Bug 46029

Summary: linux: Multiple security issues (4.2)
Product: UCS
Reporter: Philipp Hahn <hahn>
Component: Security updates
Assignee: Philipp Hahn <hahn>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: normal
Priority: P2
CC: birkefeld, damrose, gohmann, hahn, honzzze, requate, scheinig, stoeckigt
Version: UCS 4.2
Target Milestone: UCS 4.2-3-errata
Hardware: Other
OS: Linux
URL: https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html?m=1
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018010521000309
Bug group (optional): Security
Max CVSS v3 score: 8.2 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)
Bug Depends on:
Bug Blocks: 46188

Description Philipp Hahn univentionstaff 2018-01-15 10:49:54 CET
* cpu: speculative execution bounds-check bypass (CVE-2017-5753)
* cpu: speculative execution branch target injection (CVE-2017-5715)

Will probably require this:
- linux kernel update
- µcode update for Intel and AMD
- gcc update
- qemu update
- libvirt update

After that backport for UCS-4.1

+++ This bug was initially created as a clone of Bug #45981 +++
Comment 1 Philipp Hahn univentionstaff 2018-01-17 18:08:44 CET
r17967 | Bug #46029: linux-4.9.77

Package: linux
Version: 4.9.30-2A~4.2.0.201801171800
Branch: ucs_4.2-0
Scope: errata4.2-3
Comment 2 Philipp Hahn univentionstaff 2018-01-18 18:51:32 CET
df63acc77c Bug #46029: Update to linux-4.9.77-ucs108

Package: univention-kernel-image-signed
Version: 3.0.2-12A~4.2.0.201801181650
Version: 3.0.2-13A~4.2.0.201801181701
Branch: ucs_4.2-0
Scope: errata4.2-3

71c1a0b71f Bug #46029: Update to linux-4.9.77-ucs108

Package: univention-kernel-image
Version: 10.0.0-11A~4.2.0.201801181659
Branch: ucs_4.2-0
Scope: errata4.2-3

repo-admin -U -p intel-microcode -d sid -r 4.2 -s errata4.2-3
build-package-ng -r 4.2 -s errata4.2-3 -p intel-microcode -b ~ucs4.2

Package: intel-microcode
Version: 3.20180108.1~ucs4.2A~4.2.0.201801181821
Branch: ucs_4.2-0
Scope: errata4.2-3

99f486c00c Bug #46029: linux -4.9.77 + intel-microcode
 doc/errata/staging/intel-microcode.yaml                | 15 +++++++++++++++
 doc/errata/staging/linux.yaml                          | 16 ++++++++++++++++
 doc/errata/staging/univention-kernel-image-signed.yaml | 16 ++++++++++++++++
 doc/errata/staging/univention-kernel-image.yaml        | 16 ++++++++++++++++

TODO: Compile again with patched gcc
Comment 3 Philipp Hahn univentionstaff 2018-01-25 16:22:30 CET
r17973 | Bug #46029: linux-4.9.78

Package: linux
Version: 4.9.30-2A~4.2.0.201801250930
Branch: ucs_4.2-0-errata4.2-3
Scope: errata4.2-3

7944b7a084 Bug #46029: Update to linux-4.9.78-ucs108

Package: univention-kernel-image-signed
Version: 3.0.2-14A~4.2.0.201801251601
Branch: ucs_4.2-0
Scope: errata4.2-3

WIP: r17985 | Bug #46029: gcc-4.9 cpu: speculative execution branch target injection (CVE-2017-5715) [Spectre 2]
SKIP: intel-microcode - Intel recalled that update, waiting for new one
TODO: qemu, libvirt

d42541e27e Bug #46029: linux-4.9.78
Comment 4 Philipp Hahn univentionstaff 2018-01-25 16:34:19 CET
OK: amd64 @ KVM + OVMF (UEFI-SB)
OK: amd64 @ KVM + SeaBIOS
OK: amd64 @ xen1

OK: vimdiff <(./linux-dmesg-norm 4.9.0-ucs107-amd64) <(./linux-dmesg-norm 4.9.0-ucs108-amd64)
OK: /sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline
Comment 5 Philipp Hahn univentionstaff 2018-01-28 13:04:28 CET
Bug #18000: Bug #46029: gcc-4.9
 rename patch :-(

Package: gcc-4.9
Version: 4.9.2-10A~4.2.0.201801281259
Branch: ucs_4.2-0
Scope: errata4.2-3

ETA: 13h for i386 + 13h for amd64
TODO: After that rebuild Linux kernel again.
Comment 6 Philipp Hahn univentionstaff 2018-01-29 10:22:28 CET
Package: linux
Version: 4.9.30-2A~4.2.0.201801290155
Branch: ucs_4.2-0
Scope: errata4.2-3

6f1cbc9a80 Bug #46029 kernel: Rebuild with new gcc-4.9 for retpoline

Package: univention-kernel-image-signed
Version: 3.0.2-15A~4.2.0.201801290947
Branch: ucs_4.2-0
Scope: errata4.2-3

abec58879c Bug #46029: gcc-4.9

QA:
OK: /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
OK: amd64 @ kvm with SeaBIOS
OK: amd64 @ kvm with OVMF-SecureBoot
OK: amd64 @ xen1
Comment 7 Philipp Hahn univentionstaff 2018-01-29 15:11:09 CET
c847674176 Bug #46029: linux-4.9.78 YAML
Comment 8 Arvid Requate univentionstaff 2018-01-29 15:21:53 CET
Verified:

* Package update: Ok
* GenuineIntel dmesg:
  > Spectre V2 mitigation: Mitigation: Full generic retpoline
* AuthenticAMD dmesg: 
  > Spectre V2 mitigation: Mitigation: Full AMD retpoline
  > Spectre V2 mitigation: Filling RSB on context switch
* Secureboot: Ok
* Advisories: Ok
Comment 10 Philipp Hahn univentionstaff 2018-02-25 21:02:28 CET
r18025 | Bug #46209: linux-4.9.84

Package: linux
Version: 4.9.30-2A~4.2.0.201802251630
Branch: ucs_4.2-0
Scope: errata4.2-3
Comment 11 Philipp Hahn univentionstaff 2018-02-26 09:08:20 CET
c0a60a76b0 Bug #46029: Update to linux-4.9.84-ucs109

Package: univention-kernel-image-signed
Version: 3.0.2-19A~4.2.0.201802260839
Branch: ucs_4.2-0
Scope: errata4.2-3

f06a6b5c96 Bug #46029: Update to linux-4.9.84-ucs109 YAML
 doc/errata/staging/linux.yaml                          | 4 ++--
 doc/errata/staging/univention-kernel-image-signed.yaml | 4 ++--
 doc/errata/staging/univention-kernel-image.yaml        | 2 +-

OK: amd64 @ xen1
OK: amd64 @ kvm+SeaBIOS
OK: amd64 @ kvm+OVMF+Secure-Boot
OK: dmesg
OK: grep . /sys/devices/system/cpu/vulnerabilities/*
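Added example, not part of the bug report or of any Univention package: a POSIX shell check that reads the kernel's self-report under /sys/devices/system/cpu/vulnerabilities and classifies each entry, mirroring the QA lines in comments 4, 6 and 11 (the "Vulnerable: Minimal generic ASM retpoline" state seen before the kernel was rebuilt with the patched gcc, versus "Mitigation: Full generic retpoline" afterwards). The VULN_DIR variable, the --run flag and the function names are assumptions of this example; the file format (one file per issue reading "Not affected", "Vulnerable[: detail]" or "Mitigation: detail") is the kernel's documented sysfs interface.

```shell
#!/bin/sh
# Example check (added here, not from the bug report): summarise the kernel's
# Spectre/Meltdown status files. Exit status 0 means every entry is either
# "Not affected" or "Mitigation: ...", which is what the QA in the bug accepts.

# Assumed default; override with VULN_DIR=/path for testing.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status "<file content>" -> prints ok | vuln | unknown
# "Vulnerable: Minimal generic ASM retpoline" (comment 4) is still "vuln":
# the kernel only reports a mitigation once it was built with retpoline support.
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*) echo vuln ;;
        *) echo unknown ;;
    esac
}

# check_vulnerabilities DIR: prints "<issue>: <class> (<raw text>)" per file.
# Returns 0 when all entries are ok, 1 when any is vulnerable/unknown,
# 2 when the directory does not exist (pre-4.15/backport kernels, non-Linux).
check_vulnerabilities() {
    dir="$1"
    rc=0
    [ -d "$dir" ] || { echo "no $dir: kernel does not expose vulnerability status" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        raw=$(cat "$f")
        status=$(classify_status "$raw")
        printf '%s: %s (%s)\n' "$name" "$status" "$raw"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

# Stand-alone use: sh check-vulns.sh --run   (exit status mirrors the result)
if [ "${1:-}" = "--run" ]; then
    check_vulnerabilities "$VULN_DIR"
    exit $?
fi
```

Run it with `--run` on the host under test; a non-zero exit status is the signal to look at the printed line, since a "Vulnerable: ..." entry with retpoline in its detail text means the kernel knows about the mitigation but was not compiled to use it.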
Comment 12 Philipp Hahn univentionstaff 2018-02-26 09:47:34 CET
(In reply to Philipp Hahn from comment #10)
> r18025 | Bug #46209: linux-4.9.84

Wrong bug, correct is Bug #46209