
Re: Question on CVE-2017-5754 on Debian 8.9



Nicholas Geovanis <nickgeovanis@gmail.com> wrote:

> I've installed the patch for CVE-2017-5754 as well as the microcode update:

Well, Intel majorly fscked up their microcodes and strongly recommends
to revert to an earlier BIOS/UEFI firmware (if possible) and also
advised all vendors shipping microcode as a separate package (meaning
VMware and all Linux vendors here) to revert to the version from
November 2017, which so far all major Linux distributions have done.

(Debian didn't even ship the update for Stable/Oldstable because the
problems were already showing two weeks ago.)

So, right now, unless you have the latest bleeding edge kernel, compiled
with a retpoline-aware pre-release GCC, you will be vulnerable to
CVE-2017-5753 (Spectre#1) and CVE-2017-5715 (Spectre#2) for quite some
time.

> # uname -a
> Linux ftp51 3.16.0-5-amd64 #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08)
> x86_64 GNU/Linux
> # dmesg | grep isolation
> [    0.000000] Kernel/User page tables isolation: enabled

> And yet, the widely-recommended test script at
> https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh

Did you run the script as root? Did you use the most recent version of
it? It gets developed quite rapidly; maybe you got a version which was
not functioning correctly at that moment, given that you download the
script from the master branch instead of one of the tagged releases.

S°

-- 
Sigmentation fault. Core dumped.

