Nie jesteś zalogowany.
Jeśli nie posiadasz konta, zarejestruj je już teraz! Pozwoli Ci ono w pełni korzystać z naszego serwisu. Spamerom dziękujemy!

Ogłoszenie

Prosimy o pomoc dla małej Julki — przekaż 1% podatku na Fundacji Dzieciom zdazyć z Pomocą.
Więcej informacji na dug.net.pl/pomagamy/.

#201  2018-02-22 17:50:19

  arturek - Członek DUG

arturek
Członek DUG
Zarejestrowany: 2006-08-19

Re: Poważny błąd w CPU Intela wymaga jego wymiany albo spowolnienia do 63%

Do "stretch-security" na pewno wejdzie

Kod:

linux (4.9.82-1+deb9u2) stretch-security; urgency=high

* [x86] Add versioned build-dependency on gcc-6 for retpoline support.

[url]https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/changelog?h=stretch-security&id=d92a0c39878ccbe16e6cdbee49d6d867a3f8a99c[/url]

który też zawiera łatki na retpoline,
a  czekają na to gcc-6, bo jest w zależnościach

###########################


Z ostatniej chwili załatane gcc-6 i linux 4.9.82-1+deb9u2 już w  Stretch

root@debian:/home/arturek/spectre-meltdown-checker-0.35# ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.35

Checking for vulnerabilities on current system
Kernel is Linux 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64
CPU is AMD FX(tm)-6300 Six-Core Processor

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  NO

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO
[b]> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)[/b]

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
[b]> STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)[/b]

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that your CPU is unaffected)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  NO
* Running as a Xen PV DomU:  NO
[b]> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)[/b]

A false sense of security is worse than no security at all, see --disclaimer
root@debian:/home/arturek/spectre-meltdown-checker-0.35#[/quote]

Ostatnio edytowany przez arturek (2018-02-22 18:19:18)


Debian “buster” Xfce

Offline

 

#202  2018-02-22 18:37:50

  Renia - Użytkownik

Renia
Użytkownik
Zarejestrowany: 2014-08-29

Re: Poważny błąd w CPU Intela wymaga jego wymiany albo spowolnienia do 63%

Kod:

PTI enabled and active:  NO

Dlaczego tak jest?


Instalacja E-Deklaracje na Debianie 64-bit:
https://forum.dug.net.pl/viewtopic.php?pid=301794#p301794

Offline

 

#203  2018-02-22 18:41:13

  arturek - Członek DUG

arturek
Członek DUG
Zarejestrowany: 2006-08-19

Re: Poważny błąd w CPU Intela wymaga jego wymiany albo spowolnienia do 63%

[quote=Renia]

Kod:

PTI enabled and active:  NO

Dlaczego tak jest?[/quote]
procesor amd tak ma


Debian “buster” Xfce

Offline

 

#204  2018-02-22 18:43:12

  Renia - Użytkownik

Renia
Użytkownik
Zarejestrowany: 2014-08-29

Re: Poważny błąd w CPU Intela wymaga jego wymiany albo spowolnienia do 63%

No tak, masz AMD, a nie Intela.


Instalacja E-Deklaracje na Debianie 64-bit:
https://forum.dug.net.pl/viewtopic.php?pid=301794#p301794

Offline

 

#205  2018-02-22 23:09:01

  Renia - Użytkownik

Renia
Użytkownik
Zarejestrowany: 2014-08-29

Re: Poważny błąd w CPU Intela wymaga jego wymiany albo spowolnienia do 63%

Faktycznie jest, szybciej niż się spodziewałam.

./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.35

Checking for vulnerabilities on current system
Kernel is Linux 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64
CPU is Intel(R) Celeron(R) CPU 2.80GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 60 stepping 3 ucode 0x22)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO
[b]> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)[/b]

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
[b]> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline - vulnerable module loaded)[/b]

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
[b]> STATUS:  NOT VULNERABLE  (Mitigation: PTI)[/b]

A false sense of security is worse than no security at all, see --disclaimer[/quote]

Kod:

cat /proc/version
Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21)

Kod:

apt-cache policy linux-image-4.9.0-6-amd64
linux-image-4.9.0-6-amd64:
  Zainstalowana: 4.9.82-1+deb9u2
  Kandydująca:   4.9.82-1+deb9u2
  Tabela wersji:
 *** 4.9.82-1+deb9u2 100
         99 http://security.debian.org stretch/updates/main amd64 Packages
        100 /var/lib/dpkg/status

Ostatnio edytowany przez Renia (2018-02-22 23:14:20)


Instalacja E-Deklaracje na Debianie 64-bit:
https://forum.dug.net.pl/viewtopic.php?pid=301794#p301794

Offline

 

#206  2018-02-23 11:15:49

  KerneLpaniC - Użytkownik

KerneLpaniC
Użytkownik
Skąd: 127.0.0.1
Zarejestrowany: 2016-08-09

Re: Poważny błąd w CPU Intela wymaga jego wymiany albo spowolnienia do 63%

STATUS:  NOT VULNERABLE  X3
Można spać spokojnie ;-D

Ostatnio edytowany przez KerneLpaniC (2018-02-23 11:16:39)

Offline

 

#207  2018-02-23 11:53:53

  Renia - Użytkownik

Renia
Użytkownik
Zarejestrowany: 2014-08-29

Re: Poważny błąd w CPU Intela wymaga jego wymiany albo spowolnienia do 63%

Jeszcze wszystkie programy muszą być przekompilowane z GCC z łatką, a to trochę potrwa.


Instalacja E-Deklaracje na Debianie 64-bit:
https://forum.dug.net.pl/viewtopic.php?pid=301794#p301794

Offline

 

#208  2018-02-23 12:35:18

  KerneLpaniC - Użytkownik

KerneLpaniC
Użytkownik
Skąd: 127.0.0.1
Zarejestrowany: 2016-08-09

Re: Poważny błąd w CPU Intela wymaga jego wymiany albo spowolnienia do 63%

@Renia czyli wszystkie programy powinny dostać update z security? czyli czeka nas sporo updatów?

Offline

 

#209  2018-02-23 12:44:43

  Renia - Użytkownik

Renia
Użytkownik
Zarejestrowany: 2014-08-29

Re: Poważny błąd w CPU Intela wymaga jego wymiany albo spowolnienia do 63%

Nie wiem jak to zostanie rozwiązane w Debianie. Teraz doceniam filozofię Gentoo.


Instalacja E-Deklaracje na Debianie 64-bit:
https://forum.dug.net.pl/viewtopic.php?pid=301794#p301794

Offline

 

#210  2018-02-23 12:50:05

  KerneLpaniC - Użytkownik

KerneLpaniC
Użytkownik
Skąd: 127.0.0.1
Zarejestrowany: 2016-08-09

Re: Poważny błąd w CPU Intela wymaga jego wymiany albo spowolnienia do 63%

W sensie żeby sobie samemu wszystko skompilować od nowa? Troche czasochłonne. Tzn nie wiem jak dokładnie tam jest ;p

Offline

 

#211  2018-06-02 20:03:13

  KerneLpaniC - Użytkownik

KerneLpaniC
Użytkownik
Skąd: 127.0.0.1
Zarejestrowany: 2016-08-09

Re: Poważny błąd w CPU Intela wymaga jego wymiany albo spowolnienia do 63%

są kolejne podatnośći
https://security-tracker.debian.org/tracker/CVE-2018-3640
https://security-tracker.debian.org/tracker/CVE-2018-3639

i aktualizacja skryptu
https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh

u mnie daje wynik

Spectre and Meltdown mitigation detection tool v0.37+

Checking for vulnerabilities on current system
Kernel is Linux 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64
CPU is Intel(R) Pentium(R) Dual  CPU  T2370  @ 1.73GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 0xf family 0x6 stepping 0xd ucode 0xa4 cpuid 0x6fd)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES
  * Vulnerable to Variant 3a:  YES
  * Vulnerable to Variant 4:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec (x86):  YES  (1 occurrence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO
* Kernel has mask_nospec64 (arm):  NO
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES
    * IBRS enabled and active:  NO
  * Kernel is compiled with IBPB support:  YES
    * IBPB enabled and active:  NO
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO
  * Kernel compiled with retpoline option:  YES
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Full retpoline is mitigating the vulnerability)
IBPB is considered as a good addition to retpoline for Variant 2 mitigation, but your CPU microcode doesn't support it

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES
  * PTI enabled and active:  YES
  * Reduced performance impact of PTI:  NO  (PCID/INVPCID not supported, performance impact of PTI will be significant)
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability:  NO
> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)

> How to fix: The microcode of your CPU needs to be upgraded to mitigate this vulnerability. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). The microcode update is enough, there is no additional OS, kernel or software change needed.

CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Kernel supports speculation store bypass:  NO
> STATUS:  VULNERABLE  (Neither your CPU nor your kernel support SSBD)

> How to fix: Both your CPU microcode and your kernel are lacking support for mitigation. If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel from recent-enough sources. The microcode of your CPU also needs to be upgraded. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section).

A false sense of security is worse than no security at all, see --disclaimer[/quote]

Offline

 

Stopka forum

Powered by PunBB
© Copyright 2002–2005 Rickard Andersson
To nie jest tylko forum, to nasza mała ojczyzna ;-)

[ Generated in 0.020 seconds, 11 queries executed ]

Informacje debugowania

Time (s) Query
0.00010 SET CHARSET latin2
0.00003 SET NAMES latin2
0.00099 SELECT u.*, g.*, o.logged FROM punbb_users AS u INNER JOIN punbb_groups AS g ON u.group_id=g.g_id LEFT JOIN punbb_online AS o ON o.ident='3.128.201.207' WHERE u.id=1
0.00080 REPLACE INTO punbb_online (user_id, ident, logged) VALUES(1, '3.128.201.207', 1732429092)
0.00052 SELECT * FROM punbb_online WHERE logged<1732428792
0.00080 SELECT topic_id FROM punbb_posts WHERE id=319670
0.00777 SELECT id FROM punbb_posts WHERE topic_id=30168 ORDER BY posted
0.00073 SELECT t.subject, t.closed, t.num_replies, t.sticky, f.id AS forum_id, f.forum_name, f.moderators, fp.post_replies, 0 FROM punbb_topics AS t INNER JOIN punbb_forums AS f ON f.id=t.forum_id LEFT JOIN punbb_forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id=3) WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.id=30168 AND t.moved_to IS NULL
0.00012 SELECT search_for, replace_with FROM punbb_censoring
0.00443 SELECT u.email, u.title, u.url, u.location, u.use_avatar, u.signature, u.email_setting, u.num_posts, u.registered, u.admin_note, p.id, p.poster AS username, p.poster_id, p.poster_ip, p.poster_email, p.message, p.hide_smilies, p.posted, p.edited, p.edited_by, g.g_id, g.g_user_title, o.user_id AS is_online FROM punbb_posts AS p INNER JOIN punbb_users AS u ON u.id=p.poster_id INNER JOIN punbb_groups AS g ON g.g_id=u.group_id LEFT JOIN punbb_online AS o ON (o.user_id=u.id AND o.user_id!=1 AND o.idle=0) WHERE p.topic_id=30168 ORDER BY p.id LIMIT 200,25
0.00088 UPDATE punbb_topics SET num_views=num_views+1 WHERE id=30168
Total query time: 0.01717 s