[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2017-5715

Hi all,

On Fri, Mar 25, 2022 at 02:57:12PM -0300, Leandro Cunha wrote:
> Hi,
> 
> On Fri, Mar 25, 2022 at 2:38 PM Georgi Naplatanov <gosho@oles.biz> wrote:
> >
> > On 3/25/22 19:19, Leandro Cunha wrote:
> > > Hi,
> > >
> > > On Fri, Mar 25, 2022 at 4:19 AM Georgi Naplatanov <gosho@oles.biz> wrote:
> > >>
> > >> On 3/25/22 03:24, Leandro Cunha wrote:
> > >>> Hi,
> > >>>
> > >>> On Wed, Mar 23, 2022 at 6:18 PM Georgi Naplatanov <gosho@oles.biz> wrote:
> > >>>>
> > >>>> On 3/23/22 22:43, Leandro Cunha wrote:
> > >>>>> Hi,
> > >>>>>
> > >>>>> On Wed, Mar 23, 2022 at 2:33 PM Georgi Naplatanov <gosho@oles.biz> wrote:
> > >>>>>>
> > >>>>>> On 3/23/22 18:35, piorunz wrote:
> > >>>>>>> On 23/03/2022 15:41, Leandro Cunha wrote:
> > >>>>>>>
> > >>>>>>>> Please, take into consideration what is in the link and you can
> > >>>>>>>> consult through
> > >>>>>>>> it about CVE: https://security-tracker.debian.org/tracker/CVE-2017-5715
> > >>>>>>>
> > >>>>>>> Leandro,
> > >>>>>>> I've been on this website before I posted with spectre-meltdown-checker
> > >>>>>>> results. I have vulnerable status just like author of this topic. I am
> > >>>>>>> on intel-microcode 3.20210608.2, and by the look of it, this bug
> > >>>>>>> supposed to be fixed in:
> > >>>>>>>
> > >>>>>>> "intel-microcode: Some microcode updates to partially adress
> > >>>>>>> CVE-2017-5715 included in 3.20171215.1
> > >>>>>>> Further updates in 3.20180312.1"
> > >>>>>>>
> > >>>>>>> So my version of microcode is 3-4 years newer than that.
> > >>>>>>>
> > >>>>>>> Is it microcode problem, or spectre-meltdown-checker displaying wrong
> > >>>>>>> information, or something else entirely?
> > >>>>>>>
> > >>>>>>
> > >>>>>> I want to mention that on the same computer with kernel Debian 5.10.92-2
> > >>>>>>
> > >>>>>> spectre-meltdown-checker
> > >>>>>>
> > >>>>>> reports that the system is not vulnerable to CVE-2017-5715
> > >>>>>>
> > >>>>>> Kind regards
> > >>>>>> Georgi
> > >>>>>>
> > >>>>>
> > >>>>> This script is reporting an already patched CVE as vulnerable.
> > >>>>
> > >>>>
> > >>>> Are you sure this behavior on 5.10.103-1 is not some kind of regression?
> > >>>> What is the evidence that vulnerability is still fixed?
> > >>>>
> > >>>>
> > >>>> Kind regards
> > >>>> Georgi
> > >>>>
> > >>>
> > >>> When replying to your email I was aware of the script issue that was reporting
> > >>> several already resolved CVEs as unresolved. As Salvatore sent the issue link.
> > >>> But it seems to me that this problem was solved 7 days ago, it would be
> > >>> interesting if there was an update or a backport to stable.
> > >>>
> > >>
> > >> Hi Leandro,
> > >>
> > >> I also think that an update would be nice.
> > >>
> > >> Kind regards
> > >> Georgi
> > >>
> > >
> > > I applied a patch from upstream and repackaged it from unstable.
> > > And this CVE is displayed as resolved.
> > >
> >
> > Thank you, Leandro!
> >
> > I guess that the patch will appear in Debian stable (11.4), right?
> >
> > Kind regards
> > Georgi
> >
> 
> This update must comply with the link below. I only did a test here.
> It is up to the maintainers to analyze this.
> I already see it as something necessary to be corrected.
> [1] https://www.debian.org/doc/manuals/developers-reference/pkgs.html#special-case-uploads-to-the-stable-and-oldstable-distributions

I would suggest to ask the maintainers if they can prepare an update
to be included in the next point release. This can happen directly or
to the bug #1008181.

Sylvestre and Holger, would you have time to include the bugfix as
well in the future bullseye point release?

Regards,
Salvatore
Reply to: