Bug 23460 - Update request: kernel-linus-4.14.65-1.mga6
Summary: Update request: kernel-linus-4.14.65-1.mga6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: High critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-64-ok, mga6-32-ok
Keywords: advisory, validated_update
Depends on: 23457
Blocks:
  Show dependency treegraph
 
Reported: 2018-08-17 18:39 CEST by Thomas Backlund
Modified: 2018-08-19 13:25 CEST (History)
3 users (show)

See Also:
Source RPM: kernel-linus
CVE:
Status comment:


Attachments

Description Thomas Backlund 2018-08-17 18:39:15 CEST
High prio kernel security update for "L1TF" + some other security and bugfixes:
https://www.phoronix.com/scan.php?page=news_item&px=L1-Terminal-Fault

SRPMS:
kernel-linus-4.14.64-1.mga6.src.rpm


i586:
kernel-linus-4.14.64-1.mga6-1-1.mga6.i586.rpm
kernel-linus-devel-4.14.64-1.mga6-1-1.mga6.i586.rpm
kernel-linus-devel-latest-4.14.64-1.mga6.i586.rpm
kernel-linus-doc-4.14.64-1.mga6.noarch.rpm
kernel-linus-latest-4.14.64-1.mga6.i586.rpm
kernel-linus-source-4.14.64-1.mga6-1-1.mga6.noarch.rpm
kernel-linus-source-latest-4.14.64-1.mga6.noarch.rpm


x86_64:
kernel-linus-4.14.64-1.mga6-1-1.mga6.x86_64.rpm
kernel-linus-devel-4.14.64-1.mga6-1-1.mga6.x86_64.rpm
kernel-linus-devel-latest-4.14.64-1.mga6.x86_64.rpm
kernel-linus-doc-4.14.64-1.mga6.noarch.rpm
kernel-linus-latest-4.14.64-1.mga6.x86_64.rpm
kernel-linus-source-4.14.64-1.mga6-1-1.mga6.noarch.rpm
kernel-linus-source-latest-4.14.64-1.mga6.noarch.rpm
Comment 1 Thomas Backlund 2018-08-17 18:41:51 CEST
This also wants the microcode update released before or at the same time as this update

Priority: Normal => High
Depends on: (none) => 23457

Comment 2 Thomas Backlund 2018-08-17 23:06:08 CEST
Advisory, added to svn:

type: security
subject: Updated kernel-linus packages fix security vulnerabilities
CVE:
 - CVE-2018-3615
 - CVE-2018-3620
 - CVE-2018-3646
src:
  6:
   core:
     - kernel-linus-4.14.64-1.mga6
description: |
  This kernel-linus update is based on the upstream 4.14.64 and adds fixes
  and mitigations for the now publically known security issue affecting
  Intel processors called L1 Terminal Fault (L1TF):

  Systems with microprocessors utilizing speculative execution and Intel
  Software Guard Extensions (Intel SGX) may allow unauthorized disclosure
  of information residing in the L1 data cache from an enclave to an
  attacker with local user access via side-channel analysis (CVE-2018-3615).

  Systems with microprocessors utilizing speculative execution and address
  translations may allow unauthorized disclosure of information residing in
  the L1 data cache to an attacker with local user access via a terminal
  page fault and side-channel analysis (CVE-2018-3620).

  Systems with microprocessors utilizing speculative execution and address
  translations may allow unauthorized disclosure of information residing in
  the L1 data cache to an attacker with local user access with guest OS
  privilege via a terminal page fault and side-channel analysis
  (CVE-2018-3646).

  The impact of the L1TF security issues:
  * Malicious applications may be able to infer the values of data in the
    operating system memory, or data from other applications.
  * A malicious guest virtual machine (VM) may be able to infer the values
    of data in the VMM’s memory, or values of data in the memory of other
    guest VMs.
  * Malicious software running outside of SMM may be able to infer values
    of data in SMM memory.
  * Malicious software running outside of an Intel® SGX enclave or within an
    enclave may be able to infer data from within another Intel SGX enclave.

  NOTE! You also need to install the the 0.20180807-1.mga6.nonfree microcode
  update (mga#23457) or a bios update from your hardware vendor containing
  the updated microcodes to get all current set of fixes and mitigations
  for L1TF.

  For other upstream fixes in this update, see the referenced changelogs.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=23460
 - https://bugs.mageia.org/show_bug.cgi?id=23457
 - https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault
 - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.63
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.64

Keywords: (none) => advisory

Comment 3 psyca 2018-08-18 14:51:33 CEST
There is a new hotfix kernel upstream - Kernel 4.14.65
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.65

CC: (none) => linux

Comment 4 Thomas Backlund 2018-08-18 14:59:09 CEST
An of course one beoken thing with l1tf fixes was found upstream, so a 4.14.65 was released... :/

So I'm re-spinning all kernels to pick it up...

Whiteboard: (none) => feedback

Comment 5 Thomas Backlund 2018-08-18 18:04:30 CEST
4.14.65 is mirroring out...
(and the only change compared to 4.14.64 is the l1tf fix)

so rpms to test:

SRPMS:
kernel-linus-4.14.65-1.mga6.src.rpm


i586:
kernel-linus-4.14.65-1.mga6-1-1.mga6.i586.rpm
kernel-linus-devel-4.14.65-1.mga6-1-1.mga6.i586.rpm
kernel-linus-devel-latest-4.14.65-1.mga6.i586.rpm
kernel-linus-doc-4.14.65-1.mga6.noarch.rpm
kernel-linus-latest-4.14.65-1.mga6.i586.rpm
kernel-linus-source-4.14.65-1.mga6-1-1.mga6.noarch.rpm
kernel-linus-source-latest-4.14.65-1.mga6.noarch.rpm


x86_64:
kernel-linus-4.14.65-1.mga6-1-1.mga6.x86_64.rpm
kernel-linus-devel-4.14.65-1.mga6-1-1.mga6.x86_64.rpm
kernel-linus-devel-latest-4.14.65-1.mga6.x86_64.rpm
kernel-linus-doc-4.14.65-1.mga6.noarch.rpm
kernel-linus-latest-4.14.65-1.mga6.x86_64.rpm
kernel-linus-source-4.14.65-1.mga6-1-1.mga6.noarch.rpm
kernel-linus-source-latest-4.14.65-1.mga6.noarch.rpm

Summary: Update request: kernel-linus-4.14.64-1.mga6 => Update request: kernel-linus-4.14.65-1.mga6
Whiteboard: feedback => (none)

Comment 6 Len Lawrence 2018-08-19 09:42:20 CEST
Rebooted to Mate.  No issues so far.  Doing my morning chores with it.  Stress tests terminated OK.
$ uname -r
4.14.65-1.mga6

Intel Core i7-4790, NVIDIA GeForce GTX 970, Mobo: MSI model: Z97-G43

CC: (none) => tarazed25

Comment 7 Thomas Backlund 2018-08-19 13:01:01 CEST
Enough tests...

Validating and flushing out due to the severity

Keywords: (none) => validated_update
Whiteboard: (none) => mga6-64-ok, mga6-32-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2018-08-19 13:25:56 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0347.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.