Bug 46029 - linux: Multiple security issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.2
Hardware: Other Linux
Importance: P2 normal
Target Milestone: UCS 4.2-3-errata
Assigned To: Philipp Hahn
QA Contact: Arvid Requate
URL: https://security.googleblog.com/2018/...
Depends on:
Blocks: 46188
Reported: 2018-01-15 10:49 CET by Philipp Hahn
Modified: 2018-02-26 09:47 CET
CC: 8 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018010521000309
Bug group (optional): Security
Max CVSS v3 score: 8.2 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)


Description Philipp Hahn univentionstaff 2018-01-15 10:49:54 CET
* cpu: speculative execution bounds-check bypass (CVE-2017-5753)
* cpu: speculative execution branch target injection (CVE-2017-5715)

Will probably require this:
- linux kernel update
- µcode update for Intel and AMD
- gcc update
- qemu update
- libvirt update

After that backport for UCS-4.1

+++ This bug was initially created as a clone of Bug #45981 +++
Comment 1 Philipp Hahn univentionstaff 2018-01-17 18:08:44 CET
r17967 | Bug #46029: linux-4.9.77

Package: linux
Version: 4.9.30-2A~4.2.0.201801171800
Branch: ucs_4.2-0
Scope: errata4.2-3
Comment 2 Philipp Hahn univentionstaff 2018-01-18 18:51:32 CET
df63acc77c Bug #46029: Update to linux-4.9.77-ucs108

Package: univention-kernel-image-signed
Version: 3.0.2-12A~4.2.0.201801181650
Version: 3.0.2-13A~4.2.0.201801181701
Branch: ucs_4.2-0
Scope: errata4.2-3

71c1a0b71f Bug #46029: Update to linux-4.9.77-ucs108

Package: univention-kernel-image
Version: 10.0.0-11A~4.2.0.201801181659
Branch: ucs_4.2-0
Scope: errata4.2-3

repo-admin -U -p intel-microcode -d sid -r 4.2 -s errata4.2-3
build-package-ng -r 4.2 -s errata4.2-3 -p intel-microcode -b ~ucs4.2

Package: intel-microcode
Version: 3.20180108.1~ucs4.2A~4.2.0.201801181821
Branch: ucs_4.2-0
Scope: errata4.2-3

99f486c00c Bug #46029: linux -4.9.77 + intel-microcode
 doc/errata/staging/intel-microcode.yaml                | 15 +++++++++++++++
 doc/errata/staging/linux.yaml                          | 16 ++++++++++++++++
 doc/errata/staging/univention-kernel-image-signed.yaml | 16 ++++++++++++++++
 doc/errata/staging/univention-kernel-image.yaml        | 16 ++++++++++++++++

TODO: Compile again with patched gcc
Comment 3 Philipp Hahn univentionstaff 2018-01-25 16:22:30 CET
r17973 | Bug #46029: linux-4.9.78

Package: linux
Version: 4.9.30-2A~4.2.0.201801250930
Branch: ucs_4.2-0-errata4.2-3
Scope: errata4.2-3

7944b7a084 Bug #46029: Update to linux-4.9.78-ucs108

Package: univention-kernel-image-signed
Version: 3.0.2-14A~4.2.0.201801251601
Branch: ucs_4.2-0
Scope: errata4.2-3

WIP: r17985 | Bug #46029: gcc-4.9 cpu: speculative execution branch target injection (CVE-2017-5715) [Spectre 2]
SKIP: intel-microcode - Intel recalled that update, waiting for new one
TODO: qemu, libvirt

d42541e27e Bug #46029: linux-4.9.78
Comment 4 Philipp Hahn univentionstaff 2018-01-25 16:34:19 CET
OK: amd64 @ KVM + OVMF (UEFI-SB)
OK: amd64 @ KVM + SeaBIOS
OK: amd64 @ xen1

OK: vimdiff <(./linux-dmesg-norm 4.9.0-ucs107-amd64) <(./linux-dmesg-norm 4.9.0-ucs108-amd64)
OK: /sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline
Comment 5 Philipp Hahn univentionstaff 2018-01-28 13:04:28 CET
Bug #18000: Bug #46029: gcc-4.9
 rename patch :-(

Package: gcc-4.9
Version: 4.9.2-10A~4.2.0.201801281259
Branch: ucs_4.2-0
Scope: errata4.2-3

ETA: 13h for i386 + 13h for amd64
TODO: After that rebuild Linux kernel again.
Comment 6 Philipp Hahn univentionstaff 2018-01-29 10:22:28 CET
Package: linux
Version: 4.9.30-2A~4.2.0.201801290155
Branch: ucs_4.2-0
Scope: errata4.2-3

6f1cbc9a80 Bug #46029 kernel: Rebuild with new gcc-4.9 for retpoline

Package: univention-kernel-image-signed
Version: 3.0.2-15A~4.2.0.201801290947
Branch: ucs_4.2-0
Scope: errata4.2-3

abec58879c Bug #46029: gcc-4.9

QA:
OK: /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
OK: amd64 @ kvm with SeaBIOS
OK: amd64 @ kvm with OVMF-SecureBoot
OK: amd64 @ xen1
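The QA lines in comments 4 and 6 show the check that matters for this update: before the gcc-4.9 rebuild the kernel reports `spectre_v2: Vulnerable: Minimal generic ASM retpoline` (only the hand-written assembly retpolines are in place, compiler-generated indirect branches are not converted), after it `Mitigation: Full generic retpoline`. The following script is an added example, not code from this bug report or from UCS. It classifies every entry under `/sys/devices/system/cpu/vulnerabilities/` the way the kernel's own prefix convention defines it ("Mitigation:" active, "Vulnerable" not, "Not affected" exempt) and exercises the logic on two constructed fixture directories that reproduce the comment 4 and comment 6 states; the `meltdown` and `spectre_v1` fixture strings are assumed typical 4.9.x values and are not quoted from this bug.

```shell
#!/bin/sh
# Added example (not part of Bug 46029 or of UCS): classify the Spectre/
# Meltdown status a kernel reports through
# /sys/devices/system/cpu/vulnerabilities/*, i.e. the files read by the
# "grep . /sys/devices/system/cpu/vulnerabilities/*" QA step.

# classify_status STRING
# Prints one of: not-affected, mitigated, vulnerable, unknown.
# Kernel convention: "Mitigation:" = mitigation active; "Vulnerable"
# (optionally followed by an explanation such as
# "Minimal generic ASM retpoline") = not mitigated.
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_sysfs_dir DIR
# Treats every regular file in DIR as one vulnerability entry, prints one
# line per entry and returns 1 if any entry is still vulnerable, else 0.
check_sysfs_dir() {
    _dir="$1"
    _rc=0
    for _f in "$_dir"/*; do
        [ -f "$_f" ] || continue
        _raw=$(cat "$_f")
        _cls=$(classify_status "$_raw")
        printf '%-12s %-12s %s\n' "$(basename "$_f")" "$_cls" "$_raw"
        if [ "$_cls" = vulnerable ]; then _rc=1; fi
    done
    return $_rc
}

# make_fixture DIR before|after
# Writes a constructed sysfs-like directory. The spectre_v2 strings are
# the ones quoted in comments 4 and 6; meltdown and spectre_v1 are
# assumed typical 4.9.x values, not taken from the bug.
make_fixture() {
    _d="$1"
    mkdir -p "$_d"
    echo "Mitigation: PTI" > "$_d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$_d/spectre_v1"
    if [ "$2" = before ]; then
        echo "Vulnerable: Minimal generic ASM retpoline" > "$_d/spectre_v2"
    else
        echo "Mitigation: Full generic retpoline" > "$_d/spectre_v2"
    fi
}

# Stand-alone run: walk both constructed states, then the live sysfs
# directory if this kernel exposes it.
_demo=$(mktemp -d)
for _state in before after; do
    make_fixture "$_demo" "$_state"
    echo "== constructed state: $_state gcc rebuild =="
    if check_sysfs_dir "$_demo"; then
        echo "result: every entry mitigated or not affected"
    else
        echo "result: at least one entry still vulnerable"
    fi
done
rm -rf "$_demo"
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    echo "== this host =="
    check_sysfs_dir /sys/devices/system/cpu/vulnerabilities || true
fi
```

The exit status of `check_sysfs_dir` is what a post-update check in a fleet should key on: a kernel that carries the 4.9.77 patches but was compiled with an unpatched gcc passes the version check yet still reports "Vulnerable" here, which is exactly the gap the gcc-4.9 rebuild in comment 6 closes.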
Comment 7 Philipp Hahn univentionstaff 2018-01-29 15:11:09 CET
c847674176 Bug #46029: linux-4.9.78 YAML
Comment 8 Arvid Requate univentionstaff 2018-01-29 15:21:53 CET
Verified:

* Package update: Ok
* GenuineIntel dmesg:
  > Spectre V2 mitigation: Mitigation: Full generic retpoline
* AuthenticAMD dmesg: 
  > Spectre V2 mitigation: Mitigation: Full AMD retpoline
  > Spectre V2 mitigation: Filling RSB on context switch
* Secureboot: Ok
* Advisories: Ok
Comment 10 Philipp Hahn univentionstaff 2018-02-25 21:02:28 CET
r18025 | Bug #46209: linux-4.9.84

Package: linux
Version: 4.9.30-2A~4.2.0.201802251630
Branch: ucs_4.2-0
Scope: errata4.2-3
Comment 11 Philipp Hahn univentionstaff 2018-02-26 09:08:20 CET
c0a60a76b0 Bug #46029: Update to linux-4.9.84-ucs109

Package: univention-kernel-image-signed
Version: 3.0.2-19A~4.2.0.201802260839
Branch: ucs_4.2-0
Scope: errata4.2-3

f06a6b5c96 Bug #46029: Update to linux-4.9.84-ucs109 YAML
 doc/errata/staging/linux.yaml                          | 4 ++--
 doc/errata/staging/univention-kernel-image-signed.yaml | 4 ++--
 doc/errata/staging/univention-kernel-image.yaml        | 2 +-

OK: amd64 @ xen1
OK: amd64 @ kvm+SeaBIOS
OK: amd64 @ kvm+OVMF+Secure-Boot
OK: dmesg
OK: grep . /sys/devices/system/cpu/vulnerabilities/*
Comment 12 Philipp Hahn univentionstaff 2018-02-26 09:47:34 CET
(In reply to Philipp Hahn from comment #10)
> r18025 | Bug #46209: linux-4.9.84

Wrong bug, correct is Bug #46209