
Re: CVE-2017-5715



On 3/25/22 19:19, Leandro Cunha wrote:
> Hi,
> 
> On Fri, Mar 25, 2022 at 4:19 AM Georgi Naplatanov <gosho@oles.biz> wrote:
>>
>> On 3/25/22 03:24, Leandro Cunha wrote:
>>> Hi,
>>>
>>> On Wed, Mar 23, 2022 at 6:18 PM Georgi Naplatanov <gosho@oles.biz> wrote:
>>>>
>>>> On 3/23/22 22:43, Leandro Cunha wrote:
>>>>> Hi,
>>>>>
>>>>> On Wed, Mar 23, 2022 at 2:33 PM Georgi Naplatanov <gosho@oles.biz> wrote:
>>>>>>
>>>>>> On 3/23/22 18:35, piorunz wrote:
>>>>>>> On 23/03/2022 15:41, Leandro Cunha wrote:
>>>>>>>
>>>>>>>> Please, take into consideration what is in the link and you can
>>>>>>>> consult through
>>>>>>>> it about CVE: https://security-tracker.debian.org/tracker/CVE-2017-5715
>>>>>>>
>>>>>>> Leandro,
>>>>>>> I've been on this website before I posted with spectre-meltdown-checker
>>>>>>> results. I have vulnerable status just like the author of this topic. I am
>>>>>>> on intel-microcode 3.20210608.2, and by the look of it, this bug is
>>>>>>> supposed to be fixed in:
>>>>>>>
>>>>>>> "intel-microcode: Some microcode updates to partially adress
>>>>>>> CVE-2017-5715 included in 3.20171215.1
>>>>>>> Further updates in 3.20180312.1"
>>>>>>>
>>>>>>> So my version of microcode is 3-4 years newer than that.
>>>>>>>
>>>>>>> Is it a microcode problem, or spectre-meltdown-checker displaying wrong
>>>>>>> information, or something else entirely?
>>>>>>>
>>>>>>
>>>>>> I want to mention that on the same computer with kernel Debian 5.10.92-2
>>>>>>
>>>>>> spectre-meltdown-checker
>>>>>>
>>>>>> reports that the system is not vulnerable to CVE-2017-5715
>>>>>>
>>>>>> Kind regards
>>>>>> Georgi
>>>>>>
>>>>>
>>>>> This script is reporting an already patched CVE as vulnerable.
>>>>
>>>>
>>>> Are you sure this behavior on 5.10.103-1 is not some kind of regression?
>>>> What is the evidence that vulnerability is still fixed?
>>>>
>>>>
>>>> Kind regards
>>>> Georgi
>>>>
>>>
>>> When replying to your email I was aware of the script issue that was reporting
>>> several already resolved CVEs as unresolved. As Salvatore sent the issue link.
>>> But it seems to me that this problem was solved 7 days ago, it would be
>>> interesting if there was an update or a backport to stable.
>>>
>>
>> Hi Leandro,
>>
>> I also think that an update would be nice.
>>
>> Kind regards
>> Georgi
>>
> 
> I applied a patch from upstream and repackaged it from unstable.
> And this CVE is displayed as resolved.
> 

Thank you, Leandro!

I guess that the patch will appear in Debian stable (11.4), right?

Kind regards
Georgi

