Spectre v4 mitigations + other security and bugfixes... advisory will follow SRPM: kernel-tmb-4.14.43-1.mga6.src.rpm i586: kernel-tmb-desktop-4.14.43-1.mga6-1-1.mga6.i586.rpm kernel-tmb-desktop-devel-4.14.43-1.mga6-1-1.mga6.i586.rpm kernel-tmb-desktop-devel-latest-4.14.43-1.mga6.i586.rpm kernel-tmb-desktop-latest-4.14.43-1.mga6.i586.rpm kernel-tmb-source-4.14.43-1.mga6-1-1.mga6.noarch.rpm kernel-tmb-source-latest-4.14.43-1.mga6.noarch.rpm x86_64: kernel-tmb-desktop-4.14.43-1.mga6-1-1.mga6.x86_64.rpm kernel-tmb-desktop-devel-4.14.43-1.mga6-1-1.mga6.x86_64.rpm kernel-tmb-desktop-devel-latest-4.14.43-1.mga6.x86_64.rpm kernel-tmb-desktop-latest-4.14.43-1.mga6.x86_64.rpm kernel-tmb-source-4.14.43-1.mga6-1-1.mga6.noarch.rpm kernel-tmb-source-latest-4.14.43-1.mga6.noarch.rpm
Depends on: (none) => 23062, 22977
Installed and rebooted OK. System: Host: belexeuli Kernel: 4.14.43-tmb-desktop-1.mga6 x86_64 CPU: Quad core Intel Core i7-2600 (-HT-MCP-) speed/max: 1717/3800 MHz Machine: Device: desktop System: Alienware product: Alienware X51 v: 00 Graphics: Card-2: NVIDIA GF114 [GeForce GTX 555] GLX Version: 4.6.0 NVIDIA 390.59 Network: Card-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller. driver: r8169 RAM: 7.68 GB Ran some quick stress tests. Leaving this to run.
CC: (none) => tarazed25
System: Host: vega Kernel: 4.14.43-tmb-desktop-1.mga6 x86_64 CPU: Quad core Intel Core i7-4790K (-HT-MCP-) Machine: Device: desktop Mobo: Gigabyte model: G1.Sniper Z97 v: x.x Graphics: Card-2: NVIDIA GK104 [GeForce GTX 770] GLX Version: 4.6.0 NVIDIA 390.59 Network: Card-1: Qualcomm Atheros Killer E220x Gigabit Ethernet Controller driver: alx RAM: 15.33 GB Switched to the tmb kernel and rebooted to Mate. nvidia and virtualbox drivers rebult during boot. Complaint about microcode being out of date but could find nothing in the journal. BTAIM the desktop is running normally. Passed several stress tests. Networking OK. Remote login to workstation on the LAN. Graphical applications all run without problems, stellarium, VLC with TV input. Bluetooth sound works perfectly. No problems with virtualbox. Running two vms at the same time. Opened a password-protected file in LibreOffice. The release version of celestia does not work but after performing a local build and installing that, it worked fine with this kernel.
Updated to 4.14.44 for more security fixes and to add fixes for bug 23060 So rpms to test: SRPM: kernel-tmb-4.14.44-1.mga6.src.rpm i586: kernel-tmb-desktop-4.14.44-1.mga6-1-1.mga6.i586.rpm kernel-tmb-desktop-devel-4.14.44-1.mga6-1-1.mga6.i586.rpm kernel-tmb-desktop-devel-latest-4.14.44-1.mga6.i586.rpm kernel-tmb-desktop-latest-4.14.44-1.mga6.i586.rpm kernel-tmb-source-4.14.44-1.mga6-1-1.mga6.noarch.rpm kernel-tmb-source-latest-4.14.44-1.mga6.noarch.rpm x86_64: kernel-tmb-desktop-4.14.44-1.mga6-1-1.mga6.x86_64.rpm kernel-tmb-desktop-devel-4.14.44-1.mga6-1-1.mga6.x86_64.rpm kernel-tmb-desktop-devel-latest-4.14.44-1.mga6.x86_64.rpm kernel-tmb-desktop-latest-4.14.44-1.mga6.x86_64.rpm kernel-tmb-source-4.14.44-1.mga6-1-1.mga6.noarch.rpm kernel-tmb-source-latest-4.14.44-1.mga6.noarch.rpm
Summary: Update request: kernel-tmb-4.14.43-1.mga6 => Update request: kernel-tmb-4.14.44-1.mga6
System: Host: vega Kernel: 4.14.44-tmb-desktop-1.mga6 x86_64 CPU: Quad core Intel Core i7-4790K (-HT-MCP-) speed/max: 4186/4400 MHz Machine: Device: desktop Mobo: Gigabyte model: G1.Sniper Z97 v: x.x Graphics: Card-2: NVIDIA GK104 [GeForce GTX 770] GLX Version: 4.6.0 NVIDIA 390.59 Network: Card-1: Qualcomm Atheros Killer E220x Gigabit Ethernet Controller driver: alx RAM: 15.33 GB Sorted out the microcode problems before installing this and rebooted to Mate DE. Ran similar tests to those reported in comment 2 for 4.14.43, all with positive results.
This one has been updated to get the same fixes as done for kernel-4.14.44-2 so new rpms: SRPM: kernel-tmb-4.14.44-2.mga6.src.rpm i586: kernel-tmb-desktop-4.14.44-2.mga6-1-1.mga6.i586.rpm kernel-tmb-desktop-devel-4.14.44-2.mga6-1-1.mga6.i586.rpm kernel-tmb-desktop-devel-latest-4.14.44-2.mga6.i586.rpm kernel-tmb-desktop-latest-4.14.44-2.mga6.i586.rpm kernel-tmb-source-4.14.44-2.mga6-1-1.mga6.noarch.rpm kernel-tmb-source-latest-4.14.44-2.mga6.noarch.rpm x86_64: kernel-tmb-desktop-4.14.44-2.mga6-1-1.mga6.x86_64.rpm kernel-tmb-desktop-devel-4.14.44-2.mga6-1-1.mga6.x86_64.rpm kernel-tmb-desktop-devel-latest-4.14.44-2.mga6.x86_64.rpm kernel-tmb-desktop-latest-4.14.44-2.mga6.x86_64.rpm kernel-tmb-source-4.14.44-2.mga6-1-1.mga6.noarch.rpm kernel-tmb-source-latest-4.14.44-2.mga6.noarch.rpm
Summary: Update request: kernel-tmb-4.14.44-1.mga6 => Update request: kernel-tmb-4.14.44-2.mga6
Advisory (added to svn): type: security subject: Updated kernel-tmb packages fix security vulnerabilities CVE: - CVE-2017-5754 - CVE-2018-1065 - CVE-2018-1068 - CVE-2018-1087 - CVE-2018-1092 - CVE-2018-1093 - CVE-2018-1094 - CVE-2018-1095 - CVE-2018-1130 - CVE-2018-8897 - CVE-2018-1120 - CVE-2018-3639 - CVE-2018-1000004 - CVE-2018-1000200 src: 6: core: - kernel-tmb-4.14.44-2.mga6 description: | This kernel-tmb update is based on the upstream 4.14.44 and fixes atleast the following security issues: This update adds KPTI mitigation for Meltdown (CVE-2017-5754) on 32bit x86. The netfilter subsystem in the Linux kernel through 4.15.7 mishandles the case of a rule blob that contains a jump but lacks a user-defined chain, which allows local users to cause a denial of service (NULL pointer dereference) by leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability, related to arpt_do_table in net/ipv4/netfilter/arp_tables.c, ipt_do_table in net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in net/ipv6/netfilter/ip6_tables.c (CVE-2018-1065). A flaw was found in the Linux kernel implementation of 32 bit syscall interface for bridging allowing a privileged user to arbitrarily write to a limited range of kernel memory. This flaw can be exploited not only by a system's privileged user (a real "root" user), but also by an attacker who is a privileged user (a "root" user) in a user+network namespace (CVE-2018-1068). On x86, MOV SS and POP SS behave strangely if they encounter a data breakpoint. If this occurs in a KVM guest, KVM incorrectly thinks that a #DB instruction was caused by the undocumented ICEBP instruction. This results in #DB being delivered to the guest kernel with an incorrect RIP on the stack. On most guest kernels, this will allow a guest user to DoS the guest kernel or even to escalate privilege to that of the guest kernel (CVE-2018-1087). The ext4_iget function in fs/ext4/inode.c in the Linux kernel through 4.15.15 mishandles the case of a root directory with a zero i_links_count, which allows attackers to cause a denial of service (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image (CVE-2018-1092). The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the Linux kernel through 4.15.15 allows attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image because balloc.c and ialloc.c do not validate bitmap block numbers (CVE-2018-1093). The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.15.15 does not always initialize the crc32c checksum driver, which allows attackers to cause a denial of service (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted ext4 image (CVE-2018-1094). The ext4_xattr_check_entries function in fs/ext4/xattr.c in the Linux kernel through 4.15.15 does not properly validate xattr sizes, which causes misinterpretation of a size as an error code, and consequently allows attackers to cause a denial of service (get_acl NULL pointer dereference and system crash) via a crafted ext4 image (CVE-2018-1095). By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks) (CVE-2018-1120). A null pointer dereference in dccp_write_xmit() function in net/dccp/output.c in the Linux kernel before v4.16-rc7 allows a local user to cause a denial of service by a number of certain crafted system calls (CVE-2018-1130). Speculative Store Bypass (SSB) – also known as Spectre Variant 4. Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (CVE-2018-3639). NOTE! This fix only apply to Amd hardware so far as Intel CPUs need a fixed microcode update in order for the fix to get activated. At the time of this release we dont yet know when Intel will release new microcode. The Linux kernel does not properly handle debug exceptions delivered after a stack switch operation via mov SS or pop SS instructions. During the stack switch operation, the exceptions are deferred. As a result, a local user can cause the kernel to crash (CVE-2018-8897). A race condition vulnerability exists in the sound system, that can lead to a deadlock and denial of service condition (CVE-2018-1000004). A flaw was found in the Linux kernel where an out of memory (oom) killing of a process that has large spans of mlocked memory can result in deferencing a NULL pointer, leading to denial of service (CVE-2018-1000200). WireGuard has been updated to 0.0.20180519. For other fixes in this update, see the referenced changelogs. references: - https://bugs.mageia.org/show_bug.cgi?id=23076 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.19 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.20 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.21 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.22 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.23 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.24 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.25 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.26 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.27 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.28 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.29 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.30 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.31 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.32 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.33 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.34 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.35 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.36 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.37 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.38 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.39 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.40 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.41 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.42 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.43 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.44
Keywords: (none) => advisory
Installed all three flavours on this recently upgraded system. Selexted tmb at boot. System: Host: markab Kernel: 4.14.44-tmb-desktop-2.mga6 x86_64 CPU: Quad core Intel Core i7-5700HQ (-HT-MCP-) speed/max: 2518/3500 MHz Machine: Device: laptop System: GIGABYTE product: X5 Graphics: Card-1: NVIDIA GM204M [GeForce GTX 965M] GLX Version: 4.6.0 NVIDIA 390.59 Network: Card-1: Qualcomm Atheros Killer E220x Gigabit Ethernet Controller driver: alx Card-2: Intel Wireless 7265 driver: iwlwifi RAM: 15.60 GB Running on ethernet just now. Ran usual stress tests and other applications. Pulled the plug on ethernet and wifi came up immediately. NFS shares and local networking OK. 3K graphics working well with stellarium and vlc. Closing and opening the laptod lid in the middle of this edit did no damage. Had to fiddle to get bluetooth audio working. Connection to TV soundbar failed. Removed device and added it again and all was well. It all looks good so far.
Enough tests, validating
Whiteboard: (none) => mga6-64-ok, mga6-32-okKeywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0264.html
Status: NEW => RESOLVEDResolution: (none) => FIXED