Debian Security Advisory
November 03, 2014 12:54AM
Update your wget package.

http://permalink.gmane.org/gmane.linux.debian.user.security.announce/3224

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)



Edited 1 time(s). Last edit at 11/03/2014 12:54AM by bodhi.
Re: Debian Security Advisory
April 28, 2015 12:45AM
FYI,

CVE-2014-9715

Quote

    It was found that the netfilter connection tracking subsystem used
    too small a type as an offset within each connection's data
    structure, following a bug fix in Linux 3.2.33 and 3.6.  In some
    configurations, this would lead to memory corruption and crashes
    (even without malicious traffic).  This could potentially also
    result in violation of the netfilter policy or remote code
    execution.

    This can be mitigated by disabling connection tracking accounting:
        sysctl net.netfilter.nf_conntrack_acct=0

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Debian Security Advisory
January 20, 2016 10:42AM
Update your OpenSSH.

https://lists.debian.org/debian-security-announce/2016/msg00015.html

Quote

The Qualys Security team discovered two vulnerabilities in the roaming
code of the OpenSSH client (an implementation of the SSH protocol
suite).

SSH roaming enables a client, in case an SSH connection breaks
unexpectedly, to resume it at a later time, provided the server also
supports it.

The OpenSSH server doesn't support roaming, but the OpenSSH client
supports it (even though it's not documented) and it's enabled by
default.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Debian Security Advisory
January 20, 2016 12:00PM
@bodhi
Thanks - update script running
Re: Debian Security Advisory
March 02, 2016 11:12PM
Re: Debian Security Advisory
April 18, 2016 01:23PM
Quote

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3550-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 15, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openssh
CVE ID : CVE-2015-8325

Shayan Sadigh discovered a vulnerability in OpenSSH: If PAM support is
enabled and the sshd PAM configuration is configured to read user-
specified environment variables and the "UseLogin" option is enabled, a
local user may escalate her privileges to root.

In Debian "UseLogin" is not enabled by default.

For the oldstable distribution (wheezy), this problem has been fixed
in version 6.0p1-4+deb7u4.

For the stable distribution (jessie), this problem has been fixed in
version 6.7p1-5+deb8u2.

For the unstable distribution (sid), this problem has been fixed in
version 1:7.2p2-3.

We recommend that you upgrade your openssh packages.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Debian Security Advisory
April 26, 2016 03:39AM
Thanks for this topic @bodhi

I think you'd better PIN this one on top if you're willing to keep us updated each time something major comes up ;)
Re: Debian Security Advisory
April 26, 2016 07:05PM
JohnnyUSA Wrote:
-------------------------------------------------------
> Thanks for this topic @bodhi
>
> I think you'd better PIN this one on top if you're
> willing to keep us updated each time something
> major comes up ;)

I subscribed to the mailing list. But I don't want to be blamed for missing announcements that are important to only to some :) hence it is not sticky thread.

Anybody who feels certain security news is important to the way we use these boxes, please feel free to post in this thread.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Debian Security Advisory
May 04, 2016 12:35AM
Quote

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3566-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
May 03, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openssl
CVE ID : CVE-2016-2105 CVE-2016-2106 CVE-2016-2107 CVE-2016-2108
CVE-2016-2109 CVE-2016-2176

Several vulnerabilities were discovered in OpenSSL, a Secure Socket Layer
toolkit.

CVE-2016-2105

Guido Vranken discovered that an overflow can occur in the function
EVP_EncodeUpdate(), used for Base64 encoding, if an attacker can
supply a large amount of data. This could lead to a heap corruption.

CVE-2016-2106

Guido Vranken discovered that an overflow can occur in the function
EVP_EncryptUpdate() if an attacker can supply a large amount of data.
This could lead to a heap corruption.

CVE-2016-2107

Juraj Somorovsky discovered a padding oracle in the AES CBC cipher
implementation based on the AES-NI instruction set. This could allow
an attacker to decrypt TLS traffic encrypted with one of the cipher
suites based on AES CBC.

CVE-2016-2108

David Benjamin from Google discovered that two separate bugs in the
ASN.1 encoder, related to handling of negative zero integer values
and large universal tags, could lead to an out-of-bounds write.

CVE-2016-2109

Brian Carpenter discovered that when ASN.1 data is read from a BIO
using functions such as d2i_CMS_bio(), a short invalid encoding can
casuse allocation of large amounts of memory potentially consuming
excessive resources or exhausting memory.

CVE-2016-2176

Guido Vranken discovered that ASN.1 Strings that are over 1024 bytes
can cause an overread in applications using the X509_NAME_oneline()
function on EBCDIC systems. This could result in arbitrary stack data
being returned in the buffer.

Additional information about these issues can be found in the OpenSSL
security advisory at https://www.openssl.org/news/secadv/20160503.txt

For the stable distribution (jessie), these problems have been fixed in
version 1.0.1k-3+deb8u5.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.2h-1.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Debian Security Advisory
May 15, 2016 10:59PM
Re: Debian Security Advisory
August 07, 2016 06:36PM
Quote

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3626-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 24, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openssh
CVE ID : CVE-2016-6210
Debian Bug : 831902

Eddie Harari reported that the OpenSSH SSH daemon allows user
enumeration through timing differences when trying to authenticate
users. When sshd tries to authenticate a non-existing user, it will pick
up a fixed fake password structure with a hash based on the Blowfish
algorithm. If real users passwords are hashed using SHA256/SHA512, then
a remote attacker can take advantage of this flaw by sending large
passwords, receiving shorter response times from the server for
non-existing users.

For the stable distribution (jessie), this problem has been fixed in
version 1:6.7p1-5+deb8u3.

For the unstable distribution (sid), this problem has been fixed in
version 1:7.2p2-6.

We recommend that you upgrade your openssh packages.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Debian Security Advisory
August 17, 2016 05:55PM
Here is the topic in the news:

http://forum.doozan.com/read.php?8,29543,29543#msg-29543

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)



Edited 1 time(s). Last edit at 08/17/2016 05:55PM by bodhi.
Re: Debian Security Advisory
September 24, 2016 04:56AM
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3673-2 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 23, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openssl
Debian Bug : 838652 838659

It was discovered that the original patch applied for CVE-2016-2182 in
DSA-3673-1 was incomplete, causing a regression when parsing
certificates. Updated packages are now available to address this
problem.

For the stable distribution (jessie), this problem has been fixed in
version 1.0.1t-1+deb8u5.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3673-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 22, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openssl
CVE ID : CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2180
CVE-2016-2181 CVE-2016-2182 CVE-2016-2183 CVE-2016-6302
CVE-2016-6303 CVE-2016-6304 CVE-2016-6306

Several vulnerabilities were discovered in OpenSSL:

CVE-2016-2177

Guido Vranken discovered that OpenSSL uses undefined pointer
arithmetic. Additional information can be found at
https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/

CVE-2016-2178

Cesar Pereida, Billy Brumley and Yuval Yarom discovered a timing
leak in the DSA code.

CVE-2016-2179 / CVE-2016-2181

Quan Luo and the OCAP audit team discovered denial of service
vulnerabilities in DTLS.

CVE-2016-2180 / CVE-2016-2182 / CVE-2016-6303

Shi Lei discovered an out-of-bounds memory read in
TS_OBJ_print_bio() and an out-of-bounds write in BN_bn2dec()
and MDC2_Update().

CVE-2016-2183

DES-based cipher suites are demoted from the HIGH group to MEDIUM
as a mitigation for the SWEET32 attack.

CVE-2016-6302

Shi Lei discovered that the use of SHA512 in TLS session tickets
is susceptible to denial of service.

CVE-2016-6304

Shi Lei discovered that excessively large OCSP status request may
result in denial of service via memory exhaustion.

CVE-2016-6306

Shi Lei discovered that missing message length validation when parsing
certificates may potentially result in denial of service.

For the stable distribution (jessie), these problems have been fixed in
version 1.0.1t-1+deb8u4.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Debian Security Advisory
October 25, 2016 10:13PM
Re: Debian Security Advisory
November 02, 2016 02:18AM
Re: Debian Security Advisory
May 30, 2017 12:03AM
Samba

Quote

Debian Security Advisory DSA-3860-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 24, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : samba
CVE ID : CVE-2017-7494

steelo discovered a remote code execution vulnerability in Samba, a
SMB/CIFS file, print, and login server for Unix. A malicious client with
access to a writable share, can take advantage of this flaw by uploading
a shared library and then cause the server to load and execute it.

For the stable distribution (jessie), this problem has been fixed in
version 2:4.2.14+dfsg-0+deb8u6.

We recommend that you upgrade your samba packages.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Debian Security Advisory
October 17, 2017 01:10AM
Very important for those who use Wifi on any computers, including these plugs. Update your Debian wpa package, now. Or just do apt-get upgrade to pick up the latest wpa related packages.


Quote

-----------------------------------------------------------------
Debian Security Advisory DSA-3999-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
October 16, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wpa
CVE ID : CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080
CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087
CVE-2017-13088

Mathy Vanhoef of the imec-DistriNet research group of KU Leuven discovered
multiple vulnerabilities in the WPA protocol, used for authentication in
wireless networks. Those vulnerabilities applies to both the access point
(implemented in hostapd) and the station (implemented in wpa_supplicant).

An attacker exploiting the vulnerabilities could force the vulnerable system to
reuse cryptographic session keys, enabling a range of cryptographic attacks
against the ciphers used in WPA1 and WPA2.

More information can be found in the researchers's paper, Key Reinstallation
Attacks: Forcing Nonce Reuse in WPA2.

CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake
CVE-2017-13078: reinstallation of the group key in the Four-way handshake
CVE-2017-13079: reinstallation of the integrity group key in the Four-way
handshake
CVE-2017-13080: reinstallation of the group key in the Group Key handshake
CVE-2017-13081: reinstallation of the integrity group key in the Group Key
handshake
CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation
Request and reinstalling the pairwise key while processing it
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey
(TPK) key in the TDLS handshake
CVE-2017-13087: reinstallation of the group key (GTK) when processing a
Wireless Network Management (WNM) Sleep Mode Response frame
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when
processing a Wireless Network Management (WNM) Sleep Mode
Response frame

For the oldstable distribution (jessie), these problems have been fixed
in version 2.3-1+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 2:2.4-1+deb9u1.

For the testing distribution (buster), these problems have been fixed
in version 2:2.4-1.1.

For the unstable distribution (sid), these problems have been fixed in
version 2:2.4-1.1.

We recommend that you upgrade your wpa packages.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)



Edited 1 time(s). Last edit at 10/17/2017 01:16AM by bodhi.
Re: Debian Security Advisory
October 17, 2017 02:22AM
bodhi Wrote:
-------------------------------------------------------
> Very important for those who use
> Wifi on any computers, including these plugs.
> Update your Debian wpa package, now. Or just do
> apt-get upgrade to pick up the latest wpa related
> packages.

>
>
>
Quote

-----------------------------------------------------------------
> Debian Security Advisory DSA-3999-1
> security@debian.org
> https://www.debian.org/security/
> Yves-Alexis Perez
> October 16, 2017
> https://www.debian.org/security/faq
> -
> -------------------------------------------------------------------------
>
> Package : wpa
> CVE ID : CVE-2017-13077 CVE-2017-13078
> CVE-2017-13079 CVE-2017-13080
> CVE-2017-13081 CVE-2017-13082
> CVE-2017-13086 CVE-2017-13087
> CVE-2017-13088
>
> Mathy Vanhoef of the imec-DistriNet research group
> of KU Leuven discovered
> multiple vulnerabilities in the WPA protocol, used
> for authentication in
> wireless networks. Those vulnerabilities applies
> to both the access point
> (implemented in hostapd) and the station
> (implemented in wpa_supplicant).
>
> An attacker exploiting the vulnerabilities could
> force the vulnerable system to
> reuse cryptographic session keys, enabling a range
> of cryptographic attacks
> against the ciphers used in WPA1 and WPA2.
>
> More information can be found in the researchers's
> paper, Key Reinstallation
> Attacks: Forcing Nonce Reuse in WPA2.
>
> CVE-2017-13077: reinstallation of the pairwise key
> in the Four-way handshake
> CVE-2017-13078: reinstallation of the group key in
> the Four-way handshake
> CVE-2017-13079: reinstallation of the integrity
> group key in the Four-way
> handshake
> CVE-2017-13080: reinstallation of the group key in
> the Group Key handshake
> CVE-2017-13081: reinstallation of the integrity
> group key in the Group Key
> handshake
> CVE-2017-13082: accepting a retransmitted Fast BSS
> Transition Reassociation
> Request and reinstalling the
> pairwise key while processing it
> CVE-2017-13086: reinstallation of the Tunneled
> Direct-Link Setup (TDLS) PeerKey
> (TPK) key in the TDLS handshake
> CVE-2017-13087: reinstallation of the group key
> (GTK) when processing a
> Wireless Network Management (WNM)
> Sleep Mode Response frame
> CVE-2017-13088: reinstallation of the integrity
> group key (IGTK) when
> processing a Wireless Network
> Management (WNM) Sleep Mode
> Response frame
>
> For the oldstable distribution (jessie), these
> problems have been fixed
> in version 2.3-1+deb8u5.
>
> For the stable distribution (stretch), these
> problems have been fixed in
> version 2:2.4-1+deb9u1.
>
> For the testing distribution (buster), these
> problems have been fixed
> in version 2:2.4-1.1.
>
> For the unstable distribution (sid), these
> problems have been fixed in
> version 2:2.4-1.1.
>
> We recommend that you upgrade your wpa
> packages.


interesting read. https://www.krackattacks.com may want to disable wifi on android devices also since probability of patch is very unlikely to be rolled out by OEM's/carriers.
Re: Debian Security Advisory
October 17, 2017 03:35AM
> interesting read.
> https://www.krackattacks.com
> may want to disable wifi on android devices also
> since probability of patch is very unlikely to be
> rolled out by OEM's/carriers.

That's the importance in tracking the mainline distro like we try to keep up with Debian. The OEM Android devices, same as OpenWrt/LEDE distro to certain extent, is far behind in security patches.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Debian Security Advisory
October 17, 2017 04:43AM
bodhi Wrote:
-------------------------------------------------------
The OEM
> Android devices, same as OpenWrt/LEDE distro to
> certain extent, is far behind in security patches.

LEDE has a patch... https://forum.lede-project.org/t/critical-wifi-vulnerability-found-krack/7450/2
Re: Debian Security Advisory
October 17, 2017 01:51PM
Gravelrash Wrote:
-------------------------------------------------------
> bodhi Wrote:
> -------------------------------------------------------
> The OEM
> > Android devices, same as OpenWrt/LEDE distro to
> > certain extent, is far behind in security
> patches.
>
> LEDE has a patch...
> https://forum.lede-project.org/t/critical-wifi-vulnerability-found-krack/7450/2

That's good news! seems like there has been a culture change with this distro since LEDE.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Debian Security Advisory
October 28, 2017 05:31PM
Update your wget packge.


Quote

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4008-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 28, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wget
CVE ID : CVE-2017-13089 CVE-2017-13090

Antti Levomaeki, Christian Jalio, Joonas Pihlaja and Juhani Eronen
discovered two buffer overflows in the HTTP protocol handler of the Wget
download tool, which could result in the execution of arbitrary code
when connecting to a malicious HTTP server.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.16-1+deb8u4.

For the stable distribution (stretch), these problems have been fixed in
version 1.18-5+deb9u1.

We recommend that you upgrade your wget packages.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Debian Security Advisory
November 03, 2017 09:14PM
Quote

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4018-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 04, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openssl
CVE ID : CVE-2017-3735 CVE-2017-3736

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2017-3735

It was discovered that OpenSSL is prone to a one-byte buffer
overread while parsing a malformed IPAddressFamily extension in an
X.509 certificate.

Details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20170828.txt

CVE-2017-3736

It was discovered that OpenSSL contains a carry propagation bug in
the x86_64 Montgomery squaring procedure.

Details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20171102.txt

For the oldstable distribution (jessie), CVE-2017-3735 has been fixed in
version 1.0.1t-1+deb8u7. The oldstable distribution is not affected by
CVE-2017-3736.

For the stable distribution (stretch), these problems have been fixed in
version 1.1.0f-3+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.1.0g-1.

We recommend that you upgrade your openssl packages

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Debian Security Advisory
January 04, 2018 11:26PM
Regarding Meltdown and Spectre processor bugs on Intel processor: https://lwn.net/Articles/742999/

Debian Security announcement:

Quote

[SECURITY] [DSA 4078-1] linux security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 4078-1] linux security update
From: Yves-Alexis Perez <corsac@debian.org>
Date: Thu, 04 Jan 2018 23:25:28 +0100
Message-id: <[????] 5a4ea9d8.a035b.2e03da61@scapa.corsac.net>
Reply-to: debian-security-announce-request@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4078-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
January 04, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-5754

Multiple researchers have discovered a vulnerability in Intel processors,
enabling an attacker controlling an unprivileged process to read memory from
arbitrary addresses, including from the kernel and all other processes running
on the system.

This specific attack has been named Meltdown and is addressed in the Linux
kernel for the Intel x86-64 architecture by a patch set named Kernel Page Table
Isolation, enforcing a near complete separation of the kernel and userspace
address maps and preventing the attack. This solution might have a performance
impact, and can be disabled at boot time by passing `pti=off' to the kernel
command line.

We also identified a regression for ancient userspaces using the vsyscall
interface, for example chroot and containers using (e)glibc 2.13 and older,
including those based on Debian 7 or RHEL/CentOS 6. This regression will be
fixed in a later update.

The other vulnerabilities (named Spectre) published at the same time are not
addressed in this update and will be fixed in a later update.


These processor bug fixes will bring some kernel changes for ARM too.

I will release a new kernel in about 2 week from now (or whenever needed after).

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)



Edited 1 time(s). Last edit at 01/04/2018 11:41PM by bodhi.
Re: Debian Security Advisory
January 05, 2018 01:50AM
bodhi Wrote:
-------------------------------------------------------
> Regarding Meltdown and Spectre processor bugs on
> Intel processor: https://lwn.net/Articles/742999/
>
> Debian Security announcement:
>
>
Quote

[SECURITY] [DSA 4078-1] linux security
> update
>
> To: debian-security-announce@lists.debian.org
> Subject: [SECURITY] [DSA 4078-1] linux security
> update
> From: Yves-Alexis Perez <corsac@debian.org>
> Date: Thu, 04 Jan 2018 23:25:28 +0100
> Message-id: <[????]
> 5a4ea9d8.a035b.2e03da61@scapa.corsac.net>
> Reply-to:
> debian-security-announce-request@lists.debian.org
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> -
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-4078-1
> security@debian.org
> https://www.debian.org/security/
> Yves-Alexis Perez
> January 04, 2018
> https://www.debian.org/security/faq
> -
> -------------------------------------------------------------------------
>
> Package : linux
> CVE ID : CVE-2017-5754
>
> Multiple researchers have discovered a
> vulnerability in Intel processors,
> enabling an attacker controlling an unprivileged
> process to read memory from
> arbitrary addresses, including from the kernel and
> all other processes running
> on the system.
>
> This specific attack has been named Meltdown and
> is addressed in the Linux
> kernel for the Intel x86-64 architecture by a
> patch set named Kernel Page Table
> Isolation, enforcing a near complete separation of
> the kernel and userspace
> address maps and preventing the attack. This
> solution might have a performance
> impact, and can be disabled at boot time by
> passing `pti=off' to the kernel
> command line.
>
> We also identified a regression for ancient
> userspaces using the vsyscall
> interface, for example chroot and containers using
> (e)glibc 2.13 and older,
> including those based on Debian 7 or RHEL/CentOS
> 6. This regression will be
> fixed in a later update.
>
> The other vulnerabilities (named Spectre)
> published at the same time are not
> addressed in this update and will be fixed in a
> later update.
>
>
> These processor bug fixes will bring some kernel
> changes for ARM too.
>
> I will release a new kernel in about 2 week from
> now (or whenever needed after).

Here is what I have found on arm chips so far.

https://developer.arm.com/support/security-update

Edit to add:

I don't see anything in the pipe for arm older than cortex.

https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/

https://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc.git/

Perhaps speculation wasn't even a glint in arms eye back then ;)



Edited 2 time(s). Last edit at 01/05/2018 03:49AM by feas.
Re: Debian Security Advisory
January 05, 2018 02:46AM
Thanks feas!

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Debian Security Advisory
January 07, 2018 01:47AM
From all the information I've been reading it appears that what is being called Meltdown only affects Intel and a few as yet rare ARM 64 chips. The Spectre issue is more widespread but shouldn't affect any of the ARM5 chips, so Kirkwood won't be affected.

Ray
Re: Debian Security Advisory
January 07, 2018 01:56AM
rayknight Wrote:
-------------------------------------------------------
> From all the information I've been reading it
> appears that what is being called Meltdown only
> affects Intel and a few as yet rare ARM 64 chips.
> The Spectre issue is more widespread but shouldn't
> affect any of the ARM5 chips, so Kirkwood won't be
> affected.
>
> Ray

Yes Kirkwood is too old so it is a given that it is not affected.

There are many of ARM 32 being affected. Cortex A9 (eg. our MVEBU Armada 38x) is one of those. Therefore I will have new release kenel out ASAP when I can get back to my development rig.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Debian Security Advisory
January 07, 2018 02:10AM
> Perhaps speculation wasn't even a glint in arms
> eye back then ;)

Right :)

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)
Re: Debian Security Advisory
January 09, 2018 09:45PM
FYI,

https://downloadcenter.intel.com/product/873/Processors

Not sure if we should run both this and the linux kernel updates.
Author:

Your Email:


Subject:


Spam prevention:
Please, enter the code that you see below in the input field. This is for blocking bots that try to post this form automatically. If the code is hard to read, then just try to guess it right. If you enter the wrong code, a new image is created and you get another chance to enter it right.
Message: