I was missing such posts!
Thanks @abga. |
Quote:
Intel has actually released details and fixes for an entire list of vulnerabilities (Intel AMT , ME included) and a nice erratum called "Conditional Code Erratum", fixed by the latest microcode, affecting: Amber Lake, Cascade Lake, Coffee Lake, Comet Lake, Kaby Lake, Skylake and Whiskey Lake. Intel's list of vulnerabilities: https://www.intel.com/content/www/us...-sa-00241.html Blog entry: https://blogs.intel.com/technology/2...rm-update-ipu/ Mitigations for Jump Conditional Code Erratum - White Paper (apparently fixed by latest microcode): https://www.intel.com/content/dam/su...de-erratum.pdf |
Quote:
|
Hello,
Quote:
"slackpkg upgrade-all" is mandatory on slackware-current. On stable, it is better to just stick to "slackpkg upgrade patches". -- SeB |
Quote:
https://www.win-raid.com/f39-Intel-M...nt-Engine.html https://www.win-raid.com/t596f39-Int...tem-Tools.html This is how I managed to update my Intel ME version because my friends at ASUS had not yet decided to send me a new BIOS version. Now I am analyzing the risk of updating to the latest Intel ME version available in the link above. Thanks @abga seems to have it! |
Quote:
|
Quote:
And thanks Pat, for removing this updating problem. |
Quote:
https://www.intel.com/content/www/us...hnologies.html https://downloadcenter.intel.com/download/29057 https://downloadcenter.intel.com/download/28632 As for the latest CPU microcode from Intel, the SlackBuild is not yet updated but easy to adapt. - get the latest Intel microcode Code:
wget https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20191112.tar.gz Code:
mv microcode-20191112.tar.gz Intel-Linux-Processor-Microcode-Data-Files-microcode-20191112.tar.gz - change VERSION=${VERSION:-20191112} in intel-microcode.SlackBuild - build and install/upgrade it |
Quote:
|
They were really fast: 20191112 Release -> 20191115 Release.
I wonder in what state of mind hardware manufacturers will be, if Intel keeps it that way! |
Well, get http://www.slackbuilds.org/repositor...tel-microcode/
Adapt the intel-microcode.SlackBuild --> VERSION=${VERSION:-20191115} And get&use the new microcode: Code:
wget https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20191115.tar.gz |
Potential DoS vulnerability affecting many Intel CPUs.
Machine Check Error on Page Size Change - CVE-2018-12207 https://software.intel.com/security-...-size-change-0 More details in the kernel thread: https://www.linuxquestions.org/quest...ml#post6059518 |
New Linux Vulnerability Lets Attackers Hijack VPN Connection
|
Quote:
The original report (link available in the bleepingcomputer article) has a response in which more details and some simple workarounds are available: Original report: https://seclists.org/oss-sec/2019/q4/122 Response: https://seclists.org/oss-sec/2019/q4/123 Quote:
https://linux.slashdot.org/story/19/...pn-connections Quote:
Besides, this is part of my standard (IPv4 & static routing) firewall header (it's been for ages): Code:
if [ -r /proc/sys/net/ipv4/conf/default/rp_filter ]; then Code:
if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then https://www.kernel.org/doc/Documenta.../ip-sysctl.txt |
Quote:
actually for Strong ES Model you need: Quote:
Quote:
Code:
sudo sysctl -p |
@Aeterna
Thanks for the tips! I do have the lines you suggested in my firewall header, but with some different, IMO, optimal values: Code:
echo 2 > /proc/sys/net/ipv4/conf/all/arp_ignore https://www.linuxquestions.org/quest...5/#post5963569 But I don't use it for networking stuff, only for system tweaks. I prefer to focus on the firewall instead (trying to not loose my head). ______ Up in #864 I quoted an excerpt from the seclists.org Response where an iptables line was suggested for mitigation. Checked the actual iptables manual: http://ipset.netfilter.org/iptables-....man.html#lbBX And learned (also successfully tested) that the actual syntax should be: Code:
/usr/sbin/iptables -A PREROUTING -t raw -m rpfilter --invert -j DROP P.S. - /proc/sys/net/ipv4/conf/*/rp_filter logic - TLDP - FIXME http://tldp.org/HOWTO/Adv-Routing-HO...ernel.rpf.html - RH Experts focusing on the default value https://access.redhat.com/documentat...ath_forwarding - The Urban Penguin's "PhD dissertation": https://www.theurbanpenguin.com/rp_f...inux-security/ |
@abga
even more good tips. I see :) eventually to consider (on the server I have (in addition to the above) ) Quote:
|
Quote:
How would one convert the above commands to block this new IPv4 security issue in the firewalld entries? Can they be put in to FirewallD Direct Configuration? Cheers, BrianA_MN |
@bamunds
You have two options, the first one, outside of the scope of firewalld, using the kernel sysctl interface, presented in the bottom of my post #864. The second, to import/migrate into firewalld the two (maybe only the IPv4 is required) iptables rules available in the second half of my post #866. I have no experience with firewalld and I suggest to look into the doc / search the net for how to achieve this. A starting point can be: https://serverfault.com/questions/91...s-to-firewalld |
Basically all the workarounds, these are workarounds and not fixes, presented for the CVE-2019-14899 - Inferring and hijacking VPN-tunneled TCP connections, together with Aeterna's sysctl additions, helping also with a potential ARP Flux, are enforcing a strong host model on the networking system. This is not a bad practice after all and it works in almost all networking scenarios (simple static routing(no policy routing or advanced routing)).
If in doubt, consult the RFC - sections 4.2.2.11, 4.3.2.7, 5.3.3.3 (etc) https://tools.ietf.org/html/rfc1812 Even on simple static routing setups for instance, by using "net.ipv4.conf.all.arp_ignore = 2" on your system, you can get into issues when talking to weird networking devices or an ARP proxy. Here is a concrete example: https://bugs.endian.com/view.php?id=1507 IMO, a proper fix should maybe get developed by the VPN providers, in their SW and only affecting the interface it uses. OpenVPN is closely watching this issue (whatever that means): "OpenVPN Inc. is keeping a close eye on the discussions currently ongoing, and possible solutions. Currently there is no evidence suggesting there is a flaw in the OpenVPN software itself." https://openvpn.net/security-advisor...nvpn-software/ And the Wireguard devs (Wireguard being that new VPN thingy that is going to make its way (already in 5.5.x?) into the kernel) are scratching their heads: https://lists.zx2c4.com/pipermail/wi...er/004679.html Side note on Wireguard: https://lwn.net/Articles/802376/ https://www.phoronix.com/scan.php?pa...ible-Linux-5.5 |
Is this thread no longer sticky?
|
I think for some reason they unstickied this one and kept this old and outdated one as the sticky...
|
Well, maybe it's time to start a new one, without any date & "outstanding" in the title, like:
[Slackware security] Live Vulnerabilities Announcements & Reports |
Hi,
Quote:
|
@Thom1b
Thanks! Noticed that already. It's all GazL's fault for calling it "active, and useful" :D Now this one that contains all the fresh stuff & details will get flushed down the toilet ... forum thread list and will soon vanish. I don't know if it's in the power of the mods, but I'd rather suggest to rename this thread, remove " outstanding 20140101 " from the title and keep it active & sticky. Or, rename it in: [Slackware security] Live Vulnerabilities Announcements & Reports - maybe other more suggestive name (I'm not a native English speaker and not very creative at this time (tired too)). |
Yep, sorry guys, looks like my desire to tidy up the stickies backfired and they clobbered the wrong one.
Mods, please can you. re-sticky this active thead: https://www.linuxquestions.org/quest...-a-4175489800/ and unsticky this dead one: https://www.linuxquestions.org/quest...ad-4175522182/ As for the title, it might be an idea to wait until Jan and start a new 2020 thread to use going forward, or start a new one when Slackware 15.0 releases. what do people think? |
Quote:
"[Slackware Security] Unresolved Vulnerability Announcements, Reports and Discussion" seems like an unambiguous title, if a little bit long. |
"[Slackware Security] Vulnerability Announcements, Reports and Discussion"
Since I hope a few become solved, that would be my vote |
Quote:
|
Thanks UnSpawn, much appreciated.
|
Quote:
|
Quote:
With "Live" I wanted to emphasize that the thread is active and "alive", that it should be used and monitored, but now I believe Tonus' formulation could be more suitable (with the plural for Discussion): "[Slackware Security] Vulnerability Announcements, Reports and Discussions" Glad it's back on sticky. :) |
Quote:
As such, "outstanding" and "unresolved" are appropriate. I prefer "unresolved" so as to avoid the multiple meanings "outstanding" has. |
Quote:
If we had the ability to edit the first post and keep track of currently known vulnerabilities that don't have patches (or even recent ones that had patches already pushed out), it would make more sense to leave it as outstanding or unresolved. But since I believe only moderators would have the ability to edit posts that old (and the topic name), we're stuck with the current name and OP. I suppose if someone wanted to be gung-ho and maintain a slack-docs article on current vulnerabilities, they could open a new thread for new vulnerabilities announcements/reportings and then in the first post, they could link the slack-docs article that tracks current/recent vulnerabilities and their status on various Slackware versions. I certainly don't have the time and inclination to manage that, but it would certainly be a nice resource if someone is able to tackle it. |
Kernel 4.4.210 fixes the following CVEs: CVE-2019-14615, CVE-2019-14895
https://cdn.kernel.org/pub/linux/ker...ngeLog-4.4.210 https://cdn.kernel.org/pub/linux/ker...4.4.210.tar.xz |
Those of you fellow Slackers running on newer Intel CPUs (manufactured since 2015, apparently) thinking that by applying all the latest microcodes and kernel patches, your systems are safe now, think again ....
The latest microcode patches Intel provided are not fully mitigating the already discovered CPU flaws. https://www.intel.com/content/www/us...-sa-00329.html CVE-2020-0549 - called CacheOut by the University of Michigan and L1DES (L1D Eviction Sampling) by Intel https://cacheoutattack.com/ https://mdsattacks.com/#ridl-nng https://software.intel.com/security-...ction-sampling CVE-2020-0548 - called VRS (Vector Register Sampling) https://software.intel.com/security-...ister-sampling There are no mitigations available ATM, microcode updates should fix them both. No info about future kernel patches. Some articles on the subject: https://www.wired.com/story/intel-zo...ive-execution/ https://www.phoronix.com/scan.php?pa...e-Data-Leakage |
Quote:
|
And when you think of it, Linus called the first Intel patches "COMPLETE AND UTTER GARBAGE".
https://lkml.org/lkml/2018/1/21/192 Poor guy was punished and had to abide to this: https://git.kernel.org/pub/scm/linux...4093c54469c11f But he deserved it, he was "utterly" wrong in the first place, forgot to add the word PERPETUAL in front of his original expression ;) I'm only running on Intels and never considered AMD in the last 15 years or more. Will start to look more closely at their mobile CPUs from now on, since I'm loosing confidence in Intel's commitment in properly resolving their issues. My last experience with AMD on laptops was: really bad thermal issues, overheating, CPUs literally burning out (including MB), they wouldn't last more than 1-2 years of normal usage. I hope that changed now. |
New vulnerability published affecting Intel SGX enabled CPUs. Firmware (microcode update) mitigation will be available and binutils is patching itself:
https://sourceware.org/pipermail/bin...ch/110175.html https://lviattack.eu/ "LVI is a new class of transient-execution attacks exploiting microarchitectural flaws in modern processors to inject attacker data into a victim program and steal sensitive data and keys from Intel SGX, a secure vault in Intel processors for your personal data." Intel's advisory: https://www.intel.com/content/www/us...-sa-00334.html CVE entry: https://cve.mitre.org/cgi-bin/cvenam...=CVE-2020-0551 |
Chrome Security Issues
It appears that Chrome (Chromium) has some vulnerabilities. In that last couple of days (March 31st) it has been recommended to upgrade to 80.0.3987.162 due to several important security issues.
https://www.us-cert.gov/ncas/current...updates-chrome I pulled down Alien Bob's Chromium a couple of weeks ago and it was at 80.0.3987.149. Those that follow Chrome more closely can add detail about these vulnerabilities. I only use Alien Bob's Chromium for websites that demand its features. (Thanks Eric!) Although not a Slackware specific issue I'm posting this to inform members of this forum. EDIT: More detail... https://www.cisecurity.org/advisory/...tion_2020-044/ |
A new security hole in some of the Intel Core i7, Core i9 and Xeon CPUs, called SRBDS, CVE-2020-0543.
Mitigated apparently only through microcode updates. Details (I stopped analyzing them, don't really feel the need to become an expert in CPU design... ): https://www.vusec.net/projects/crosstalk/ https://www.intel.com/content/www/us...-sa-00320.html Extra, the usual AMT, plus some SSD, BIOS and "Innovation Engine Build and Signing Tool" (interesting name): https://www.intel.com/content/www/us...-sa-00295.html https://www.intel.com/content/www/us...-sa-00266.html https://www.intel.com/content/www/us...-sa-00322.html https://www.intel.com/content/www/us...-sa-00366.html P.S. Actually, according to Intel, many more CPU families are affected by the vulnerability. I was only reading the vusec article when I composed the post. Full list here: https://software.intel.com/security-...duct-cpu-model |
Quote:
Code:
./spectre-meltdown-checker.sh -v Quote:
Quote:
|
Quote:
And, I suppose you're referring to 5.4.46. That contains : Quote:
Whereas, for the stable Slackware 14.2, the 4.4.217 kernel doesn't appear to contain the SRBDS code yet, but only 4.4.227 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.227 |
Quote:
Quote:
Code:
$cat /sys/devices/system/cpu/vulnerabilities/srbds Code:
"Vulnerable" |
Multiple GRUB2 vulnerabilities - BootHole
Quoting a message from Daniel Kiper on the grub-devel mailing list:
Quote:
So if you enable Secure Boot read the message from Daniel. PS I assume that all the 28 patches will be applied in grub-2.06, so just upgrading will address the mentioned CVEs. As an aside work on this issue probably delayed the release of this new version, meanwhile several non-security patches wait to be committed but the first RC can now appear within a few weeks, I think. EDIT: good guess ;) Le 29/07/2020 à 19:46, Daniel Kiper a écrit : > I think this link [1] will explain my long absence... Sorry about that. > > I am going to go back to GRUB work next week. I will triage all the patches > and take all (obvious) fixes. Then I will release rc1 ASAP... All new features > will be taken after 2.06 release. > > Daniel > > [1] https://lists.gnu.org/archive/html/g.../msg00034.html PPS The scope of this vulnerability is a lot wider than only GRUB2 as it can encompass a lot of systems using it or not to boot, including Windows. Read There’s a Hole in the Boot to know why and how. |
There appears to be some serious security issues with xorg.
https://www.phoronix.com/scan.php?pa...CVE-2020-14344 Quote:
|
GnuPG 2.2.23 released
|
FreeType 2.10.4, is now available.
Quote:
https://sourceforge.net/projects/fre...etype2/2.10.4/ Quote:
|
If you are running an Intel processor you might wnat to read this post in the kernel thread,
https://www.linuxquestions.org/quest...ml#post6184145 |
Mutt 2.0.2 was released on November 20, 2020. This is an important bug-fix release, addressing CVE-2020-28896.
https://gitlab.com/muttmua/mutt/-/co...2863756ebbf59a https://gitlab.com/muttmua/mutt/raw/stable/UPDATING ftp://ftp.mutt.org/pub/mutt/mutt-2.0.2.tar.gz |
All times are GMT -5. The time now is 04:14 PM. |