Apparently, OpenBSD has got rid of Intel HyperThreading due to Spectre. (It's no problem to get rid of it on amd64, I've had this disabled in my kernels for couple of years now)
|
Quote:
https://www.theregister.co.uk/2018/0...yperthreading/ https://www.theregister.co.uk/2018/0...key_data_leak/ The details will be revealed in a few days at the BlackHat 2018 conference: https://www.blackhat.com/us-18/brief...t-enough-10149 |
bind-9.10.8 is released with security fixes.
Quote:
|
curl-7.61.0 is released with one security fix:
Quote:
|
New Spectre Variant dubbed Bounds Check Bypass Store - CVE-2018-3693
https://cve.mitre.org/cgi-bin/cvenam...=CVE-2018-3693 Intel's Security Advisory: https://01.org/security/advisories/intel-oss-10002 Research Paper: https://people.csail.mit.edu/vlk/spectre11.pdf It looks to be a sub-variant of: CVE-2017-5753 aka Spectre Variant 1 Not yet listed in the capabilities of the spectre-meltdown-checker: https://github.com/speed47/spectre-meltdown-checker Intel's latest white paper release suggest SW mitigation (kernel): https://software.intel.com/sites/def...hite-Paper.pdf |
mutt 1.10.1 released
With important security fixes. Quoting the message from Kevin J. McCarthy on the mutt-announce mailing list:
Quote:
|
Details about a new Spectre variant has just been released, it's called SpectreRSB and targets the CPU Return Stack Buffer (RSB), has no CVE assigned yet and Intel states that it's related to Spectre variant 2 - CVE-2017-5715
https://www.bleepingcomputer.com/new...ed-spectrersb/ "Researchers said they reported the issue to Intel, but also to AMD and ARM. Researchers say they only tested SpectreRSB on Intel CPUs, but because AMD and ARM processors also use RSBs to predict return addresses, they are, most likely, affected as well. Red Hat is also investigating the issue." https://www.theregister.co.uk/2018/0..._stack_buffer/ |
mariadb-10.0.36 is released with many security fixes.
https://mariadb.com/kb/en/mdb-10036-rn/ |
Linux kernel (versions 4.9+) is vulnerable to DoS attacks through specially modified TCP packets.
CVE-2018-5390 Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service. https://cve.mitre.org/cgi-bin/cvenam...=CVE-2018-5390 Kernel patch: https://git.kernel.org/pub/scm/linux...689a478f82e72e Some details from Akamai: https://blogs.akamai.com/2018/08/lin...erability.html & from CERT: https://www.kb.cert.org/vuls/id/962459 |
Quote:
|
Quote:
ftp://ftp.osuosl.org/pub/slackware/s.../ChangeLog.txt |
Quote:
|
Quote:
On security patches you don't really need to check the kernel changelog for a specific version because they are applied to all vulnerable branches (backported too). ;) I believe the value of my original post and this discussion is to make Slackers running -current aware that they should upgrade their kernel to the latest available on Slackware mirrors ASAP. |
bind-9.10.8-P1, 9.12.2-P1 are released with security fix.
Quote:
|
Quote:
https://www.blackhat.com/us-18/brief...-is-not-enough The video presentation (pretty bad quality): http://www.eweek.com/security/tlblee...d-at-black-hat And the research paper, stating that it was only tested on Intel CPUs and that the ARM Trust-Zone processes might be also vurnerable: https://www.vusec.net/wp-content/upl...r-preprint.pdf Quote from the Conclusion: " In this paper, we have shown that TLB activity monitoring not only offers a practical new side channel, but also that it bypasses all the state-of-the-art cache side-channel defenses. Since the operation of the TLB is a fundamental hardware property, mitigating TLBleed is challenging. " And the mitigation looks to be ATM disabling hyper-threading or running the sensitive process on an isolated core: "The simplest way to mitigate TLBleed is by disabling hyperthreads or by ensuring in the operating system that sensitive processes execute in isolation on a core" Disabling hyper-threading might have a high performance impact, up to 30% according to Wiki: https://en.wikipedia.org/wiki/Hypert...ormance_claims I couldn't find any position from Intel on the subject yet, but then, recalling how meltdown&spectre were initially handled (pre-disclosure), I guess it'll take some time: https://www.theregister.co.uk/2018/0...e_cert_timing/ |
All times are GMT -5. The time now is 12:57 AM. |