Bug 22335 - Update request: kernel-tmb 4.14.13
Summary: Update request: kernel-tmb 4.14.13
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK, MGA6-32-OK
Keywords: advisory, validated_update
Depends on: 22337
Blocks:
  Show dependency treegraph
 
Reported: 2018-01-06 23:32 CET by Thomas Backlund
Modified: 2018-01-13 15:29 CET (History)
2 users (show)

See Also:
Source RPM: kernel-tmb
CVE:
Status comment:


Attachments

Description Thomas Backlund 2018-01-06 23:32:09 CET
Meltdown fixed kernel...

Advisory will follow

There might be need for a rebuild for additional fixes... but please start testing so we can catch regressions...


SRPMS:
kernel-tmb-4.14.12-2.mga6.src.rpm


i586:
kernel-tmb-desktop-4.14.12-2.mga6-1-1.mga6.i586.rpm
kernel-tmb-desktop-devel-4.14.12-2.mga6-1-1.mga6.i586.rpm
kernel-tmb-desktop-devel-latest-4.14.12-2.mga6.i586.rpm
kernel-tmb-desktop-latest-4.14.12-2.mga6.i586.rpm
kernel-tmb-source-4.14.12-2.mga6-1-1.mga6.noarch.rpm
kernel-tmb-source-latest-4.14.12-2.mga6.noarch.rpm


x86_64:
kernel-tmb-desktop-4.14.12-2.mga6-1-1.mga6.x86_64.rpm
kernel-tmb-desktop-devel-4.14.12-2.mga6-1-1.mga6.x86_64.rpm
kernel-tmb-desktop-devel-latest-4.14.12-2.mga6.x86_64.rpm
kernel-tmb-desktop-latest-4.14.12-2.mga6.x86_64.rpm
kernel-tmb-source-4.14.12-2.mga6-1-1.mga6.noarch.rpm
kernel-tmb-source-latest-4.14.12-2.mga6.noarch.rpm
Thomas Backlund 2018-01-06 23:38:37 CET

Depends on: (none) => 22337

Comment 1 Thomas Backlund 2018-01-09 01:06:42 CET

Unfortunately there is still some regressions that will be fixed in 4.14.13, so  a new kernel will be coming...

Keywords: (none) => feedback

Comment 2 Thomas Backlund 2018-01-10 15:37:50 CET
Ok, all currently known issues should be fixed with theese:


SRPMS:
kernel-tmb-4.14.13-1.mga6.src.rpm


i586:
kernel-tmb-desktop-4.14.13-1.mga6-1-1.mga6.i586.rpm
kernel-tmb-desktop-devel-4.14.13-1.mga6-1-1.mga6.i586.rpm
kernel-tmb-desktop-devel-latest-4.14.13-1.mga6.i586.rpm
kernel-tmb-desktop-latest-4.14.13-1.mga6.i586.rpm
kernel-tmb-source-4.14.13-1.mga6-1-1.mga6.noarch.rpm
kernel-tmb-source-latest-4.14.13-1.mga6.noarch.rpm


x86_64:
kernel-tmb-desktop-4.14.13-1.mga6-1-1.mga6.x86_64.rpm
kernel-tmb-desktop-devel-4.14.13-1.mga6-1-1.mga6.x86_64.rpm
kernel-tmb-desktop-devel-latest-4.14.13-1.mga6.x86_64.rpm
kernel-tmb-desktop-latest-4.14.13-1.mga6.x86_64.rpm
kernel-tmb-source-4.14.13-1.mga6-1-1.mga6.noarch.rpm
kernel-tmb-source-latest-4.14.13-1.mga6.noarch.rpm

Keywords: feedback => (none)
Summary: Update request: kernel-tmb 4.14.12 => Update request: kernel-tmb 4.14.13

Comment 3 Brian Rockwell 2018-01-10 20:40:00 CET
Intel(R) Core(TM) i3 CPU       M 350  @ 2.27GHz
Core Processor Integrated Graphics Controller
RTL8191SEvB Wireless LAN Controller


The following 6 packages are going to be installed:

- cpupower-4.14.13-1.mga6.i586
- cpupower-devel-4.14.13-1.mga6.i586
- dracut-044-11.1.mga6.i586
- kernel-tmb-desktop-4.14.13-1.mga6-1-1.mga6.i586
- kernel-tmb-desktop-latest-4.14.13-1.mga6.i586
- microcode-0.20180108-1.mga6.nonfree.noarch

50MB of additional disk space will be used.

47MB of packages will be retrieved.

Is it ok to continue?


Rebooted


$ uname -a 
Linux localhost.localdomain 4.14.13-tmb-desktop-1.mga6 #1 SMP PREEMPT Wed Jan
10 13:49:50 UTC 2018 i686 i686 i686 GNU/Linux

wifi is working, konsole, Libreoffice, firefox, chromium all working.


Laptop – so sleep mode works when I close the lid and then hit resume.

working as designed

CC: (none) => brtians1

Comment 4 claire robinson 2018-01-11 19:13:01 CET
Seems fine on kaby lake mga6 64

model name	: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz

Installed with cpupower, microcode, dracut, dkms-virtualbox

Network, suspend, resume, sound, vbox.
Nothing unusual to report.


Tested using the latest spectre & meltdown checker from ..

$ wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh

# sh /home/claire/spectre-meltdown-checker.sh 
Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.14.13-tmb-desktop-1.mga6 #1 SMP PREEMPT Wed Jan 10 14:08:24 UTC 2018 x86_64

...snip spectre stuff

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
Comment 5 Thomas Backlund 2018-01-12 21:33:26 CET
Advisory, added to svn:

type: security
subject: Updated kernel-tmb packages fix security vulnerabilities
CVE:
 - CVE 2017-5715
 - CVE 2017-5753
 - CVE-2017-5754
 - CVE-2017-15129
 - CVE-2017-17741
src:
  6:
   core:
     - kernel-tmb-4.14.13-1.mga6
description: |
  This kernel-tmb update is based on the upstream 4.14.13 and and fixes
  several security issues.

  The most important fix in this update is for the security issue named
  "Meltdown" that is fixed in theese kernels by enabling kernel Page
  Table Isolation (KTPI). Note that according to AMD, this issue does
  not effect Amd processors, so it is not enabled by default on systems
  using Amd CPU.

  The list of known security fixes and mitigations in this kernel:

  kvm: vmx: Scrub hardware GPRs at VM-exit. This enables partial mitigation
  in kvm for the security issue named "Spectre" (CVE 2017-5715, CVE 2017-5753).

  Systems with microprocessors utilizing speculative execution and indirect
  branch prediction may allow unauthorized disclosure of information to an
  attacker with local user access via a side-channel analysis of the data
  cache (CVE-2017-5754, "MeltDown").

  A use-after-free vulnerability was found in network namespaces code
  affecting the Linux kernel before 4.14.11. The function get_net_ns_by_id()
  in net/core/net_namespace.c does not check for the net::count value after
  it has found a peer network in netns_ids idr, which could lead to double
  free and memory corruption. This vulnerability could allow an unprivileged
  local user to induce kernel memory corruption on the system, leading to a
  crash. Due to the nature of the flaw, privilege escalation cannot be fully
  ruled out, although it is thought to be unlikely (CVE-2017-15129).

  The KVM implementation in the Linux kernel through 4.14.7 allows attackers
  to obtain potentially sensitive information from kernel memory, aka a
  write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c
  and include/trace/events/kvm.h (CVE-2017-17741).

  The kernels are also fixed to allow loading cpu microcode for Amd
  family 17 (Zen) processors.

  For more info about Meltdown, Spectre and other fixes in this update,
  see the refences.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=22335
 - https://meltdownattack.com/
 - https://googleprojectzero.blogspot.fi/2018/01/reading-privileged-memory-with-side.html
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.111
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.112
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.113

Keywords: (none) => advisory

Thomas Backlund 2018-01-13 14:55:20 CET

Whiteboard: (none) => MGA6-64-OK, MGA6-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2018-01-13 15:29:38 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0077.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.