker. Maybe you have to be using the latest compilers to get full retpoline support.
Yes, I realize there is no "fix", or at least no easy one. If I got things right, everything needs to be recompiled with retpoline support. I chose Debian for its security thinking and being one of the more stable distributions I know of, so not really worried, but a bit security minded.
- Head_on_a_Stick
Re: Official Debian standpoint on Meltdown/Spectre
Dobeedoo wrote: If I read the CVEs you posted links to correctly, they say "attack range: local", I suppose that means it can't be exploited from outside my computer/network
Yes, that's right but Firefox and Chrom{e,ium} (and some video drivers, apparently) were able to be used as attack vectors (if javascript was enabled) but this did not apply to firefox-esr, which is nice.
deadbang
- Head_on_a_Stick
Re: Official Debian standpoint on Meltdown/Spectre
bw123 wrote:
Code:
$ grep -r . /sys/devices/system/cpu/vulnerabilities
grep: /sys/devices/system/cpu/vulnerabilities: No such file or directory
AMD machine?
deadbang
Re: Official Debian standpoint on Meltdown/Spectre
Head_on_a_Stick wrote: AMD machine?
Both intel and amd lack a /sys/devices/system/cpu/vulnerabilities file or directory on 4.9.65-3+deb9u2 which is debian stretch latest stable kernel.
I don't know why you guys try and worry me so much, are you even using debian? Is this FUD? Is it SPAM? Are you just clueless or what? I don't get it!!!!
resigned by AI ChatGPT
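Added example, not code posted by anyone in this thread. It covers both the grep that Head_on_a_Stick asked for and the "No such file or directory" that bw123 hit on stretch's 4.9.65-3+deb9u2 kernel: a POSIX sh function that reads each file under /sys/devices/system/cpu/vulnerabilities, flags anything still reported as "Vulnerable" (including the "Vulnerable: Minimal generic ASM retpoline" line quoted above), and distinguishes "still vulnerable" from "this kernel has no sysfs report at all". The fallback check of /proc/cpuinfo flags is an assumption: the flag names ("pti", "kaiser") vary between kernel versions, so their absence proves nothing.

```sh
#!/bin/sh
# Added example (not from the thread). Summarise the kernel's per-issue
# status files and return a code a script can act on. Directory absent
# means the kernel predates the sysfs interface; it does NOT mean "safe".

# check_vulns [DIR]
#   Prints "issue: status" per file under DIR. Return codes:
#     0  every entry reports "Mitigation: ..." or "Not affected"
#     1  at least one entry starts with "Vulnerable"
#     2  DIR does not exist (kernel too old to report anything)
check_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "$dir: missing; this kernel predates the sysfs report" >&2
        return 2
    fi
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s: %s\n' "$(basename "$f")" "$status"
        case "$status" in
            Vulnerable*) bad=1 ;;
        esac
    done
    return "$bad"
}

# Fallback for kernels without the directory: look for a page-table
# isolation flag in the "flags" line of /proc/cpuinfo.
# Assumption: KPTI backports advertise "kaiser" or "pti" there; names differ
# between kernels, so a miss is inconclusive, not a verdict.
has_pti_flag() {
    flags="$1"
    for want in pti kaiser; do
        for have in $flags; do
            [ "$have" = "$want" ] && return 0
        done
    done
    return 1
}

# Stand-alone run against the live machine: ./vulns.sh --live
if [ "${1:-}" = "--live" ]; then
    check_vulns
    rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "kernel: $(uname -r)"
        if has_pti_flag "$(grep -m1 '^flags' /proc/cpuinfo)"; then
            echo "cpuinfo advertises a page-table-isolation flag"
        else
            echo "no pti/kaiser flag in cpuinfo: cannot confirm mitigation"
        fi
    fi
    exit "$rc"
fi
```

On a kernel that has the directory, exit 1 with the printed lines tells you exactly which issue is still open (spectre_v1 and spectre_v2 in Dobeedoo's output, meltdown already "Mitigation: PTI"); exit 2 is the 4.9.65-3+deb9u2 case, where the only honest answer is "update the kernel and re-run".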
Re: Official Debian standpoint on Meltdown/Spectre
Dobeedoo wrote: What have you guys done (so far) to secure your systems?
Nothing on my Debian setup, apart from lethargically invoking sudo apt update whenever I remember to.
My netbook [Slackware] runs an Atom N270 so is theoretically, and reportedly, immune. By reportedly, I mean that the output of spectre-meltdown-checker states such. Nevertheless, I still perform kernel updates when they are available.
Re: Official Debian standpoint on Meltdown/Spectre
Lysander wrote: Nothing on my Debian setup, apart from lethargically invoking sudo apt update whenever I remember to.
I'm pedantic, but you probably already realise that.
I'm fairly sure you mean you invoke apt update and then apt upgrade if called for.
Just so lurkers and the inexperienced are clear.
On distros that I don't boot every time I do the update/upgrade dance as soon as I boot up so they are up to date and I don't forget and risk security. I'm pretty sure you could even script that if you chose to.
Thanks for indulging me, or complain if you want to, I respect your intelligence.
Re: Official Debian standpoint on Meltdown/Spectre
Thorny wrote: I'm pedantic, but you probably already realise that.
I think each case of pedantry has contextual validity. When it comes to Linux-learning, specificity is definitely a good thing.
Thorny wrote: I'm fairly sure you mean you invoke apt update and then apt upgrade if called for. Just so lurkers and the inexperienced are clear.
That is indeed what I mean, thanks for the clarification.
- Posts: 459
- Joined: 2013-06-16 00:10
Re: Official Debian standpoint on Meltdown/Spectre
Lysander wrote: My netbook [Slackware] runs an Atom N270 so is theoretically, and reportedly, immune. By reportedly, I mean that the output of spectre-meltdown-checker states such.
Are you running a 32 or 64-bit kernel?
the crunkbong project: scripts, operating system, the list goes on...bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
Re: Official Debian standpoint on Meltdown/Spectre
I believe the most important Debian-specific remediations will involve what kernels are showing up where and when.
Nobody would ever ask questions If everyone possessed encyclopedic knowledge of the man pages.
Re: Official Debian standpoint on Meltdown/Spectre
n_hologram wrote: Are you running a 32 or 64-bit kernel?
The N270 is 32bit only, so I am running a 32bit smp.
Re: Official Debian standpoint on Meltdown/Spectre
I forgot that several atom processors are invulnerable, so I'm assuming yours is one. If so, correct me if I'm wrong, but I'm not sure the kernel makes much of a difference.