Hello,
On Mon, Feb 19, 2018 at 09:03:20PM +0000, Michael Fothergill wrote:
> On 19 February 2018 at 19:10, Michael Lange <klappnase@freenet.de> wrote:
> > no, I meant to say that you were looking at the wrong place if you wanted
> > to see if the "spectre-2" fix has arrived in debian, for this one you
> > will have to look here:
> >
> > https://security-tracker.debian.org/tracker/CVE-2017- 5715
>
> No, we were not looking for it. I think a joint fix for meltdown and
> spectre 1 would fit the bill at present .
They are different bugs with different fixes. No one is even certain
HOW to fix Spectre variant 1 yet, or if it can be without entirely
new CPUs. Things have only got as far as kicking around ideas on how
to make exploiting it harder.
Your suggestion makes about as much sense as lumping every single
buffer overflow bug into one CVE and then saying almost all software
ever made is vulnerable, until there is one patch that fixes
everything at once.
Your comments along the lines of "I thought it was fixed…", as
Michael Lange pointed out, were about Spectre variant 2 but you are
looking at the security tracker page for Spectre variant 1.
CVE-2017-5753 is Spectre v1. There is no fix for Spectre v1 anywhere
yet, not even in Linux upstream.
Spectre v2, which you are talking about, is CVE-2017-5715, again as
Michael Lange just pointed out to you. As you can see from the link
that Michael gave you, Spectre v2 is fixed in the kernel package in
sid. Read it again:
<https://security-tracker.debian.org/tracker/CVE-2017- >5715
That's the retpoline stuff you're talking about.