CLD-202 Details
Other IDs this deficiency may be known by:
Basic Information:
| Affected Package(s) |
linux |
| Deficiency Type |
SECURITY |
| Date Created |
2018-01-07 13:45:12 |
| Date Last Modified |
2018-11-28 14:22:06 |
Version Specific Information:
| Cucumber 1.0 i686 | fixed in linux-4.9.77-i686-1 |
| Cucumber 1.0 x86_64 | fixed in linux-4.9.77-x86_64-1 |
| Cucumber 1.1 i686 |
fixed in linux-4.9.77-i686-1 |
| Cucumber 1.1 x86_64 |
fixed in linux-4.9.77-x86_64-1 |
Details:
==================================== Edit #5 ===================================
Further mitigated against in Linux 4.9.114. Here are the details from the
relevant changelog entry:
+----------------+
Mon Jul 23 12:58:16 EDT 2018
base/linux upgraded from 4.9.113 to 4.9.114 to further mitigate against Spectre
variants 1 and 2 (CVE-2017-5753 and CVE-2017-5715 respecitvely). For
more information see:
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.114
kernel/linux-source upgraded from 4.9.113 to 4.9.114
* SECURITY FIX *
+----------------+
==================================== Edit #5 ===================================
Mon May 14 18:44:12 EDT 2018:
The kernel has been rebuilt using the new kernel-gcc compiler to enable the
retpoline mitigation against this vulnerability. Here are the details from the
relevant changelog entry:
Mon May 14 18:08:17 EDT 2018
base/linux rebuilt (build 2) to enable the retpoline mitigation against the
Spectre v2 security vulnerability (CVE-2017-5715). Starting with this
build, the kernel-gcc package is now required to build the linux
package. It is necessary to use the newer kernel-gcc (GCC v7.3.0)
instead of the standard Cucumber Linux 1.1 gcc (GCC v5.3.0) because this
mitigation requires the kernel to be compiled with a retpoline aware
compiler, which GCC 5.3.0 is not but GCC 7.3.0 is. For more information
see:
https://security.cucumberlinux.com/security/details.php?id=202
https://www.mail-archive.com/lfs-support@lists.linuxfromscratch.org/msg04844.html
* SECURITY FIX *
==================================== Edit #4 ===================================
Fri Apr 20 16:51:06 EDT 2018:
This has been even further mitigated against in version 4.9.95 of the Linux
kernel. For more information see:
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.95
==================================== Edit #3 ===================================
This vulnerability has been further mitigated against in version 4.9.81 of the
Linux kernel. For further details see:
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.81
==================================== Edit #2 ===================================
While this vulnerability was originally addressed in version 4.9.77 of the
Linux kernel, it has been further addressed in version 4.9.79 where BPF was
disabled. Here are some more details from the relevant changelog entry:
Thu Feb 1 16:29:37 EST 2018
base/linux upgraded from 4.9.78 to 4.9.79 to further address the Spectre 2
attack (CVE-2017-5715). This update enables the new BPF_JIT_ALWAYS_ON
feature of the Linux kernel, which removes the kernel's BPF interpreter.
This interpreter was used in the Spectre 2 attack that Google published.
It should be noted that this change does not completely prevent this
attack, it just makes it more difficult to exploit. For more information
see:
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.79
http://security.cucumberlinux.com/security/details.php?id=202
* SECURITY FIX *
==================================== Edit #1 ===================================
In version 4.9.77 of the Linux kernel, patches were introduced attempting to
mitigate against this vulnerability.
================================= Original Post ================================
This is a hardware vulnerability, and as of Sun Jan 7 14:15:45 EST 2018 there
is no known fix for it or known way to mitigate the effects of it.
See https://meltdownattack.com/ for more information about this vulnerability.