|
Additional exploits published for Intel (et al?) processors:
http://tinyurl.com/yclkz4l3 Quote:
|
Quote:
https://www.heise.de/ct/artikel/Excl...s-4040648.html It's all kept secret until on the 7th of May, that's the next patch day from Redmond. P.S. There's a follow-up on the original article, which contains the official reaction (quoted) from Intel & AMD, ARM did not reply. The original positions from Intel&AMD are to be found in English at the end of the article: https://www.heise.de/security/meldun...n-4039302.html |
A short update/follow-up on the Spectre-NG vulnerabilities:
https://www.heise.de/security/meldun...n-4043790.html The article is only available in German and you can use a translation service on it. At least for me German is a native language and I can help with a short summary on the main points: It's reported that Intel had asked for a postponing of the release of the technical information & patches, for at least 2 weeks. They're planning a coordinated release of technical information for at least two of the Spectre-NG vulnerabilities together with microcode updates on the 21th of May 2018. But not even this new date is fixed, as Intel apparently asked for another extension until on the 10th of July 2018. The amount of affected CPUs is "enormous", covering not only the Core-i CPUs and their Xeon derivatives, at least from when they first appeared (nehalem 2010), but also Atom/Pentium/Celeron CPUs released since 2013. For the mitigation of the more dangerous Spectre-NG vulnerabilities, mainly related to VMs, Intel is planning additional patches in the form of microcode updates + software patches for the 14th of August 2018. I'm wondering where Heise Online took all this info and why are they the only ones owning it, pretty much all the other tech publications cite them. Personally, I trust them, I consider them serious and following (one of my daily reads) them myself for a very long tine. https://en.wikipedia.org/wiki/Heinz_Heise |
|
Freetype 2.9.1 is released, with fixes to some vulnerabilities.
http://cve.mitre.org/cgi-bin/cvename...=CVE-2018-6942 https://sourceforge.net/projects/fre...eetype2/2.9.1/ |
Quote:
|
Quote:
http://lists.nongnu.org/archive/html.../msg00078.html |
curl-7.60.0 is released with security fixes.
Quote:
Quote:
|
A short update on the "SpectreNG" vulnerabilities:
Variant 3 (CVE-2017-5754) Subvariant 3a (CVE-2018-3640) Variant 4 (CVE-2018-3639) Intel's announcement: https://newsroom.intel.com/editorial...nnel-analysis/ Affected CPUs (Intel): https://www.intel.com/content/www/us...-sa-00115.html The German IT publication, the one that disclosed SpectreNG some weeks ago, states that Intel has already microcode updates available, but they are in beta-stage and these updates will be deployed through HW manufacturers (BIOS) as well as OS level images in the following months.(use some translation service): https://www.heise.de/security/meldun...n-4051900.html ARM on the subject: https://developer.arm.com/support/ar...-vulnerability RedHat on Variant 4: https://access.redhat.com/security/vulnerabilities/ssbd P.S. A comprehensive article in English: https://www.theregister.co.uk/2018/0...rosoft_google/ |
Another vector demonstrated for exploiting the Rowhammer vulnerability:
https://thehackernews.com/2018/05/re...ttack.html?m=1 Quote:
|
Git 2.17.1 fixes CVE-2018-11233 / CVE-2018-11235 (potential aribtrary code execution).
|
it has been pushed to current on May 31
|
libgcrypt 1.7.10 and 1.8.3 are released with security fixes :
https://gnupg.org/ftp/gcrypt/libgcry...10.tar.bz2.sig https://gnupg.org/ftp/gcrypt/libgcry...1.7.10.tar.bz2 https://gnupg.org/ftp/gcrypt/libgcry....3.tar.bz2.sig https://gnupg.org/ftp/gcrypt/libgcry...-1.8.3.tar.bz2 Quote:
|
Another episode in the series of Intel CPU bugs - LazyFP vulnerability: Exploiting lazy FPU state switching, affecting apparently only Intel processors.
Intel SA-0014 CVE-2018-3665 https://www.intel.com/content/www/us...-sa-00145.html https://cve.mitre.org/cgi-bin/cvenam...=CVE-2018-3665 More technical details: http://blog.cyberus-technology.de/po...erability.html Quote:
Quote:
Quote:
The Linux Kernel patch that defaults eagerfpu=on on all CPUs, thus mitigating this issue, is applied starting with the kernel version v4.6-rc1 : https://github.com/torvalds/linux/co...c557d997d46a19 |
linux-4.4.138 includes a fix for CVE-2018-3665: "x86/fpu: Disable AVX when eagerfpu is off"
https://cdn.kernel.org/pub/linux/ker...ngeLog-4.4.138 I wouldn't mind an official 4.4.138 patch for 14.2 (which would likely also be applicable to 14.1 -- I've been updating my 14.1 systems with 14.2 kernels for a while now). |
| All times are GMT -5. The time now is 03:14 PM. |