인텔 CPU 등 취약점의 윈도 및 주요 리눅스 패치 상태 (1/10 22:00 업데이트)

IT & Security/etc. (악성코드,취약점)

인텔 CPU 등 취약점의 윈도 및 주요 리눅스 패치 상태 (1/10 22:00 업데이트)

la Nube 2018. 1. 5. 11:55

인텔 CPU 등의 Kernel Side-Channel Attacks 주요 리눅스 패치 여부

http://la-nube.tistory.com/307

위 게시글에 대하여 주요 리눅스 패치 상태를 다음과 같이 업데이트합니다.

<이 내용은 2018년 1월 10일 22시 00분 기준입니다.>

<Ubuntu>

우분투 16.04 LTS Xenial Xerus / 리눅스민트 18.3 Sylvia / 하모니카 커뮤니티 배포판 MoorDev 1.0

- 커널 4.4 : linux 4.4.0-108.131 에서 linux 4.4.0-109.132 로 업데이트

linux (4.4.0-109.132) xenial; urgency=low

* linux: 4.4.0-109.132 -proposed tracker (LP: #1742252)

* Kernel trace with xenial 4.4 (4.4.0-108.131, Candidate kernels for PTI fix)

(LP: #1741934)

- SAUCE: kaiser: fix perf crashes - fix to original commit

- 커널 4.10/4.13 : linux-hwe 4.10.0-42.46~16.04.1 에서 4.13.0-26.29~16.04.2 로 업데이트

linux-hwe (4.13.0-26.29~16.04.2) xenial; urgency=low

* linux-hwe: 4.13.0-26.29~16.04.2 -proposed tracker (LP: #1742177)

* linux: 4.13.0-25.29 -proposed tracker (LP: #1741955)

* CVE-2017-5754

- Revert "UBUNTU: [Config] updateconfigs to enable PTI"

- [Config] Enable PTI with UNWINDER_FRAME_POINTER

<이 내용은 2018년 1월 10일 12시 00분 기준입니다.>

<Debian>

데비안 8 Jessie (OldStable) / 리눅스민트데비안에디션(LMDE) 2 Betsy

- linux 3.16.51-3 에서 linux 3.16.51-3+deb8u1 로 업데이트

- 다음과 같이 CVE-2017-5754 (Meltdown, 멜트다운) 취약점에 대하여 보안 패치가 발표됨 (fixed)

linux (3.16.51-3+deb8u1) jessie-security; urgency=high

* dccp: CVE-2017-8824: use-after-free in DCCP code

* Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealing with

l2cap socket

* Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with

l2cap socket (CVE-2017-15868)

* media: dvb-usb-v2: lmedm04: Improve logic checking of warm start

(CVE-2017-16538)

* media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner

(CVE-2017-16538)

* ipsec: Fix aborted xfrm policy dump crash (CVE-2017-16939)

* netfilter: nfnetlink_cthelper: Add missing permission checks

(CVE-2017-17448)

* netlink: Add netns check on taps (CVE-2017-17449)

* netfilter: xt_osf: Add missing permission checks (CVE-2017-17450)

* USB: core: prevent malicious bNumInterfaces overflow (CVE-2017-17558)

* [armhf,arm64,x86] KVM: Fix stack-out-of-bounds read in write_mmio

(CVE-2017-17741)

* crypto: salsa20 - fix blkcipher_walk API usage (CVE-2017-17805)

* crypto: hmac - require that the underlying hash algorithm is unkeyed

(CVE-2017-17806)

* KEYS: add missing permission check for request_key() destination

(CVE-2017-17807)

* [x86] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts

(CVE-2017-1000407)

* bluetooth: Prevent stack info leak from the EFS element.

(CVE-2017-1000410)

* Bump ABI to 5 and apply deferred stable changes:

- Input: i8042 - break load dependency between atkbd/psmouse and i8042

- Input: i8042 - set up shared ps2_cmd_mutex for AUX ports

- ACPICA: Utilities: split IO address types from data type models.

- [arm64] Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO

- block: fix bdi vs gendisk lifetime mismatch

- cgroup: make sure a parent css isn't offlined before its children

- libata: Align ata_device's id on a cacheline

- libata: Ignore spurious PHY event on LPM policy change

- net/ipv6: add sysctl option accept_ra_min_hop_limit

- quota: Store maximum space limit in bytes

- quota: Switch ->get_dqblk() and ->set_dqblk() to use bytes as space units

- [s390*] Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO

- scsi: scsi_error: count medium access timeout only once per EH run

- [x86] panic: replace smp_send_stop() with kdump friendly version in panic

path

* [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER)

(CVE-2017-5754)

<Ubuntu>

다음과 같이 CVE-2017-5754 (Meltdown, 멜트다운) 취약점을 '완화(경감)'하는 새로운 커널이 발표되었음

우분투 17.10 Artful Aardvark

- 커널 4.13 : linux 4.13.0-21.24 에서 linux 4.13.0-25.29 로 업데이트

우분투 17.04 Zesty Zapus

- 2017년 1월 13일 부로 지원종료

우분투 16.04 LTS Xenial Xerus / 리눅스민트 18.3 Sylvia / 하모니카 커뮤니티 배포판 MoorDev 1.0

- 커널 4.4 : linux 4.4.0-104.127 에서 linux 4.4.0-108.131 로 업데이트

- 커널 4.10 : linux-hwe 4.10.0-42.46~16.04.1 에서는 아직 보안 패치가 나오지 않았음

우분투 14.04 LTS Trusty Tahr / 리눅스민트 17.3 Rosa / 하모니카 2.1

- 커널 3.13 : linux 3.13.0-137.186 에서 linux 3.13.0-139.188 로 업데이트

- 커널 4.4 : linux-lts-xenial 4.4.0-104.127~14.04.1 에서 linux-lts-xenial 4.4.0-108.131~14.04.1 로 업데이트

우분투 12.04 LTS Trusty Tahr ESM (Extended Support Maintenance for Ubuntu Advantage Customers)

- 커널 3.2 : linux 3.2.0-132.178 로 업데이트

- 커널 3.13 : linux-lts-trusty 3.13.0-139.188~precise1 로 업데이트

<이 내용은 2018년 1월 10일 01시 00분 기준입니다.>

<Debian>

데비안 7 Wheezy (OldOldStable)

- linux 3.2.96-2 에서 linux 3.2.96-3 로 업데이트

- 다음과 같이 CVE-2017-5754 (Meltdown, 멜트다운) 취약점에 대하여 보안 패치가 발표됨 (fixed)

linux (3.2.96-3) wheezy-security; urgency=high

* [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER)

(CVE-2017-5754)

* Bump ABI to 5 and apply deferred stable changes:

- Input: i8042 - break load dependency between atkbd/psmouse and i8042

- Input: i8042 - set up shared ps2_cmd_mutex for AUX ports

- ACPICA: Utilities: split IO address types from data type models.

- ALSA: Enable CONFIG_ZONE_DMA for smaller PCI DMA masks

- libata: Align ata_device's id on a cacheline

- libata: Ignore spurious PHY event on LPM policy change

- net/ipv6: add sysctl option accept_ra_min_hop_limit

* USB: core: prevent malicious bNumInterfaces overflow (CVE-2017-17558)

* [x86] KVM: Fix stack-out-of-bounds read in write_mmio (CVE-2017-17741)

* crypto: salsa20 - fix blkcipher_walk API usage (CVE-2017-17805)

* crypto: hmac - require that the underlying hash algorithm is unkeyed

(CVE-2017-17806)

* KEYS: add missing permission check for request_key() destination

(CVE-2017-17807)

<Ubuntu>

우분투 17.10 Artful Aardvark

- 다음과 같이 CVE-2017-5754 (Meltdown, 멜트다운) 취약점을 '완화(경감)'하는 새로운 커널이 제안되었음(Proposed)

linux (4.13.0-25.29) artful; urgency=low

* linux: 4.13.0-25.29 -proposed tracker (LP: #1741955)

* CVE-2017-5754

- Revert "UBUNTU: [Config] updateconfigs to enable PTI"

- [Config] Enable PTI with UNWINDER_FRAME_POINTER

linux (4.13.0-24.28) artful; urgency=low

* linux: 4.13.0-24.28 -proposed tracker (LP: #1741745)

* CVE-2017-5754

- x86/cpu, x86/pti: Do not enable PTI on AMD processors

linux (4.13.0-23.27) artful; urgency=low

* linux: 4.13.0-23.27 -proposed tracker (LP: #1741556)

[ Kleber Sacilotto de Souza ]

* CVE-2017-5754

- x86/mm: Add the 'nopcid' boot option to turn off PCID

- x86/mm: Enable CR4.PCIDE on supported systems

- x86/mm: Document how CR4.PCIDE restore works

- x86/entry/64: Refactor IRQ stacks and make them NMI-safe

- x86/entry/64: Initialize the top of the IRQ stack before switching stacks

- x86/entry/64: Add unwind hint annotations

- xen/x86: Remove SME feature in PV guests

- x86/xen/64: Rearrange the SYSCALL entries

- irq: Make the irqentry text section unconditional

- x86/xen/64: Fix the reported SS and CS in SYSCALL

- x86/paravirt/xen: Remove xen_patch()

- x86/traps: Simplify pagefault tracing logic

- x86/idt: Unify gate_struct handling for 32/64-bit kernels

- x86/asm: Replace access to desc_struct:a/b fields

- x86/xen: Get rid of paravirt op adjust_exception_frame

- x86/paravirt: Remove no longer used paravirt functions

- x86/entry: Fix idtentry unwind hint

- x86/mm/64: Initialize CR4.PCIDE early

- objtool: Add ORC unwind table generation

- objtool, x86: Add facility for asm code to provide unwind hints

- x86/unwind: Add the ORC unwinder

- x86/kconfig: Consolidate unwinders into multiple choice selection

- objtool: Upgrade libelf-devel warning to error for CONFIG_ORC_UNWINDER

- x86/ldt/64: Refresh DS and ES when modify_ldt changes an entry

- x86/mm: Give each mm TLB flush generation a unique ID

- x86/mm: Track the TLB's tlb_gen and update the flushing algorithm

- x86/mm: Rework lazy TLB mode and TLB freshness tracking

- x86/mm: Implement PCID based optimization: try to preserve old TLB entries

using PCID

- x86/mm: Factor out CR3-building code

- x86/mm/64: Stop using CR3.PCID == 0 in ASID-aware code

- x86/mm: Flush more aggressively in lazy TLB mode

- Revert "x86/mm: Stop calling leave_mm() in idle code"

- kprobes/x86: Set up frame pointer in kprobe trampoline

- x86/tracing: Introduce a static key for exception tracing

- x86/boot: Add early cmdline parsing for options with arguments

- mm, x86/mm: Fix performance regression in get_user_pages_fast()

- x86/asm: Remove unnecessary \n\t in front of CC_SET() from asm templates

- objtool: Don't report end of section error after an empty unwind hint

- x86/head: Remove confusing comment

- x86/head: Remove unused 'bad_address' code

- x86/head: Fix head ELF function annotations

- x86/boot: Annotate verify_cpu() as a callable function

- x86/xen: Fix xen head ELF annotations

- x86/xen: Add unwind hint annotations

- x86/head: Add unwind hint annotations

- ACPI / APEI: adjust a local variable type in ghes_ioremap_pfn_irq()

- x86/unwinder: Make CONFIG_UNWINDER_ORC=y the default in the 64-bit defconfig

- x86/fpu/debug: Remove unused 'x86_fpu_state' and 'x86_fpu_deactivate_state'

tracepoints

- x86/unwind: Rename unwinder config options to 'CONFIG_UNWINDER_*'

- x86/unwind: Make CONFIG_UNWINDER_ORC=y the default in kconfig for 64-bit

- bitops: Add clear/set_bit32() to linux/bitops.h

- x86/cpuid: Add generic table for CPUID dependencies

- x86/fpu: Parse clearcpuid= as early XSAVE argument

- x86/fpu: Make XSAVE check the base CPUID features before enabling

- x86/fpu: Remove the explicit clearing of XSAVE dependent features

- x86/platform/UV: Convert timers to use timer_setup()

- objtool: Print top level commands on incorrect usage

- x86/cpuid: Prevent out of bound access in do_clear_cpu_cap()

- x86/entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt()

- mm/sparsemem: Allocate mem_section at runtime for CONFIG_SPARSEMEM_EXTREME=y

- x86/kasan: Use the same shadow offset for 4- and 5-level paging

- x86/xen: Provide pre-built page tables only for CONFIG_XEN_PV=y and

CONFIG_XEN_PVH=y

- x86/xen: Drop 5-level paging support code from the XEN_PV code

- ACPI / APEI: remove the unused dead-code for SEA/NMI notification type

- x86/asm: Don't use the confusing '.ifeq' directive

- x86/build: Beautify build log of syscall headers

- x86/mm/64: Rename the register_page_bootmem_memmap() 'size' parameter to

'nr_pages'

- x86/cpufeatures: Enable new SSE/AVX/AVX512 CPU features

- x86/mm: Relocate page fault error codes to traps.h

- x86/boot: Relocate definition of the initial state of CR0

- ptrace,x86: Make user_64bit_mode() available to 32-bit builds

- x86/entry/64: Remove the restore_c_regs_and_iret label

- x86/entry/64: Split the IRET-to-user and IRET-to-kernel paths

- x86/entry/64: Move SWAPGS into the common IRET-to-usermode path

- x86/entry/64: Simplify reg restore code in the standard IRET paths

- x86/entry/64: Shrink paranoid_exit_restore and make labels local

- x86/entry/64: Use pop instead of movq in syscall_return_via_sysret

- x86/entry/64: Merge the fast and slow SYSRET paths

- x86/entry/64: Use POP instead of MOV to restore regs on NMI return

- x86/entry/64: Remove the RESTORE_..._REGS infrastructure

- xen, x86/entry/64: Add xen NMI trap entry

- x86/entry/64: De-Xen-ify our NMI code

- x86/entry/32: Pull the MSR_IA32_SYSENTER_CS update code out of

native_load_sp0()

- x86/entry/64: Pass SP0 directly to load_sp0()

- x86/entry: Add task_top_of_stack() to find the top of a task's stack

- x86/xen/64, x86/entry/64: Clean up SP code in cpu_initialize_context()

- x86/entry/64: Stop initializing TSS.sp0 at boot

- x86/entry/64: Remove all remaining direct thread_struct::sp0 reads

- x86/entry/32: Fix cpu_current_top_of_stack initialization at boot

- x86/entry/64: Remove thread_struct::sp0

- x86/traps: Use a new on_thread_stack() helper to clean up an assertion

- x86/entry/64: Shorten TEST instructions

- x86/cpuid: Replace set/clear_bit32()

- bitops: Revert cbe96375025e ("bitops: Add clear/set_bit32() to

linux/bitops.h")

- x86/mm: Define _PAGE_TABLE using _KERNPG_TABLE

- x86/cpufeatures: Re-tabulate the X86_FEATURE definitions

- x86/cpufeatures: Fix various details in the feature definitions

- selftests/x86/protection_keys: Fix syscall NR redefinition warnings

- selftests/x86/ldt_gdt: Robustify against set_thread_area() and LAR oddities

- selftests/x86/ldt_gdt: Add infrastructure to test set_thread_area()

- selftests/x86/ldt_gdt: Run most existing LDT test cases against the GDT as

well

- selftests/x86/ldt_get: Add a few additional tests for limits

- ACPI / APEI: Replace ioremap_page_range() with fixmap

- x86/virt, x86/platform: Merge 'struct x86_hyper' into 'struct x86_platform'

and 'struct x86_init'

- x86/virt: Add enum for hypervisors to replace x86_hyper

- drivers/misc/intel/pti: Rename the header file to free up the namespace

- x86/cpufeature: Add User-Mode Instruction Prevention definitions

- x86: Make X86_BUG_FXSAVE_LEAK detectable in CPUID on AMD

- perf/x86: Enable free running PEBS for REGS_USER/INTR

- bpf: fix build issues on um due to mising bpf_perf_event.h

- locking/barriers: Add implicit smp_read_barrier_depends() to READ_ONCE()

- locking/barriers: Convert users of lockless_dereference() to READ_ONCE()

- x86/mm/kasan: Don't use vmemmap_populate() to initialize shadow

- mm/sparsemem: Fix ARM64 boot crash when CONFIG_SPARSEMEM_EXTREME=y

- objtool: Move synced files to their original relative locations

- objtool: Move kernel headers/code sync check to a script

- objtool: Fix cross-build

- tools/headers: Sync objtool UAPI header

- objtool: Fix 64-bit build on 32-bit host

- x86/decoder: Fix and update the opcodes map

- x86/decoder: Add new TEST instruction pattern

- x86/insn-eval: Add utility functions to get segment selector

- x86/entry/64/paravirt: Use paravirt-safe macro to access eflags

- x86/unwinder/orc: Dont bail on stack overflow

- x86/unwinder: Handle stack overflows more gracefully

- x86/irq: Remove an old outdated comment about context tracking races

- x86/irq/64: Print the offending IP in the stack overflow warning

- x86/entry/64: Allocate and enable the SYSENTER stack

- x86/dumpstack: Add get_stack_info() support for the SYSENTER stack

- x86/entry/gdt: Put per-CPU GDT remaps in ascending order

- x86/mm/fixmap: Generalize the GDT fixmap mechanism, introduce struct

cpu_entry_area

- x86/kasan/64: Teach KASAN about the cpu_entry_area

- x86/entry: Fix assumptions that the HW TSS is at the beginning of cpu_tss

- x86/dumpstack: Handle stack overflow on all stacks

- x86/entry: Move SYSENTER_stack to the beginning of struct tss_struct

- x86/entry: Remap the TSS into the CPU entry area

- x86/entry/64: Separate cpu_current_top_of_stack from TSS.sp0

- x86/espfix/64: Stop assuming that pt_regs is on the entry stack

- x86/entry/64: Use a per-CPU trampoline stack for IDT entries

- x86/entry/64: Return to userspace from the trampoline stack

- x86/entry/64: Create a per-CPU SYSCALL entry trampoline

- x86/entry/64: Move the IST stacks into struct cpu_entry_area

- x86/entry/64: Remove the SYSENTER stack canary

- x86/entry: Clean up the SYSENTER_stack code

- x86/entry/64: Make cpu_entry_area.tss read-only

- x86/paravirt: Dont patch flush_tlb_single

- x86/paravirt: Provide a way to check for hypervisors

- x86/cpufeatures: Make CPU bugs sticky

- x86/Kconfig: Limit NR_CPUS on 32-bit to a sane amount

- x86/mm/dump_pagetables: Check PAGE_PRESENT for real

- x86/mm/dump_pagetables: Make the address hints correct and readable

- x86/vsyscall/64: Explicitly set _PAGE_USER in the pagetable hierarchy

- x86/vsyscall/64: Warn and fail vsyscall emulation in NATIVE mode

- arch, mm: Allow arch_dup_mmap() to fail

- x86/ldt: Rework locking

- x86/ldt: Prevent LDT inheritance on exec

- x86/mm/64: Improve the memory map documentation

- x86/doc: Remove obvious weirdnesses from the x86 MM layout documentation

- x86/entry: Rename SYSENTER_stack to CPU_ENTRY_AREA_entry_stack

- x86/uv: Use the right TLB-flush API

- x86/microcode: Dont abuse the TLB-flush interface

- x86/mm: Use __flush_tlb_one() for kernel memory

- x86/mm: Remove superfluous barriers

- x86/mm: Add comments to clarify which TLB-flush functions are supposed to

flush what

- x86/mm: Move the CR3 construction functions to tlbflush.h

- x86/mm: Remove hard-coded ASID limit checks

- x86/mm: Put MMU to hardware ASID translation in one place

- x86/mm: Create asm/invpcid.h

- x86/cpu_entry_area: Move it to a separate unit

- x86/cpu_entry_area: Move it out of the fixmap

- init: Invoke init_espfix_bsp() from mm_init()

- x86/cpu_entry_area: Prevent wraparound in setup_cpu_entry_area_ptes() on

32bit

- x86/cpufeatures: Add X86_BUG_CPU_INSECURE

- x86/mm/pti: Disable global pages if PAGE_TABLE_ISOLATION=y

- x86/mm/pti: Prepare the x86/entry assembly code for entry/exit CR3 switching

- x86/mm/pti: Add infrastructure for page table isolation

- x86/pti: Add the pti= cmdline option and documentation

- x86/mm/pti: Add mapping helper functions

- x86/mm/pti: Allow NX poison to be set in p4d/pgd

- x86/mm/pti: Allocate a separate user PGD

- x86/mm/pti: Populate user PGD

- x86/mm/pti: Add functions to clone kernel PMDs

- x86/mm/pti: Force entry through trampoline when PTI active

- x86/mm/pti: Share cpu_entry_area with user space page tables

- x86/entry: Align entry text section to PMD boundary

- x86/mm/pti: Share entry text PMD

- x86/mm/pti: Map ESPFIX into user space

- x86/cpu_entry_area: Add debugstore entries to cpu_entry_area

- x86/events/intel/ds: Map debug buffers in cpu_entry_area

- x86/mm/64: Make a full PGD-entry size hole in the memory map

- x86/pti: Put the LDT in its own PGD if PTI is on

- x86/pti: Map the vsyscall page if needed

- x86/mm: Allow flushing for future ASID switches

- x86/mm: Abstract switching CR3

- x86/mm: Use/Fix PCID to optimize user/kernel switches

- x86/mm: Optimize RESTORE_CR3

- x86/mm: Use INVPCID for __native_flush_tlb_single()

- x86/mm: Clarify the whole ASID/kernel PCID/user PCID naming

- x86/dumpstack: Indicate in Oops whether PTI is configured and enabled

- x86/mm/pti: Add Kconfig

- x86/mm/dump_pagetables: Add page table directory to the debugfs VFS

hierarchy

- x86/mm/dump_pagetables: Check user space page table for WX pages

- x86/mm/dump_pagetables: Allow dumping current pagetables

- x86/ldt: Make the LDT mapping RO

- x86/smpboot: Remove stale TLB flush invocations

- x86/mm: Remove preempt_disable/enable() from __native_flush_tlb()

- x86/ldt: Plug memory leak in error path

- x86/ldt: Make LDT pgtable free conditional

- [Config] updateconfigs to enable PTI

- kvm: x86: fix RSM when PCID is non-zero

- x86/pti: Switch to kernel CR3 at early in entry_SYSCALL_compat()

- SAUCE: only attempt to use PCID in 64 bit builds

- SAUCE: BODGE: temporarily disable some kprobe trace points which are

cratering

- s390/mm: use generic mm_hooks

- objtool: use sh to invoke sync-check.sh in the Makefile

우분투 16.04 LTS Xenial Xerus / 리눅스민트 18.3 Sylvia / 하모니카 커뮤니티 배포판 MoorDev 1.0

- 다음과 같이 CVE-2017-5754 (Meltdown, 멜트다운) 취약점을 '완화(경감)'하는 새로운 커널이 제안되었음(Proposed)

linux (4.4.0-108.131) xenial; urgency=low

* linux: 4.4.0-108.131 -proposed tracker (LP: #1741727)

* CVE-2017-5754

- x86/mm: Disable PCID on 32-bit kernels

linux (4.4.0-107.130) xenial; urgency=low

* linux: 4.4.0-107.130 -proposed tracker (LP: #1741643)

* CVE-2017-5754

- Revert "UBUNTU: SAUCE: arch/x86/entry/vdso: temporarily disable vdso"

- KPTI: Report when enabled

- x86, vdso, pvclock: Simplify and speed up the vdso pvclock reader

- x86/vdso: Get pvclock data from the vvar VMA instead of the fixmap

- x86/kasan: Clear kasan_zero_page after TLB flush

- kaiser: Set _PAGE_NX only if supported

linux (4.4.0-106.129) xenial; urgency=low

* linux: 4.4.0-106.129 -proposed tracker (LP: #1741528)

* CVE-2017-5754

- KAISER: Kernel Address Isolation

- kaiser: merged update

- kaiser: do not set _PAGE_NX on pgd_none

- kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE

- kaiser: fix build and FIXME in alloc_ldt_struct()

- kaiser: KAISER depends on SMP

- kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER

- kaiser: fix perf crashes

- kaiser: ENOMEM if kaiser_pagetable_walk() NULL

- kaiser: tidied up asm/kaiser.h somewhat

- kaiser: tidied up kaiser_add/remove_mapping slightly

- kaiser: kaiser_remove_mapping() move along the pgd

- kaiser: cleanups while trying for gold link

- kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET

- kaiser: delete KAISER_REAL_SWITCH option

- kaiser: vmstat show NR_KAISERTABLE as nr_overhead

- x86/mm: Enable CR4.PCIDE on supported systems

- x86/mm: Build arch/x86/mm/tlb.c even on !SMP

- x86/mm, sched/core: Uninline switch_mm()

- x86/mm: Add INVPCID helpers

- x86/mm: If INVPCID is available, use it to flush global mappings

- kaiser: enhanced by kernel and user PCIDs

- kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user

- kaiser: PCID 0 for kernel and 128 for user

- kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user

- kaiser: paranoid_entry pass cr3 need to paranoid_exit

- kaiser: _pgd_alloc() without __GFP_REPEAT to avoid stalls

- kaiser: fix unlikely error in alloc_ldt_struct()

- kaiser: add "nokaiser" boot option, using ALTERNATIVE

- x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling

- x86/boot: Add early cmdline parsing for options with arguments

- x86/kaiser: Check boottime cmdline params

- kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush

- kaiser: drop is_atomic arg to kaiser_pagetable_walk()

- kaiser: asm/tlbflush.h handle noPGE at lower level

- kaiser: kaiser_flush_tlb_on_return_to_user() check PCID

- x86/paravirt: Dont patch flush_tlb_single

- x86/kaiser: Reenable PARAVIRT

- kaiser: disabled on Xen PV

- x86/kaiser: Move feature detection up

- kvm: x86: fix RSM when PCID is non-zero

- SAUCE: arch/x86/entry/vdso: temporarily disable vdso

- [Config]: CONFIG_KAISER=y

<이 내용은 2018년 1월 6일 22시 30분 기준입니다.>

제가 사용하는 백신인 비트디펜더 토탈 시큐리티에서 특정 레지스트리에 대한 패치가 완료되어,

마이크로소프트(MS) 윈도10 버전1703(레드스톤2, RS2)에 대한 누적 업데이트를 받았습니다.

마이크로소프트 윈도, 엣지, 인터넷 익스플로러에 대한 긴급 보안 패치입니다.

<이 내용은 2018년 1월 6일 00시 30분 기준입니다.>

마이크로소프트(MS) 윈도10에서 발표한 긴급 보안 패치 KB40568XX 적용 시 일부 제품들과의 호환성 문제로 인하여 BSOD(쉽게 말하면, 블루스크린)가 발생하는 경우가 확인되어, MS에서 자동 업데이트를 통한 배포를 중단하고, 특정 레지스트리가 설정된 PC에 한해서만 우선적으로 보안 패치를 적용하고 있습니다.

이 레지스트리는 안티바이러스(백신) 제품들과 관련된 것으로, 이 부분은 안티바이러스(제품) 업체에서 백신의 패치를 통하여 윈도 업데이트에 앞서 미리 해주어야 합니다.

이 부분에 대한 자세한 내용은 http://blog.alyac.co.kr/1472 를 참고하기 바랍니다.

<이 내용은 2018년 1월 5일 11시 30분 기준입니다.>

마이크로소프트(MS) 윈도10에서 미국시간으로 1월 4일부터, 한국시간으로는 5일부터

긴급 보안 패치가 예정되어 있었으나, 1월 5일 11시 30분 현재까지 자동 업데이트가 이루어지지 않고 있습니다.

참고로 수동으로 업데이트는 가능합니다.

<Debian>

데비안 9 Stretch (Stable)

- linux 4.9.65-3+deb9u1 에서 linux 4.9.65-3+deb9u2 로 업데이트

- 다음과 같이 CVE-2017-5754 (Meltdown, 멜트다운) 취약점에 대하여 보안 패치가 발표됨 (fixed)

linux (4.9.65-3+deb9u2) stretch-security; urgency=high

* x86: setup PCID, preparation work for KPTI.

- x86/mm/64: Fix reboot interaction with CR4.PCIDE

- x86/mm: Add the 'nopcid' boot option to turn off PCID

- x86/mm: Disable PCID on 32-bit kernels

- x86/mm: Enable CR4.PCIDE on supported systems

* [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER)

(CVE-2017-5754)

- kaiser: add "nokaiser" boot option, using ALTERNATIVE

- kaiser: align addition to x86/mm/Makefile

- kaiser: asm/tlbflush.h handle noPGE at lower level

- kaiser: cleanups while trying for gold link

- kaiser: delete KAISER_REAL_SWITCH option

- kaiser: disabled on Xen PV

- kaiser: do not set _PAGE_NX on pgd_none

- kaiser: drop is_atomic arg to kaiser_pagetable_walk()

- kaiser: enhanced by kernel and user PCIDs

- kaiser: ENOMEM if kaiser_pagetable_walk() NULL

- kaiser: fix build and FIXME in alloc_ldt_struct()

- kaiser: fix perf crashes

- kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER

- kaiser: fix unlikely error in alloc_ldt_struct()

- kaiser: KAISER depends on SMP

- kaiser: kaiser_flush_tlb_on_return_to_user() check PCID

- kaiser: kaiser_remove_mapping() move along the pgd

- KAISER: Kernel Address Isolation

- x86_64: KAISER - do not map kernel in user mode

- kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user

- kaiser: merged update

- kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET

- kaiser: paranoid_entry pass cr3 need to paranoid_exit

- kaiser: PCID 0 for kernel and 128 for user

- kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE

- kaiser: tidied up asm/kaiser.h somewhat

- kaiser: tidied up kaiser_add/remove_mapping slightly

- kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush

- kaiser: vmstat show NR_KAISERTABLE as nr_overhead

- kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user

- KPTI: Rename to PAGE_TABLE_ISOLATION

- KPTI: Report when enabled

- x86/boot: Add early cmdline parsing for options with arguments

- x86/kaiser: Check boottime cmdline params

- x86/kaiser: Move feature detection up

- x86/kaiser: Reenable PARAVIRT

- x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling

- x86/paravirt: Dont patch flush_tlb_single

* Bump ABI to 5.

- 그러나, 나머지 2개의 취약점인 Spectre(스펙터)에 대해서는 아직 보안 패치가 없음 (vulnerable)

<Ubuntu>

우분투 17.10 Artful Aardvark

- 최신버전 : linux 4.13.0-21.24

- 상태가 needs-triage 에서 pending 으로 변경됨, 보안 패치는 아직 발표되지 않았음

우분투 17.04 Zesty Zapus

- 최신버전 : linux 4.10.0-42.46

- 상태가 needs-triage 에서 pending 으로 변경됨, 보안 패치는 아직 발표되지 않았음

우분투 16.04 LTS Xenial Xerus / 리눅스민트 18.3 Sylvia / 하모니카 커뮤니티 배포판 MoorDev 1.0

- 최신버전 : linux 4.4.0-104.127 또는, linux-hwe 4.10.0-42.46~16.04.1

- 상태가 needs-triage 에서 pending 으로 변경됨, 보안 패치는 아직 발표되지 않았음

우분투 14.04 LTS Trusty Tahr / 리눅스민트 17.3 Rosa / 하모니카 2.1

- 최신버전 : linux 3.13.0-137.186 또는, linux-lts-xenial 4.4.0-104.127~14.04.1

- 상태가 needs-triage 에서 pending 으로 변경됨, 보안 패치는 아직 발표되지 않았음

우분투 12.04 LTS Trusty Tahr ESM (Extended Support Maintenance for Ubuntu Advantage Customers)

- 상태가 needs-triage 에서 pending 으로 변경됨, 보안 패치는 아직 발표되지 않았음

우분투 12.04 LTS Trusty Tahr / 리눅스민트 13 Maya

- 2017년 4월 28일 부로 지원종료

<RHEL>