Bug 23458 - Update request: kernel-4.14.65-1.mga6
Summary: Update request: kernel-4.14.65-1.mga6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: High critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-64-ok, mga6-32-ok
Keywords: advisory, validated_update
Depends on: 23457
Blocks:
 
Reported: 2018-08-17 18:38 CEST by Thomas Backlund
Modified: 2018-08-19 14:57 CEST

See Also:
Source RPM: kernel
CVE:
Status comment:



Description Thomas Backlund 2018-08-17 18:38:36 CEST Comment hidden (obsolete)
Comment 1 Thomas Backlund 2018-08-17 18:41:31 CEST
This also wants the microcode update released before or at the same time as this update

Priority: Normal => High
Depends on: (none) => 23457

Comment 2 Brian Rockwell 2018-08-17 19:22:08 CEST Comment hidden (obsolete)

CC: (none) => brtians1

Comment 3 Len Lawrence 2018-08-17 20:48:53 CEST Comment hidden (obsolete)

CC: (none) => tarazed25

Comment 4 Len Lawrence 2018-08-17 21:13:05 CEST Comment hidden (obsolete)
Comment 5 Thomas Backlund 2018-08-17 23:03:04 CEST
Advisory, added to svn:

type: security
subject: Updated kernel packages fix security vulnerabilities
CVE:
 - CVE-2018-3615
 - CVE-2018-3620
 - CVE-2018-3646
src:
  6:
   core:
     - kernel-4.14.64-1.mga6
     - kernel-userspace-headers-4.14.64-1.mga6
     - kmod-vboxadditions-5.2.14-14.mga6
     - kmod-virtualbox-5.2.14-14.mga6
     - kmod-xtables-addons-2.13-55.mga6
     - wireguard-tools-0.0.20180809-1.mga6
description: |
  This kernel update is based on the upstream 4.14.64 and adds fixes
  and mitigations for the now publicly known security issue affecting
  Intel processors called L1 Terminal Fault (L1TF):

  Systems with microprocessors utilizing speculative execution and Intel
  Software Guard Extensions (Intel SGX) may allow unauthorized disclosure
  of information residing in the L1 data cache from an enclave to an
  attacker with local user access via side-channel analysis (CVE-2018-3615).

  Systems with microprocessors utilizing speculative execution and address
  translations may allow unauthorized disclosure of information residing in
  the L1 data cache to an attacker with local user access via a terminal
  page fault and side-channel analysis (CVE-2018-3620).

  Systems with microprocessors utilizing speculative execution and address
  translations may allow unauthorized disclosure of information residing in
  the L1 data cache to an attacker with local user access with guest OS
  privilege via a terminal page fault and side-channel analysis
  (CVE-2018-3646).

  The impact of the L1TF security issues:
  * Malicious applications may be able to infer the values of data in the
    operating system memory, or data from other applications.
  * A malicious guest virtual machine (VM) may be able to infer the values
    of data in the VMM’s memory, or values of data in the memory of other
    guest VMs.
  * Malicious software running outside of SMM may be able to infer values
    of data in SMM memory.
  * Malicious software running outside of an Intel® SGX enclave or within an
    enclave may be able to infer data from within another Intel SGX enclave.

  NOTE! You also need to install the 0.20180807-1.mga6.nonfree microcode
  update (mga#23457) or a bios update from your hardware vendor containing
  the updated microcodes to get all current set of fixes and mitigations
  for L1TF.

  Other changes in this update:
  * WireGuard has been updated to 0.0.20180809
  * added hwmon support for Threadripper2

  For other upstream fixes in this update, see the referenced changelogs.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=23458
 - https://bugs.mageia.org/show_bug.cgi?id=23457
 - https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault
 - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.63
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.64

Keywords: (none) => advisory
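
One way to confirm on a test machine that both halves of the update described in the advisory above (kernel and microcode) took effect, as an added example that is not part of the bug report or of Mageia's tooling. The sysfs path and the `flush_l1d` CPU flag are the upstream kernel's interfaces and are not named on this page; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check the kernel and microcode halves of the L1TF update.
# Assumption: upstream kernels with the L1TF patches report status here.
L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf
MIN_KERNEL=4.14.65   # kernel version shipped by this update request

# kernel_at_least RELEASE MIN: succeeds if RELEASE (uname -r style) >= MIN.
kernel_at_least() {
    ver=${1%%-*}     # "4.14.65-desktop-1.mga6" -> "4.14.65"
    lowest=$(printf '%s\n%s\n' "$ver" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# classify_l1tf LINE: map the sysfs status line to a short verdict.
# An empty line (file missing) means the kernel predates L1TF reporting.
classify_l1tf() {
    case "$1" in
        "Not affected"*)               echo not_affected ;;
        Mitigation:*"SMT vulnerable"*) echo mitigated_smt_exposed ;;
        Mitigation:*)                  echo mitigated ;;
        Vulnerable*)                   echo vulnerable ;;
        *)                             echo unknown ;;
    esac
}

# has_l1d_flush FLAGS: succeeds if the /proc/cpuinfo flags include flush_l1d,
# which is only present once updated microcode (or BIOS) is loaded.
has_l1d_flush() {
    case " $1 " in *" flush_l1d "*) return 0 ;; *) return 1 ;; esac
}

# report: run the three checks against the live system.
report() {
    release=$(uname -r)
    if kernel_at_least "$release" "$MIN_KERNEL"; then k=ok; else k=too_old; fi
    if [ -r "$L1TF_SYSFS" ]; then line=$(cat "$L1TF_SYSFS"); else line=""; fi
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
    if has_l1d_flush "$flags"; then m=present; else m=absent; fi
    echo "kernel=$release ($k) l1tf=$(classify_l1tf "$line") flush_l1d=$m"
}

# Only touch the live system when invoked as: sh thisfile check
if [ "${1:-}" = check ]; then report; fi
```

A `mitigated_smt_exposed` verdict is the case relevant to CVE-2018-3646: the host kernel is patched, but a hypervisor host with SMT enabled still reports residual exposure between sibling threads. AMD systems such as several of the test machines in this thread are expected to report `not_affected` with `flush_l1d` absent.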

Comment 6 Len Lawrence 2018-08-18 00:15:43 CEST Comment hidden (obsolete)
Comment 7 Thomas Andrews 2018-08-18 04:32:04 CEST Comment hidden (obsolete)

CC: (none) => andrewsfarm

Comment 8 Ben McMonagle 2018-08-18 06:47:42 CEST Comment hidden (obsolete)

CC: (none) => westel

Comment 9 Marja Van Waes 2018-08-18 07:21:49 CEST Comment hidden (obsolete)

CC: (none) => marja11

Comment 10 James Kerr 2018-08-18 10:43:56 CEST Comment hidden (obsolete)

CC: (none) => jim

Comment 11 Thomas Backlund 2018-08-18 12:26:28 CEST Comment hidden (obsolete)
Comment 12 Brian Rockwell 2018-08-18 14:56:46 CEST Comment hidden (obsolete)
Comment 13 Thomas Backlund 2018-08-18 14:58:32 CEST
And of course one broken thing with l1tf fixes was found upstream, so a 4.14.65 was released... :/

So I'm re-spinning all kernels to pick it up...

Whiteboard: (none) => feedback

Comment 14 Herman Viaene 2018-08-18 15:11:20 CEST Comment hidden (obsolete)

CC: (none) => herman.viaene

Comment 15 Marja Van Waes 2018-08-18 20:45:42 CEST
(In reply to Thomas Backlund from comment #13)
> And of course one broken thing with l1tf fixes was found upstream, so a
> 4.14.65 was released... :/
> 
> So I'm re-spinning all kernels to pick it up...

:-(

I'll obsolete all comments above about 4.14.64, including the description, but except the advisory, because you might want to be reminded that it needs to be updated or replaced in SVN

Summary: Update request: kernel-4.14.64-1.mga6 => Update request: kernel-4.14.65-1.mga6

Comment 16 Thomas Backlund 2018-08-18 21:06:31 CEST
4.14.65 is mirroring out...
(and the only change compared to 4.14.64 is the l1tf fix)

so updated rpms list to test:

SRPMS:
kernel-4.14.65-1.mga6.src.rpm
kernel-userspace-headers-4.14.65-1.mga6.src.rpm

kmod-vboxadditions-5.2.14-15.mga6.src.rpm
kmod-virtualbox-5.2.14-15.mga6.src.rpm
kmod-xtables-addons-2.13-60.mga6.src.rpm

wireguard-tools-0.0.20180809-1.mga6.src.rpm


i586:
cpupower-4.14.65-1.mga6.i586.rpm
cpupower-devel-4.14.65-1.mga6.i586.rpm
kernel-desktop-4.14.65-1.mga6-1-1.mga6.i586.rpm
kernel-desktop586-4.14.65-1.mga6-1-1.mga6.i586.rpm
kernel-desktop586-devel-4.14.65-1.mga6-1-1.mga6.i586.rpm
kernel-desktop586-devel-latest-4.14.65-1.mga6.i586.rpm
kernel-desktop586-latest-4.14.65-1.mga6.i586.rpm
kernel-desktop-devel-4.14.65-1.mga6-1-1.mga6.i586.rpm
kernel-desktop-devel-latest-4.14.65-1.mga6.i586.rpm
kernel-desktop-latest-4.14.65-1.mga6.i586.rpm
kernel-doc-4.14.65-1.mga6.noarch.rpm
kernel-server-4.14.65-1.mga6-1-1.mga6.i586.rpm
kernel-server-devel-4.14.65-1.mga6-1-1.mga6.i586.rpm
kernel-server-devel-latest-4.14.65-1.mga6.i586.rpm
kernel-server-latest-4.14.65-1.mga6.i586.rpm
kernel-source-4.14.65-1.mga6-1-1.mga6.noarch.rpm
kernel-source-latest-4.14.65-1.mga6.noarch.rpm
kernel-userspace-headers-4.14.65-1.mga6.i586.rpm
perf-4.14.65-1.mga6.i586.rpm

vboxadditions-kernel-4.14.65-desktop-1.mga6-5.2.14-15.mga6.i586.rpm
vboxadditions-kernel-4.14.65-desktop586-1.mga6-5.2.14-15.mga6.i586.rpm
vboxadditions-kernel-4.14.65-server-1.mga6-5.2.14-15.mga6.i586.rpm
vboxadditions-kernel-desktop586-latest-5.2.14-15.mga6.i586.rpm
vboxadditions-kernel-desktop-latest-5.2.14-15.mga6.i586.rpm
vboxadditions-kernel-server-latest-5.2.14-15.mga6.i586.rpm

virtualbox-kernel-4.14.65-desktop-1.mga6-5.2.14-15.mga6.i586.rpm
virtualbox-kernel-4.14.65-desktop586-1.mga6-5.2.14-15.mga6.i586.rpm
virtualbox-kernel-4.14.65-server-1.mga6-5.2.14-15.mga6.i586.rpm
virtualbox-kernel-desktop586-latest-5.2.14-15.mga6.i586.rpm
virtualbox-kernel-desktop-latest-5.2.14-15.mga6.i586.rpm
virtualbox-kernel-server-latest-5.2.14-15.mga6.i586.rpm

xtables-addons-kernel-4.14.65-desktop-1.mga6-2.13-60.mga6.i586.rpm
xtables-addons-kernel-4.14.65-desktop586-1.mga6-2.13-60.mga6.i586.rpm
xtables-addons-kernel-4.14.65-server-1.mga6-2.13-60.mga6.i586.rpm
xtables-addons-kernel-desktop586-latest-2.13-60.mga6.i586.rpm
xtables-addons-kernel-desktop-latest-2.13-60.mga6.i586.rpm
xtables-addons-kernel-server-latest-2.13-60.mga6.i586.rpm

wireguard-tools-0.0.20180809-1.mga6.i586.rpm



x86_64:
cpupower-4.14.65-1.mga6.x86_64.rpm
cpupower-devel-4.14.65-1.mga6.x86_64.rpm
kernel-desktop-4.14.65-1.mga6-1-1.mga6.x86_64.rpm
kernel-desktop-devel-4.14.65-1.mga6-1-1.mga6.x86_64.rpm
kernel-desktop-devel-latest-4.14.65-1.mga6.x86_64.rpm
kernel-desktop-latest-4.14.65-1.mga6.x86_64.rpm
kernel-doc-4.14.65-1.mga6.noarch.rpm
kernel-server-4.14.65-1.mga6-1-1.mga6.x86_64.rpm
kernel-server-devel-4.14.65-1.mga6-1-1.mga6.x86_64.rpm
kernel-server-devel-latest-4.14.65-1.mga6.x86_64.rpm
kernel-server-latest-4.14.65-1.mga6.x86_64.rpm
kernel-source-4.14.65-1.mga6-1-1.mga6.noarch.rpm
kernel-source-latest-4.14.65-1.mga6.noarch.rpm
kernel-userspace-headers-4.14.65-1.mga6.x86_64.rpm
perf-4.14.65-1.mga6.x86_64.rpm

vboxadditions-kernel-4.14.65-desktop-1.mga6-5.2.14-15.mga6.x86_64.rpm
vboxadditions-kernel-4.14.65-server-1.mga6-5.2.14-15.mga6.x86_64.rpm
vboxadditions-kernel-desktop-latest-5.2.14-15.mga6.x86_64.rpm
vboxadditions-kernel-server-latest-5.2.14-15.mga6.x86_64.rpm

virtualbox-kernel-4.14.65-desktop-1.mga6-5.2.14-15.mga6.x86_64.rpm
virtualbox-kernel-4.14.65-server-1.mga6-5.2.14-15.mga6.x86_64.rpm
virtualbox-kernel-desktop-latest-5.2.14-15.mga6.x86_64.rpm
virtualbox-kernel-server-latest-5.2.14-15.mga6.x86_64.rpm

xtables-addons-kernel-4.14.65-desktop-1.mga6-2.13-60.mga6.x86_64.rpm
xtables-addons-kernel-4.14.65-server-1.mga6-2.13-60.mga6.x86_64.rpm
xtables-addons-kernel-desktop-latest-2.13-60.mga6.x86_64.rpm
xtables-addons-kernel-server-latest-2.13-60.mga6.x86_64.rpm

wireguard-tools-0.0.20180809-1.mga6.x86_64.rpm

Whiteboard: feedback => (none)

Comment 17 Thomas Backlund 2018-08-18 21:52:33 CEST
All advisories updated for the switch to 4.14.65
Comment 18 Thomas Backlund 2018-08-18 21:53:11 CEST
4.14.65 now running on mageia infra, my own server and laptop
Comment 19 Morgan Leijström 2018-08-18 22:08:45 CEST
kernel-desktop-4.14.65-1.mga6-1-1.mga6.x86_64.rpm 
( updated to all updates in all updates_testing repos - incl microcode )

64 bit OK on my workstation: i7-2600K, Nvidia GTX750 (GM107) using proprietary driver GeForce 420 and later, with CUDA & OpenCL detected OK in BOINC, LVM on LUKS on SSD, VirtualBox running MSW7, Plasma5.12 etc, video in Firefox...

Also .64 was working OK.

CC: (none) => fri

Comment 20 Marja Van Waes 2018-08-18 22:17:26 CEST
Old ThinkPad SL510:

- microcode-0.20180807-1.mga6.nonfree.noarch
and
- cpupower-4.14.65-1.mga6.x86_64
- kernel-desktop-4.14.65-1.mga6-1-1.mga6.x86_64
- kernel-desktop-latest-4.14.65-1.mga6.x86_64
- kernel-userspace-headers-4.14.65-1.mga6.x86_64

[marja@Mga6_64bit ~]$ uname -r
4.14.65-desktop-1.mga6

Everything works fine, no regressions
Comment 21 Brian Rockwell 2018-08-18 23:09:51 CEST
GeForce 6150 LE
AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
MCP51 USB Controller
C51 Host Bridge


$ uname -a
Linux localhost 4.14.65-desktop-1.mga6 #1 SMP Sat Aug 18 16:12:25 UTC 2018 i686 i686 i686 GNU/Linux


Installed:

The following 6 packages are going to be installed:

- cpupower-4.14.65-1.mga6.i586
- cpupower-devel-4.14.65-1.mga6.i586
- kernel-desktop-4.14.65-1.mga6-1-1.mga6.i586
- kernel-desktop-devel-4.14.65-1.mga6-1-1.mga6.i586
- kernel-desktop-devel-latest-4.14.65-1.mga6.i586
- kernel-desktop-latest-4.14.65-1.mga6.i586

97MB of additional disk space will be used.

USB working, Networking working, Sound functions.

working fine, no regressions that I can tell.
Comment 22 Thomas Andrews 2018-08-18 23:33:57 CEST
Still working on my HP 6550b laptop, i3, 8GB, Intel graphics, Intel wifi, 64-bit Plasma system. (microcodes had been updated on the previous test) Packages installed cleanly, no problems noted.
Comment 23 Brian Rockwell 2018-08-18 23:36:19 CEST
RS780L [Radeon 3000]
AMD Athlon(tm) II X3 450 Processor

gnome


$ uname -a
Linux linux.local 4.14.65-desktop-1.mga6 #1 SMP Sat Aug 18 14:50:29 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux


So far so good.  Able to network, browser working, system behaving normally.
Comment 24 Ben McMonagle 2018-08-19 00:08:58 CEST
Mga6 on real 32bit hardware (lxde/lxqt desktop system)

uname -r
4.14.64-desktop-1.mga6


$ lscpu
Architecture:          i686
CPU op-mode(s):        32-bit

AMD Athlon(tm) XP 2400+

Flags:                 fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
                       mca cmov pat pse36 mmx fxsr sse syscall mmxext 3dnowext 
                       3dnow cpuid 3dnowprefetch vmmcall

To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates Testing (distrib5)")
  cpupower                       4.14.65      1.mga6        i586    
  kernel-desktop-4.14.65-1.mga6  1            1.mga6        i586    
  kernel-desktop-devel-4.14.65-> 1            1.mga6        i586    
  kernel-desktop-devel-latest    4.14.65      1.mga6        i586    
  kernel-desktop-latest          4.14.65      1.mga6        i586    
  kernel-userspace-headers       4.14.65      1.mga6        i586    
97MB of additional disk space will be used.
63MB of packages will be retrieved.
Proceed with the installation of the 6 packages? (Y/n) 



nvidia304 (304.137-2.mga6.nonfree): Installing module.
...............................................................
.............
Creating: target|kernel|dracut args|basicmodules 
 


reboot

uname -r
4.14.65-desktop-1.mga6

Firefox  - ok
USB detected and file manager popup -ok
VLC playback from USB .mkv video and audio - ok
Comment 25 Brian Rockwell 2018-08-19 00:28:36 CEST
$ uname -a
Linux localhost.localdomain 4.14.65-desktop-1.mga6 #1 SMP Sat Aug 18 14:50:29 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux


- cpupower-4.14.65-1.mga6.x86_64
- kernel-desktop-4.14.65-1.mga6-1-1.mga6.x86_64
- kernel-desktop-latest-4.14.65-1.mga6.x86_64
- microcode-0.20180807-1.mga6.nonfree.noarch

Intel video (integrated)
Intel(R) Core(TM) i3 CPU       M 350  @ 2.27GHz
RTL8191SEvB Wireless LAN Controller

wifi working, browser working, libreoffice working

Working as designed.
Comment 26 Morgan Leijström 2018-08-19 00:59:53 CEST
64 bit OK on laptop Thinkpad T60, CPU core2Duo T5600, ati RV515/M54 X1400, wifi AR5418, LVM on LUKS on SSD. 

Updated to all updates in all updates_testing repos.  All installed cleanly (incl -devel, cpupower, userspace-headers, microcode...), rebooted, tested OK Resume from suspend and hibernation is OK incl video in firefox with sound over wifi.
Comment 27 Thomas Andrews 2018-08-19 04:11:29 CEST
Same hardware as Comment 22, 32-bit Plasma system, using the server kernel.

Everything looks good here.
Comment 28 Morgan Leijström 2018-08-19 05:12:54 CEST
64 bit OK on laptop Acer Aspire 7 A717-71G:
Intel i5, Nvidia and Intel GPU:s but only intel is configured, as per default in Mageia installer. Disk: nVME SSD, EFI boot, separate /boot, then rest of system in LVM lv:s in a LUKS encrypted pv.

Suspend-resume incl wifi etc works

Have no time now to test whether it still fails hibernate-resume, Bug 22804 (has never worked for me)
Comment 29 Len Lawrence 2018-08-19 08:50:50 CEST
Mageia 6, x86_64, desktop kernel
Working fine on Skylake system - Intel i9-7900X, nvidia GTX 1080Ti.
Comment 30 James Kerr 2018-08-19 12:08:58 CEST
on mga6-64  plasma

packages installed cleanly:
- cpupower-4.14.65-1.mga6.x86_64
- kernel-desktop-4.14.65-1.mga6-1-1.mga6.x86_64
- kernel-desktop-devel-4.14.65-1.mga6-1-1.mga6.x86_64
- kernel-desktop-devel-latest-4.14.65-1.mga6.x86_64
- kernel-desktop-latest-4.14.65-1.mga6.x86_64
- kernel-userspace-headers-4.14.65-1.mga6.x86_64
- virtualbox-kernel-4.14.65-desktop-1.mga6-5.2.14-15.mga6.x86_64
- virtualbox-kernel-desktop-latest-5.2.14-15.mga6.x86_64

system rebooted normally:
$ uname -r
4.14.65-desktop-1.mga6

common applications OK

vbox and clients launched normally
Updated to kernel-desktop-4.14.65 on mga6-64 and mga6-32 clients - no regressions

OK for mga6-64 on this system:
Machine:   Device: desktop System: Dell product: Precision Tower 3620
           Mobo: Dell model: 09WH54 v: A00 UEFI [Legacy]: Dell v: 2.11.0 
CPU:       Quad core Intel Core i7-6700 (-HT-MCP-)
Graphics:  Card: Intel HD Graphics 530
Comment 31 Thomas Backlund 2018-08-19 13:00:53 CEST
Enough tests...

Validating and flushing out due to the severity

Keywords: (none) => validated_update
Whiteboard: (none) => mga6-64-ok, mga6-32-ok
CC: (none) => sysadmin-bugs

Comment 32 Mageia Robot 2018-08-19 13:25:52 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0345.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 33 Thomas Andrews 2018-08-19 14:57:30 CEST
Internet service glitches made me late once again, but I'll report anyway.

Old Dell Inspiron 5100, 32-bit P4, iGB RAM, Radeon 7500 graphics, old Atheros wifi, 32-bit Xfce system from the 6.1 test Live iso. Using the desktop586 kernel, as that is the one that the iso installs.

Looks good here.
