If you haven't had enough from the previous Intel CPU bugs, you might want to consider the following 3 fresh ones:
https://www.theregister.co.uk/2018/0...al_fault_bugs/ https://www.intel.com/content/www/us...-sa-00161.html " Recommendations: Intel has worked with operating system vendors, equipment manufacturers, and other ecosystem partners to develop platform firmware and software updates that can help protect systems from these methods. " CVEs: https://cve.mitre.org/cgi-bin/cvenam...=CVE-2018-3615 https://cve.mitre.org/cgi-bin/cvenam...=CVE-2018-3620 https://cve.mitre.org/cgi-bin/cvenam...=CVE-2018-3646 |
I removed twice some details I provided originally in the previous post just because there was work in progress in understanding and mitigating the issues reported there. I considered keeping the post factual and informative.
Lately RedHat published some details about these vulnerabilities (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646) and are stating, without mentioning the exact CVE (sloppy work), that only CVE-2018-3615 - the one related solely to the Intel SGX - needs a microcode update: https://access.redhat.com/security/vulnerabilities/L1TF "There are three pieces to this vulnerability. The first affects only Intel “SGX” secure enclaves and is mitigated through microcode updates independently of the operating system. " and: "CVE-2018-3620 is the CVE identifier assigned to the operating system vulnerability for this issue. CVE-2018-3646 is the CVE identifier assigned to the virtualization aspect of the flaw. This issue is referred to as L1 Terminal Fault (L1TF) by the larger industry and as “Foreshadow” by the security researcher." Which reads that only CVE-2018-3620 needs to be mitigated by the kernel ATM, CVE-2018-3646 being only the "virtualization aspect of the flaw". |
There is lots of information about L1 Terminal Fault available in the kernel sources: linux-4.18.1/Documentation/admin-guide/l1tf.rst or https://github.com/torvalds/linux/bl...guide/l1tf.rst
|
Quote:
https://www.intel.com/content/www/us...-sa-00161.html As for AMD and ARM, I'd keep an open mind: https://foreshadowattack.eu/ " What about other processors (AMD/ARM)? The original Foreshadow attack affects most SGX-enabled Intel processors. As SGX is currently present only in Intel CPUs, we are unaware of Foreshadow affecting other CPU vendors. To the best of our understanding, Foreshadow-NG only affects Intel processors. However, we are still working to better understand the implications of Foreshadow-NG and this answer might change as the situation develops. " Regarding the microcode updates for the mitigation of CVE-2018-3615 and maybe other, older, Intel SGX related issues, Intel published some info and benchmarks. Again, without being specific, they mention the microcode updates released earlier this year as sufficient for the mitigation. https://www.intel.com/content/www/us...logy/l1tf.html "The microcode updates released earlier this year when coupled with operating system and hypervisor software available from our industry partners, ensure consumers, IT professionals and cloud service providers have access to the protections they need. Intel recommends people keep their systems up to date to protect against the evolving threat landscape." |
Looks like serious problems with Ghostscript have been found, although no patches as yet (some mitigations here).
|
According to https://www.kb.cert.org/vuls/id/332928 , the patches are available now.
As I tried to apply, we also need the following patch: http://git.ghostscript.com/?p=ghostp...iff;h=0b6cd191 And we have to apply the patches in the following order: http://git.ghostscript.com/?p=ghostp...ain;h=b326a716 http://git.ghostscript.com/?p=ghostp...ain;h=c3476dde http://git.ghostscript.com/?p=ghostp...ain;h=0d390118 http://git.ghostscript.com/?p=ghostp...ain;h=a054156d http://git.ghostscript.com/?p=ghostp...ain;h=0edd3d6c http://git.ghostscript.com/?p=ghostp...ain;h=78911a01 http://git.ghostscript.com/?p=ghostp...ain;h=b575e1ec http://git.ghostscript.com/?p=ghostp...ain;h=0b6cd191 http://git.ghostscript.com/?p=ghostp...ain;h=c432131c http://git.ghostscript.com/?p=ghostp...ain;h=241d9111 http://git.ghostscript.com/?p=ghostp...ain;h=8e9ce501 http://git.ghostscript.com/?p=ghostp...ain;h=5516c614 http://git.ghostscript.com/?p=ghostp...ain;h=e01e77a3 |
Quote:
https://cdn.kernel.org/pub/linux/ker...ngeLog-4.4.153 https://github.com/torvalds/linux/co...2d2b416c87e011 The doc at kernel.org about the L1TF / Foreshadow mitigation an the related kernel boot parameters: https://www.kernel.org/doc/html/late...lt-mitigations Plus, some interesting benchmarks related to the L1TF fixes (and not only): https://www.phoronix.com/scan.php?pa...rly-look&num=1 https://www.phoronix.com/scan.php?pa...dow-xeon&num=1 https://www.phoronix.com/scan.php?pa...igations&num=1 https://www.phoronix.com/scan.php?pa...icrocode&num=3 |
Not sure what I'm not missing.
From Tue Aug 28 22:05:19 UTC 2018 Stable ChangeLog for x86_64
"To see the status of CPU vulnerability mitigations on your system, look at the files in: /sys/devices/system/cpu/vulnerabilities" I did and found these files: l1tf, meltdown, spec_store_bypass, spectre_v1, spectre_v2 spec_store_bypass says "Vulnerable" magicm in this post ran spectre-meltdown-checker.sh, so I did and found Checking for vulnerabilities on current system Kernel is Linux 4.4.153 #1 SMP Tue Aug 28 16:08:22 CDT 2018 x86_64 CPU is Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz CVE-2018-3640 [rogue system register read] aka 'Variant 3a' * CPU microcode mitigates the vulnerability: NO > STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability) CVE-2018-3639 [speculative store bypass] aka 'Variant 4' * Mitigated according to the /sys interface: NO (Vulnerable) * Kernel supports speculation store bypass: YES (found in /proc/self/status) > STATUS: VULNERABLE (Your CPU doesn't support SSBD) I did SBo intel-microcode SlackBuild as magicm did but CVE-2018-3640 says same thing. I see /lib/firmware/intel-ucode/, "intel-microcode (20180807)" SBo didn't address my cpu? EDIT: SBo says "INITRD /boot/intel-ucode.cpio,/boot/initrd-generic.gz" is that when doing mkinitrd? Looks like some CVE are handled by distribution as did slackware for l1tf and some CVE by end-user. I don't know much about handling CVE, I'm trying to learn and understand now. |
It looks like you don't have the latest microcode for your CPU, thus no microcode mitigations for CVE-2018-3639, CVE-2018-3640 and maybe also none for the CVEs related to L1TF / Foreshadow.
Your older Ivy Bridge CPU is Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz should have the latest microcode 0x20, that's according to the latest Intel Microcode Revision Guidance - August 8 2018 - Page 10: https://www.intel.com/content/dam/ww...e-guidance.pdf Check what the Intel microcode updater is reporting in dmesg and let's move to this more appropriate thread: https://www.linuxquestions.org/quest...4/#post5888824 |
Thanks abga, unfortunately I'm a little busy right now, will get to other thread when I have time.
|
I'm all set, followed what zakame did in this post.
|
Quote:
https://www.blackhat.com/us-18/brief...x86-cpus-10194 https://www.youtube.com/watch?v=_eSAF_qT_FY |
There will always be security exploiter creators, how else do virus companies stay in business?
|
curl-7.61.1 is released with security fix.
https://curl.haxx.se/download/curl-7.61.1.tar.xz https://curl.haxx.se/download/curl-7.61.1.tar.xz.asc Quote:
|
Ghostscript 9.24 breaks printing on Slackware 14.2
Quote:
Is this a problem with the installation process or does it mean a rebuild of Waterfox and wait for AlienBob to rebuild Chromium? The interesting thing is that Konqueror had no problem with printing with the Ghostscript 9.24 in place. System setting. Slackware 64 14.2 multilib and 4.14.67 kernel with HP Laserjet 3380 and HPLIP-3.16.5 version. Ghostscript 9.24 generates error from localhost:631 for print jobs is "Filter Failed". Suggestions appreciated. Cheers, BrianA_MN 9-9-18 Upgraded to patched 9.24 from official patches and everything is back to working. Thanks PV. |
All times are GMT -5. The time now is 08:11 AM. |