Univention Bugzilla – Bug 46029
linux: Multiple security issues (4.2)
Last modified: 2018-02-26 09:47:34 CET
* cpu: speculative execution bounds-check bypass (CVE-2017-5753)
* cpu: speculative execution branch target injection (CVE-2017-5715)

CVE-2017-5715 will probably require this:
- linux kernel update
- µcode update for Intel and AMD
- gcc update
- qemu update
- libvirt update

After that backport for UCS-4.1

+++ This bug was initially created as a clone of Bug #45981 +++

r17967 | Bug #46029: linux-4.9.77
Package: linux
Version: 4.9.30-2A~4.2.0.201801171800
Branch: ucs_4.2-0
Scope: errata4.2-3

df63acc77c Bug #46029: Update to linux-4.9.77-ucs108
Package: univention-kernel-image-signed
Version: 3.0.2-12A~4.2.0.201801181650
Version: 3.0.2-13A~4.2.0.201801181701
Branch: ucs_4.2-0
Scope: errata4.2-3

71c1a0b71f Bug #46029: Update to linux-4.9.77-ucs108
Package: univention-kernel-image
Version: 10.0.0-11A~4.2.0.201801181659
Branch: ucs_4.2-0
Scope: errata4.2-3

repo-admin -U -p intel-microcode -d sid -r 4.2 -s errata4.2-3
build-package-ng -r 4.2 -s errata4.2-3 -p intel-microcode -b ~ucs4.2
Package: intel-microcode
Version: 3.20180108.1~ucs4.2A~4.2.0.201801181821
Branch: ucs_4.2-0
Scope: errata4.2-3

99f486c00c Bug #46029: linux -4.9.77 + intel-microcode
 doc/errata/staging/intel-microcode.yaml                | 15 +++++++++++++++
 doc/errata/staging/linux.yaml                          | 16 ++++++++++++++++
 doc/errata/staging/univention-kernel-image-signed.yaml | 16 ++++++++++++++++
 doc/errata/staging/univention-kernel-image.yaml        | 16 ++++++++++++++++

TODO: Compile again with patched gcc

r17973 | Bug #46029: linux-4.9.78
Package: linux
Version: 4.9.30-2A~4.2.0.201801250930
Branch: ucs_4.2-0-errata4.2-3
Scope: errata4.2-3

7944b7a084 Bug #46029: Update to linux-4.9.78-ucs108
Package: univention-kernel-image-signed
Version: 3.0.2-14A~4.2.0.201801251601
Branch: ucs_4.2-0
Scope: errata4.2-3

WIP: r17985 | Bug #46029: gcc-4.9
cpu: speculative execution branch target injection (CVE-2017-5715) [Spectre 2]

SKIP: intel-microcode - Intel recalled that update, waiting for new one
TODO: qemu, libvirt

d42541e27e Bug #46029: linux-4.9.78

OK: amd64 @ KVM + OVMF (UEFI-SB)
OK: amd64 @ KVM + SeaBIOS
OK: amd64 @ xen1
OK: vimdiff <(./linux-dmesg-norm 4.9.0-ucs107-amd64) <(./linux-dmesg-norm 4.9.0-ucs108-amd64)
OK: /sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline

Bug #18000: Bug #46029: gcc-4.9 rename patch :-(
Package: gcc-4.9
Version: 4.9.2-10A~4.2.0.201801281259
Branch: ucs_4.2-0
Scope: errata4.2-3

ETA: 13h for i386 + 13h for amd64
TODO: After that rebuild Linux kernel again.

Package: linux
Version: 4.9.30-2A~4.2.0.201801290155
Branch: ucs_4.2-0
Scope: errata4.2-3

6f1cbc9a80 Bug #46029 kernel: Rebuild with new gcc-4.9 for retpoline
Package: univention-kernel-image-signed
Version: 3.0.2-15A~4.2.0.201801290947
Branch: ucs_4.2-0
Scope: errata4.2-3

abec58879c Bug #46029: gcc-4.9

QA:
OK: /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
OK: amd64 @ kvm with SeaBIOS
OK: amd64 @ kvm with OVMF-SecureBoot
OK: amd64 @ xen1

c847674176 Bug #46029: linux-4.9.78 YAML
Verified:
* Package update: Ok
* GenuineIntel dmesg:
> Spectre V2 mitigation: Mitigation: Full generic retpoline
* AuthenticAMD dmesg:
> Spectre V2 mitigation: Mitigation: Full AMD retpoline
> Spectre V2 mitigation: Filling RSB on context switch
* Secureboot: Ok
* Advisories: Ok

<http://errata.software-univention.de/ucs/4.2/267.html>
<http://errata.software-univention.de/ucs/4.2/268.html>
<http://errata.software-univention.de/ucs/4.2/269.html>
<http://errata.software-univention.de/ucs/4.2/270.html>

r18025 | Bug #46209: linux-4.9.84
Package: linux
Version: 4.9.30-2A~4.2.0.201802251630
Branch: ucs_4.2-0
Scope: errata4.2-3

c0a60a76b0 Bug #46029: Update to linux-4.9.84-ucs109
Package: univention-kernel-image-signed
Version: 3.0.2-19A~4.2.0.201802260839
Branch: ucs_4.2-0
Scope: errata4.2-3

f06a6b5c96 Bug #46029: Update to linux-4.9.84-ucs109 YAML
 doc/errata/staging/linux.yaml                          | 4 ++--
 doc/errata/staging/univention-kernel-image-signed.yaml | 4 ++--
 doc/errata/staging/univention-kernel-image.yaml        | 2 +-

OK: amd64 @ xen1
OK: amd64 @ kvm+SeaBIOS
OK: amd64 @ kvm+OVMF+Secure-Boot
OK: dmesg
OK: grep . /sys/devices/system/cpu/vulnerabilities/*

(In reply to Philipp Hahn from comment #10)
> r18025 | Bug #46209: linux-4.9.84

Wrong bug, correct is Bug #46209
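
The QA comments in this report verify the fix by reading /sys/devices/system/cpu/vulnerabilities/spectre_v2, which changed from "Vulnerable: Minimal generic ASM retpoline" to "Mitigation: Full generic retpoline" after the kernel was rebuilt with the patched gcc-4.9. The script below is an added example, not part of the bug report or of Univention's tooling; it automates that check, and the function names, the "partial" label and the sample directory are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Univention tooling): classify the status strings that
# grep . /sys/devices/system/cpu/vulnerabilities/* prints.

# classify_status STATUS -> ok | partial | vulnerable | unknown
# "partial" is this example's own label for the pre-rebuild state in this bug.
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable: Minimal"*)         echo partial ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# audit_dir DIR -> one line per file; returns 0 if all ok, 1 if any is not,
# 2 if DIR is missing (kernel too old to report mitigation state).
audit_dir() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "no vulnerability reporting in $dir"; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(head -n 1 "$f")
        class=$(classify_status "$status")
        printf '%s: %s (%s)\n' "${f##*/}" "$class" "$status"
        [ "$class" = ok ] || rc=1
    done
    return "$rc"
}

# sample_dir STATUS -> path of a temp dir with a constructed spectre_v2 file
sample_dir() {
    d=$(mktemp -d) && printf '%s\n' "$1" > "$d/spectre_v2" && echo "$d"
}

case "${1:-}" in
    --live) audit_dir /sys/devices/system/cpu/vulnerabilities ;;
    *)  # Constructed demo: the value reported before the gcc-4.9 rebuild.
        demo=$(sample_dir 'Vulnerable: Minimal generic ASM retpoline')
        audit_dir "$demo" || echo "=> kernel needs a retpoline-capable compiler"
        rm -r "$demo" ;;
esac
```

Run with `--live` on a patched host to audit the running kernel; the exit status is non-zero if any entry is not fully mitigated.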