Univention Bugzilla – Bug 49476
linux: Multiple issues (4.4)
Last modified: 2019-05-15 14:52:36 CEST
New Debian linux 4.9.168-1+deb9u2 fixes:

This update addresses the following issues:
* Microarchitectural Store Buffer Data Sampling (MSBDS) (CVE-2018-12126)
* Micro-architectural Load Port Data Sampling - Information Leak (MLPDS) (CVE-2018-12127)
* Microarchitectural Fill Buffer Data Sampling (MFBDS) (CVE-2018-12130)
* Microarchitectural Data Sampling Uncacheable Memory (MDSUM) (CVE-2019-11091)
--- mirror/ftp/4.4/unmaintained/component/4.4-0-errata/source/univention-kernel-image-signed_5.0.0-2A~4.4.0.201904301047.dsc +++ apt/ucs_4.4-0-errata4.4-0/source/univention-kernel-image-signed_5.0.0-3A~4.4.0.201905151019.dsc @@ -1,8 +1,12 @@ -5.0.0-2A~4.4.0.201904301047 [Tue, 30 Apr 2019 10:47:38 +0200] Univention builddaemon <buildd@univention.de>: +5.0.0-3A~4.4.0.201905151019 [Wed, 15 May 2019 10:19:55 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package +5.0.0-3 [Wed, 15 May 2019 10:18:00 +0200] Philipp Hahn <hahn@univention.de>: + + * Bug #49476: Update to linux-4.9.168-1+deb9u2 + 5.0.0-2 [Tue, 30 Apr 2019 09:02:54 +0200] Philipp Hahn <hahn@univention.de>: - * Bug #49364: Update to linux-4.9.168-1 + * Bug #49377: Update to linux-4.9.168-1 <http://10.200.17.11/4.4-0/#620945926114612164>
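Review bot: the hunk rewrites the already-released 5.0.0-2 entry (Bug #49364 -> Bug #49377) instead of recording the correction in the new 5.0.0-3 entry; a published changelog entry should stay as shipped, so either move the correction into 5.0.0-3 (e.g. "* Bug #49377: correct bug reference of the 4.9.168-1 update") or mention it there as well. The 5.0.0-3 entry itself names only the bug number; listing the four CVE IDs (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091) there would make the security content of this rebuild visible to anyone reading the changelog or the errata page.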
--- mirror/ftp/4.4/unmaintained/component/4.4-0-errata/source/linux_4.9.168-1.dsc +++ apt/ucs_4.4-0-errata4.4-0/source/linux_4.9.168-1+deb9u2.dsc 
@@ -1,3 +1,100 @@ +4.9.168-1+deb9u2 [Mon, 13 May 2019 21:59:18 +0100] Ben Hutchings <ben@decadent.org.uk>: + + [ Salvatore Bonaccorso ] + * Revert "block/loop: Use global lock for ioctl() operation." + (Closes: #928125) + +4.9.168-1+deb9u1 [Mon, 13 May 2019 21:51:01 +0100] Ben Hutchings <ben@decadent.org.uk>: + + * [x86] Update speculation mitigations: + - x86/MCE: Save microcode revision in machine check records + - x86/cpufeatures: Hide AMD-specific speculation flags + - x86/bugs: Add AMD's variant of SSB_NO + - x86/bugs: Add AMD's SPEC_CTRL MSR usage + - x86/bugs: Switch the selection of mitigation from CPU vendor to CPU + features + - x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR + - x86/microcode/intel: Add a helper which gives the microcode revision + - x86/microcode/intel: Check microcode revision before updating sibling + threads + - x86/microcode: Make sure boot_cpu_data.microcode is up-to-date + - x86/microcode: Update the new microcode revision unconditionally + - x86/mm: Use WRITE_ONCE() when setting PTEs + - bitops: avoid integer overflow in GENMASK(_ULL) + - x86/speculation: Simplify the CPU bug detection logic + - locking/atomics, asm-generic: Move some macros from <linux/bitops.h> to a + new <linux/bits.h> file + - x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_v2_mitigation + - x86/cpu: Sanitize FAM6_ATOM naming + - Documentation/l1tf: Fix small spelling typo + - x86/speculation: Apply IBPB more strictly to avoid cross-process data + leak + - x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation + - x86/speculation: Propagate information about RSB filling mitigation to + sysfs + - x86/speculation/l1tf: Drop the swap storage limit restriction when + l1tf=off + - x86/speculation: Update the TIF_SSBD comment + - x86/speculation: Clean up spectre_v2_parse_cmdline() + - x86/speculation: Remove unnecessary ret variable in cpu_show_common() + - x86/speculation: Move STIPB/IBPB string conditionals out of + cpu_show_common() 
+ - x86/speculation: Disable STIBP when enhanced IBRS is in use + - x86/speculation: Rename SSBD update functions + - x86/speculation: Reorganize speculation control MSRs update + - x86/Kconfig: Select SCHED_SMT if SMP enabled + - sched: Add sched_smt_active() + - x86/speculation: Rework SMT state change + - x86/l1tf: Show actual SMT state + - x86/speculation: Reorder the spec_v2 code + - x86/speculation: Mark string arrays const correctly + - x86/speculataion: Mark command line parser data __initdata + - x86/speculation: Unify conditional spectre v2 print functions + - x86/speculation: Add command line control for indirect branch speculation + - x86/speculation: Prepare for per task indirect branch speculation control + - x86/process: Consolidate and simplify switch_to_xtra() code + - x86/speculation: Avoid __switch_to_xtra() calls + - x86/speculation: Prepare for conditional IBPB in switch_mm() + - x86/speculation: Split out TIF update + - x86/speculation: Prepare arch_smt_update() for PRCTL mode + - x86/speculation: Prevent stale SPEC_CTRL msr content + - x86/speculation: Add prctl() control for indirect branch speculation + - x86/speculation: Enable prctl mode for spectre_v2_user + - x86/speculation: Add seccomp Spectre v2 user space protection mode + - x86/speculation: Provide IBPB always command line options + - kvm: x86: Report STIBP on GET_SUPPORTED_CPUID + - x86/msr-index: Cleanup bit defines + - x86/speculation: Consolidate CPU whitelists + - Documentation: Move L1TF to separate directory + - cpu/speculation: Add 'mitigations=' cmdline option + - x86/speculation: Support 'mitigations=' cmdline option + - x86/speculation/mds: Add 'mitigations=' support for MDS + - x86/cpu/bugs: Use __initconst for 'const' init data + * [x86] Mitigate Microarchitectural Data Sampling (MDS) vulnerabilities + (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091): + - x86/speculation/mds: Add basic bug infrastructure for MDS + - x86/speculation/mds: Add 
BUG_MSBDS_ONLY + - x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests + - x86/speculation/mds: Add mds_clear_cpu_buffers() + - x86/speculation/mds: Clear CPU buffers on exit to user + - x86/kvm/vmx: Add MDS protection when L1D Flush is not active + - x86/speculation/mds: Conditionally clear CPU buffers on idle entry + - x86/speculation/mds: Add mitigation control for MDS + - x86/speculation/mds: Add sysfs reporting for MDS + - x86/speculation/mds: Add mitigation mode VMWERV + - Documentation: Add MDS vulnerability documentation + - x86/speculation/mds: Add mds=full,nosmt cmdline option + - x86/speculation: Move arch_smt_update() call to after mitigation decisions + - x86/speculation/mds: Add SMT warning message + - x86/speculation/mds: Fix comment + - x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off + - x86/mds: Add MDSUM variant to the MDS documentation + - Documentation: Correct the possible MDS sysfs values + - x86/speculation/mds: Fix documentation typo + * [x86] msr-index: Remove dependency on <linux/bits.h> + * [rt] Update patches to apply on top of the speculation mitigation changes + * [x86] mce, tlb: Ignore ABI changes + 4.9.168-1 [Fri, 12 Apr 2019 15:52:49 +0200] Salvatore Bonaccorso <carnil@debian.org>: * New upstream stable update: <http://10.200.17.11/4.4-0/#620945926114612164>
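Review bot: the MDS entries add the kernel side of the mitigation (mds_clear_cpu_buffers(), clearing on exit to user and on idle entry, X86_FEATURE_MD_CLEAR exposed to KVM guests), but the buffer clearing only takes effect once the CPU advertises MD_CLEAR, which requires updated microcode; nothing in the changelog says so, and the QA comment below confirms the gap ("Vulnerable: Clear CPU buffers attempted, no microcode"). Add a line to the +deb9u1 entry or to the UCS errata text that the microcode package has to be updated as well (on the host when UCS runs as a guest, so that MD_CLEAR is passed through), and that "Mitigation: Clear CPU buffers" in /sys/devices/system/cpu/vulnerabilities/mds is the state to verify. The "[x86] mce, tlb: Ignore ABI changes" line also deserves a sentence on out-of-tree modules built against 4.9.168-1, since the ABI name 4.9.0-9 is kept while those symbols changed.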
[4.4-0] a1671ff2dd Bug #49476: Update to linux-4.9.168-1+deb9u2
 .../debian/changelog | 6 ++++++
 .../univention-kernel-image-signed/debian/control | 4 ++--
 .../vmlinuz-4.9.0-9-amd64.efi.signed | Bin 4249200 -> 4253296 bytes
 3 files changed, 8 insertions(+), 2 deletions(-)

Package: univention-kernel-image-signed
Version: 5.0.0-3A~4.4.0.201905151019
Branch: ucs_4.4-0
Scope: errata4.4-0

OK: apt install linux-image-4.9.0-9-amd64-signed=5.0.0-3A~4.4.0.201905151019 linux-image-4.9.0-9-amd64=4.9.168-1+deb9u2
OK: amd64 @ kvm + SeaBIOS
OK: amd64 @ kvm + OVMF + SB
    cat /sys/kernel/security/securelevel
OK: amd64 @ xen16
OK: apt install linux-image-4.9.0-9-686-pae=4.9.168-1+deb9u2
OK: i386 @ kvm
OK: uname -a
OK: diff <(exec ./linux-dmesg-norm 4.9.0-9-amd64) <(exec ./linux-dmesg-norm 4.9.0-9-amd64.2)
    MDS: Vulnerable: Clear CPU buffers attempted, no microcode
~OK: cat /sys/devices/system/cpu/vulnerabilities/mds
    Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
OK: http://10.200.17.11/4.4-0/#620945926114612164
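The "~OK" in the QA comment above is the interesting result: the new kernel is installed, but the sysfs file still reports "Vulnerable: Clear CPU buffers attempted, no microcode", i.e. the kernel side of the MDS mitigation is active while the CPU does not provide MD_CLEAR. The following script is an added example for this bug (not part of the Univention QA tooling and not kernel code): it parses the status line of /sys/devices/system/cpu/vulnerabilities/mds into fields and turns it into a verdict, so that a QA run or a monitoring check does not read "Clear CPU buffers attempted" as a pass. The status strings and "SMT ..." suffixes it recognises are the ones the kernel's MDS documentation lists; the lines in SAMPLES are constructed for the demonstration (the first one is the value quoted in the comment above).

```python
"""Classify the MDS status that the Linux kernel reports in sysfs.

Added example for Bug #49476; not Univention QA code and not kernel code.
Assumptions: the sysfs path below and the documented status strings of the
kernel's MDS mitigation ("Not affected", "Vulnerable", "Vulnerable: Clear CPU
buffers attempted, no microcode", "Mitigation: Clear CPU buffers", optionally
followed by "; SMT vulnerable|mitigated|disabled|Host state unknown").
"""
import os

MDS_SYSFS = "/sys/devices/system/cpu/vulnerabilities/mds"

# Constructed sample lines; the first one is the value seen in the QA comment.
SAMPLES = [
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown",
    "Mitigation: Clear CPU buffers; SMT disabled",
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Vulnerable",
    "Not affected",
]


def classify_mds(status):
    """Return a dict describing one MDS status line.

    Keys: affected, mitigation (kernel buffer clearing active?), microcode
    (CPU advertises MD_CLEAR?), smt (text after 'SMT ' or None),
    verdict ('ok' | 'warn' | 'fail') and reason (what an operator should do).
    """
    line = status.strip()
    head, _, tail = line.partition(";")
    head, tail = head.strip(), tail.strip()
    smt = tail[len("SMT "):] if tail.startswith("SMT ") else None

    info = {"raw": line, "affected": True, "mitigation": False,
            "microcode": None, "smt": smt}

    if head == "Not affected":
        info.update(affected=False, verdict="ok", reason="CPU not affected by MDS")
    elif head == "Mitigation: Clear CPU buffers":
        # Kernel clears the buffers and the CPU has MD_CLEAR; SMT decides the rest.
        info.update(mitigation=True, microcode=True)
        if smt == "vulnerable":
            info.update(verdict="warn",
                        reason="buffers are cleared, but sibling hyperthreads can still "
                               "leak; consider mds=full,nosmt or disabling SMT")
        elif smt == "Host state unknown":
            info.update(verdict="warn",
                        reason="guest is mitigated; verify SMT handling on the hypervisor")
        else:
            info.update(verdict="ok",
                        reason="kernel mitigation active, SMT %s" % (smt or "n/a"))
    elif head == "Vulnerable: Clear CPU buffers attempted, no microcode":
        # Kernel is patched, CPU lacks MD_CLEAR: the clearing is best effort only.
        info.update(mitigation=True, microcode=False, verdict="fail",
                    reason="kernel patched but CPU lacks MD_CLEAR: install the microcode "
                           "update (on the host when running as a VM, so that MD_CLEAR "
                           "is exposed to the guest)")
    elif head == "Vulnerable":
        info.update(verdict="fail", reason="MDS mitigation disabled or kernel too old")
    else:
        info.update(verdict="warn", reason="unrecognised status string; inspect manually")
    return info


def read_mds(path=MDS_SYSFS):
    """Classify the live sysfs value, or return None when the file is absent
    (non-x86 machine, kernel without the MDS patches, or not Linux at all)."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return classify_mds(fh.read())


if __name__ == "__main__":
    live = read_mds()
    # On a machine without the sysfs file, walk the constructed samples instead.
    for sample in (SAMPLES if live is None else [live["raw"]]):
        r = classify_mds(sample)
        print("%-5s %s -> %s" % (r["verdict"].upper(), r["raw"], r["reason"]))
```

Run as a plain script it classifies the live value of the machine it runs on; without the sysfs file it walks the constructed samples. The value from the QA comment yields verdict "fail" with microcode=False, which is the signal that the kernel update alone has not closed the issue on that host.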
<http://errata.software-univention.de/ucs/4.4/97.html> <http://errata.software-univention.de/ucs/4.4/98.html>