Re: CVE-2017-5715
Hi,
On Wed, Mar 23, 2022 at 6:18 PM Georgi Naplatanov <gosho@oles.biz> wrote:
>
> On 3/23/22 22:43, Leandro Cunha wrote:
> > Hi,
> >
> > On Wed, Mar 23, 2022 at 2:33 PM Georgi Naplatanov <gosho@oles.biz> wrote:
> >>
> >> On 3/23/22 18:35, piorunz wrote:
> >>> On 23/03/2022 15:41, Leandro Cunha wrote:
> >>>
> >>>> Please, take into consideration what is in the link and you can
> >>>> consult through
> >>>> it about CVE: https://security-tracker.debian.org/tracker/CVE-2017-5715
> >>>
> >>> Leandro,
> >>> I've been on this website before I posted with spectre-meltdown-checker
> >>> results. I have vulnerable status just like author of this topic. I am
> >>> on intel-microcode 3.20210608.2, and by the look of it, this bug
> >>> supposed to be fixed in:
> >>>
> >>> "intel-microcode: Some microcode updates to partially adress
> >>> CVE-2017-5715 included in 3.20171215.1
> >>> Further updates in 3.20180312.1"
> >>>
> >>> So my version of microcode is 3-4 years newer than that.
> >>>
> >>> Is it microcode problem, or spectre-meltdown-checker displaying wrong
> >>> information, or something else entirely?
> >>>
> >>
> >> I want to mention that on the same computer with kernel Debian 5.10.92-2
> >>
> >> spectre-meltdown-checker
> >>
> >> reports that the system is not vulnerable to CVE-2017-5715
> >>
> >> Kind regards
> >> Georgi
> >>
> >
> > This script is reporting an already patched CVE as vulnerable.
>
>
> Are you sure this behavior on 5.10.103-1 is not some kind of regression?
> What is the evidence that vulnerability is still fixed?
>
>
> Kind regards
> Georgi
>
When replying to your email I was aware of the script issue that was reporting
several already resolved CVEs as unresolved. As Salvatore sent the issue link.
But it seems to me that this problem was solved 7 days ago, it would be
interesting if there was an update or a backport to stable.
--
Cheers,
Leandro Cunha
Software Engineer and Debian Contributor
Reply to: