
Major Linux patch status for the kernel side-channel attacks on Intel and other CPUs

http://la-nube.tistory.com/307


Following on from the post above, the status of the major Linux patches is updated as follows.


--


<This information is current as of 10 January 2018, 22:00.>


<Ubuntu>


Ubuntu 16.04 LTS Xenial Xerus / Linux Mint 18.3 Sylvia / HamoniKR community distribution MoorDev 1.0

 - Kernel 4.4: updated from linux 4.4.0-108.131 to linux 4.4.0-109.132


linux (4.4.0-109.132) xenial; urgency=low

  * linux: 4.4.0-109.132 -proposed tracker (LP: #1742252)

  * Kernel trace with xenial 4.4  (4.4.0-108.131, Candidate kernels for PTI fix)

    (LP: #1741934)

    - SAUCE: kaiser: fix perf crashes - fix to original commit


 - Kernel 4.10/4.13: linux-hwe updated from 4.10.0-42.46~16.04.1 to 4.13.0-26.29~16.04.2


linux-hwe (4.13.0-26.29~16.04.2) xenial; urgency=low

  * linux-hwe: 4.13.0-26.29~16.04.2 -proposed tracker (LP: #1742177)

  * linux: 4.13.0-25.29 -proposed tracker (LP: #1741955)

  * CVE-2017-5754

    - Revert "UBUNTU: [Config] updateconfigs to enable PTI"

    - [Config] Enable PTI with UNWINDER_FRAME_POINTER


--


<This information is current as of 10 January 2018, 12:00.>


<Debian>


Debian 8 Jessie (OldStable) / Linux Mint Debian Edition (LMDE) 2 Betsy

 - updated from linux 3.16.51-3 to linux 3.16.51-3+deb8u1



 - A security patch for the CVE-2017-5754 (Meltdown) vulnerability has been released, as follows (fixed)


linux (3.16.51-3+deb8u1) jessie-security; urgency=high

  * dccp: CVE-2017-8824: use-after-free in DCCP code

  * Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealing with

    l2cap socket

  * Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with

    l2cap socket (CVE-2017-15868)

  * media: dvb-usb-v2: lmedm04: Improve logic checking of warm start

    (CVE-2017-16538)

  * media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner

    (CVE-2017-16538)

  * ipsec: Fix aborted xfrm policy dump crash (CVE-2017-16939)

  * netfilter: nfnetlink_cthelper: Add missing permission checks

    (CVE-2017-17448)

  * netlink: Add netns check on taps (CVE-2017-17449)

  * netfilter: xt_osf: Add missing permission checks (CVE-2017-17450)

  * USB: core: prevent malicious bNumInterfaces overflow (CVE-2017-17558)

  * [armhf,arm64,x86] KVM: Fix stack-out-of-bounds read in write_mmio

    (CVE-2017-17741)

  * crypto: salsa20 - fix blkcipher_walk API usage (CVE-2017-17805)

  * crypto: hmac - require that the underlying hash algorithm is unkeyed

    (CVE-2017-17806)

  * KEYS: add missing permission check for request_key() destination

    (CVE-2017-17807)

  * [x86]  KVM: VMX: remove I/O port 0x80 bypass on Intel hosts

    (CVE-2017-1000407)

  * bluetooth: Prevent stack info leak from the EFS element.

    (CVE-2017-1000410)

  * Bump ABI to 5 and apply deferred stable changes:

    - Input: i8042 - break load dependency between atkbd/psmouse and i8042

    - Input: i8042 - set up shared ps2_cmd_mutex for AUX ports

    - ACPICA: Utilities: split IO address types from data type models.

    - [arm64] Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO

    - block: fix bdi vs gendisk lifetime mismatch

    - cgroup: make sure a parent css isn't offlined before its children

    - libata: Align ata_device's id on a cacheline

    - libata: Ignore spurious PHY event on LPM policy change

    - net/ipv6: add sysctl option accept_ra_min_hop_limit

    - quota: Store maximum space limit in bytes

    - quota: Switch ->get_dqblk() and ->set_dqblk() to use bytes as space units

    - [s390*] Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO

    - scsi: scsi_error: count medium access timeout only once per EH run

    - [x86] panic: replace smp_send_stop() with kdump friendly version in panic

      path

  * [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER)

    (CVE-2017-5754)



<Ubuntu>


A new kernel that 'mitigates' the CVE-2017-5754 (Meltdown) vulnerability has been released, as follows


Ubuntu 17.10 Artful Aardvark

 - Kernel 4.13: updated from linux 4.13.0-21.24 to linux 4.13.0-25.29


Ubuntu 17.04 Zesty Zapus

 - Support ended as of 13 January 2017


Ubuntu 16.04 LTS Xenial Xerus / Linux Mint 18.3 Sylvia / HamoniKR community distribution MoorDev 1.0

 - Kernel 4.4: updated from linux 4.4.0-104.127 to linux 4.4.0-108.131

 - Kernel 4.10: no security patch has been released yet for linux-hwe 4.10.0-42.46~16.04.1


Ubuntu 14.04 LTS Trusty Tahr / Linux Mint 17.3 Rosa / HamoniKR 2.1

 - Kernel 3.13: updated from linux 3.13.0-137.186 to linux 3.13.0-139.188

 - Kernel 4.4: updated from linux-lts-xenial 4.4.0-104.127~14.04.1 to linux-lts-xenial 4.4.0-108.131~14.04.1


Ubuntu 12.04 LTS Trusty Tahr ESM (Extended Support Maintenance for Ubuntu Advantage Customers)

 - Kernel 3.2: updated to linux 3.2.0-132.178

 - Kernel 3.13: updated to linux-lts-trusty 3.13.0-139.188~precise1


--


<This information is current as of 10 January 2018, 01:00.>


<Debian>


Debian 7 Wheezy (OldOldStable)

 - updated from linux 3.2.96-2 to linux 3.2.96-3



 - A security patch for the CVE-2017-5754 (Meltdown) vulnerability has been released, as follows (fixed)


linux (3.2.96-3) wheezy-security; urgency=high

  * [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER)

    (CVE-2017-5754)

  * Bump ABI to 5 and apply deferred stable changes:

    - Input: i8042 - break load dependency between atkbd/psmouse and i8042

    - Input: i8042 - set up shared ps2_cmd_mutex for AUX ports

    - ACPICA: Utilities: split IO address types from data type models.

    - ALSA: Enable CONFIG_ZONE_DMA for smaller PCI DMA masks

    - libata: Align ata_device's id on a cacheline

    - libata: Ignore spurious PHY event on LPM policy change

    - net/ipv6: add sysctl option accept_ra_min_hop_limit

  * USB: core: prevent malicious bNumInterfaces overflow (CVE-2017-17558)

  * [x86] KVM: Fix stack-out-of-bounds read in write_mmio (CVE-2017-17741)

  * crypto: salsa20 - fix blkcipher_walk API usage (CVE-2017-17805)

  * crypto: hmac - require that the underlying hash algorithm is unkeyed

    (CVE-2017-17806)

  * KEYS: add missing permission check for request_key() destination

    (CVE-2017-17807)



<Ubuntu>


Ubuntu 17.10 Artful Aardvark

 - A new kernel that 'mitigates' the CVE-2017-5754 (Meltdown) vulnerability has been proposed, as follows (Proposed)


linux (4.13.0-25.29) artful; urgency=low

  * linux: 4.13.0-25.29 -proposed tracker (LP: #1741955)

  * CVE-2017-5754

    - Revert "UBUNTU: [Config] updateconfigs to enable PTI"

    - [Config] Enable PTI with UNWINDER_FRAME_POINTER


linux (4.13.0-24.28) artful; urgency=low

  * linux: 4.13.0-24.28 -proposed tracker (LP: #1741745)

  * CVE-2017-5754

    - x86/cpu, x86/pti: Do not enable PTI on AMD processors


linux (4.13.0-23.27) artful; urgency=low

  * linux: 4.13.0-23.27 -proposed tracker (LP: #1741556)

  [ Kleber Sacilotto de Souza ]

  * CVE-2017-5754

    - x86/mm: Add the 'nopcid' boot option to turn off PCID

    - x86/mm: Enable CR4.PCIDE on supported systems

    - x86/mm: Document how CR4.PCIDE restore works

    - x86/entry/64: Refactor IRQ stacks and make them NMI-safe

    - x86/entry/64: Initialize the top of the IRQ stack before switching stacks

    - x86/entry/64: Add unwind hint annotations

    - xen/x86: Remove SME feature in PV guests

    - x86/xen/64: Rearrange the SYSCALL entries

    - irq: Make the irqentry text section unconditional

    - x86/xen/64: Fix the reported SS and CS in SYSCALL

    - x86/paravirt/xen: Remove xen_patch()

    - x86/traps: Simplify pagefault tracing logic

    - x86/idt: Unify gate_struct handling for 32/64-bit kernels

    - x86/asm: Replace access to desc_struct:a/b fields

    - x86/xen: Get rid of paravirt op adjust_exception_frame

    - x86/paravirt: Remove no longer used paravirt functions

    - x86/entry: Fix idtentry unwind hint

    - x86/mm/64: Initialize CR4.PCIDE early

    - objtool: Add ORC unwind table generation

    - objtool, x86: Add facility for asm code to provide unwind hints

    - x86/unwind: Add the ORC unwinder

    - x86/kconfig: Consolidate unwinders into multiple choice selection

    - objtool: Upgrade libelf-devel warning to error for CONFIG_ORC_UNWINDER

    - x86/ldt/64: Refresh DS and ES when modify_ldt changes an entry

    - x86/mm: Give each mm TLB flush generation a unique ID

    - x86/mm: Track the TLB's tlb_gen and update the flushing algorithm

    - x86/mm: Rework lazy TLB mode and TLB freshness tracking

    - x86/mm: Implement PCID based optimization: try to preserve old TLB entries

      using PCID

    - x86/mm: Factor out CR3-building code

    - x86/mm/64: Stop using CR3.PCID == 0 in ASID-aware code

    - x86/mm: Flush more aggressively in lazy TLB mode

    - Revert "x86/mm: Stop calling leave_mm() in idle code"

    - kprobes/x86: Set up frame pointer in kprobe trampoline

    - x86/tracing: Introduce a static key for exception tracing

    - x86/boot: Add early cmdline parsing for options with arguments

    - mm, x86/mm: Fix performance regression in get_user_pages_fast()

    - x86/asm: Remove unnecessary \n\t in front of CC_SET() from asm templates

    - objtool: Don't report end of section error after an empty unwind hint

    - x86/head: Remove confusing comment

    - x86/head: Remove unused 'bad_address' code

    - x86/head: Fix head ELF function annotations

    - x86/boot: Annotate verify_cpu() as a callable function

    - x86/xen: Fix xen head ELF annotations

    - x86/xen: Add unwind hint annotations

    - x86/head: Add unwind hint annotations

    - ACPI / APEI: adjust a local variable type in ghes_ioremap_pfn_irq()

    - x86/unwinder: Make CONFIG_UNWINDER_ORC=y the default in the 64-bit defconfig

    - x86/fpu/debug: Remove unused 'x86_fpu_state' and 'x86_fpu_deactivate_state'

      tracepoints

    - x86/unwind: Rename unwinder config options to 'CONFIG_UNWINDER_*'

    - x86/unwind: Make CONFIG_UNWINDER_ORC=y the default in kconfig for 64-bit

    - bitops: Add clear/set_bit32() to linux/bitops.h

    - x86/cpuid: Add generic table for CPUID dependencies

    - x86/fpu: Parse clearcpuid= as early XSAVE argument

    - x86/fpu: Make XSAVE check the base CPUID features before enabling

    - x86/fpu: Remove the explicit clearing of XSAVE dependent features

    - x86/platform/UV: Convert timers to use timer_setup()

    - objtool: Print top level commands on incorrect usage

    - x86/cpuid: Prevent out of bound access in do_clear_cpu_cap()

    - x86/entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt()

    - mm/sparsemem: Allocate mem_section at runtime for CONFIG_SPARSEMEM_EXTREME=y

    - x86/kasan: Use the same shadow offset for 4- and 5-level paging

    - x86/xen: Provide pre-built page tables only for CONFIG_XEN_PV=y and

      CONFIG_XEN_PVH=y

    - x86/xen: Drop 5-level paging support code from the XEN_PV code

    - ACPI / APEI: remove the unused dead-code for SEA/NMI notification type

    - x86/asm: Don't use the confusing '.ifeq' directive

    - x86/build: Beautify build log of syscall headers

    - x86/mm/64: Rename the register_page_bootmem_memmap() 'size' parameter to

      'nr_pages'

    - x86/cpufeatures: Enable new SSE/AVX/AVX512 CPU features

    - x86/mm: Relocate page fault error codes to traps.h

    - x86/boot: Relocate definition of the initial state of CR0

    - ptrace,x86: Make user_64bit_mode() available to 32-bit builds

    - x86/entry/64: Remove the restore_c_regs_and_iret label

    - x86/entry/64: Split the IRET-to-user and IRET-to-kernel paths

    - x86/entry/64: Move SWAPGS into the common IRET-to-usermode path

    - x86/entry/64: Simplify reg restore code in the standard IRET paths

    - x86/entry/64: Shrink paranoid_exit_restore and make labels local

    - x86/entry/64: Use pop instead of movq in syscall_return_via_sysret

    - x86/entry/64: Merge the fast and slow SYSRET paths

    - x86/entry/64: Use POP instead of MOV to restore regs on NMI return

    - x86/entry/64: Remove the RESTORE_..._REGS infrastructure

    - xen, x86/entry/64: Add xen NMI trap entry

    - x86/entry/64: De-Xen-ify our NMI code

    - x86/entry/32: Pull the MSR_IA32_SYSENTER_CS update code out of

      native_load_sp0()

    - x86/entry/64: Pass SP0 directly to load_sp0()

    - x86/entry: Add task_top_of_stack() to find the top of a task's stack

    - x86/xen/64, x86/entry/64: Clean up SP code in cpu_initialize_context()

    - x86/entry/64: Stop initializing TSS.sp0 at boot

    - x86/entry/64: Remove all remaining direct thread_struct::sp0 reads

    - x86/entry/32: Fix cpu_current_top_of_stack initialization at boot

    - x86/entry/64: Remove thread_struct::sp0

    - x86/traps: Use a new on_thread_stack() helper to clean up an assertion

    - x86/entry/64: Shorten TEST instructions

    - x86/cpuid: Replace set/clear_bit32()

    - bitops: Revert cbe96375025e ("bitops: Add clear/set_bit32() to

      linux/bitops.h")

    - x86/mm: Define _PAGE_TABLE using _KERNPG_TABLE

    - x86/cpufeatures: Re-tabulate the X86_FEATURE definitions

    - x86/cpufeatures: Fix various details in the feature definitions

    - selftests/x86/protection_keys: Fix syscall NR redefinition warnings

    - selftests/x86/ldt_gdt: Robustify against set_thread_area() and LAR oddities

    - selftests/x86/ldt_gdt: Add infrastructure to test set_thread_area()

    - selftests/x86/ldt_gdt: Run most existing LDT test cases against the GDT as

      well

    - selftests/x86/ldt_get: Add a few additional tests for limits

    - ACPI / APEI: Replace ioremap_page_range() with fixmap

    - x86/virt, x86/platform: Merge 'struct x86_hyper' into 'struct x86_platform'

      and 'struct x86_init'

    - x86/virt: Add enum for hypervisors to replace x86_hyper

    - drivers/misc/intel/pti: Rename the header file to free up the namespace

    - x86/cpufeature: Add User-Mode Instruction Prevention definitions

    - x86: Make X86_BUG_FXSAVE_LEAK detectable in CPUID on AMD

    - perf/x86: Enable free running PEBS for REGS_USER/INTR

    - bpf: fix build issues on um due to mising bpf_perf_event.h

    - locking/barriers: Add implicit smp_read_barrier_depends() to READ_ONCE()

    - locking/barriers: Convert users of lockless_dereference() to READ_ONCE()

    - x86/mm/kasan: Don't use vmemmap_populate() to initialize shadow

    - mm/sparsemem: Fix ARM64 boot crash when CONFIG_SPARSEMEM_EXTREME=y

    - objtool: Move synced files to their original relative locations

    - objtool: Move kernel headers/code sync check to a script

    - objtool: Fix cross-build

    - tools/headers: Sync objtool UAPI header

    - objtool: Fix 64-bit build on 32-bit host

    - x86/decoder: Fix and update the opcodes map

    - x86/decoder: Add new TEST instruction pattern

    - x86/insn-eval: Add utility functions to get segment selector

    - x86/entry/64/paravirt: Use paravirt-safe macro to access eflags

    - x86/unwinder/orc: Dont bail on stack overflow

    - x86/unwinder: Handle stack overflows more gracefully

    - x86/irq: Remove an old outdated comment about context tracking races

    - x86/irq/64: Print the offending IP in the stack overflow warning

    - x86/entry/64: Allocate and enable the SYSENTER stack

    - x86/dumpstack: Add get_stack_info() support for the SYSENTER stack

    - x86/entry/gdt: Put per-CPU GDT remaps in ascending order

    - x86/mm/fixmap: Generalize the GDT fixmap mechanism, introduce struct

      cpu_entry_area

    - x86/kasan/64: Teach KASAN about the cpu_entry_area

    - x86/entry: Fix assumptions that the HW TSS is at the beginning of cpu_tss

    - x86/dumpstack: Handle stack overflow on all stacks

    - x86/entry: Move SYSENTER_stack to the beginning of struct tss_struct

    - x86/entry: Remap the TSS into the CPU entry area

    - x86/entry/64: Separate cpu_current_top_of_stack from TSS.sp0

    - x86/espfix/64: Stop assuming that pt_regs is on the entry stack

    - x86/entry/64: Use a per-CPU trampoline stack for IDT entries

    - x86/entry/64: Return to userspace from the trampoline stack

    - x86/entry/64: Create a per-CPU SYSCALL entry trampoline

    - x86/entry/64: Move the IST stacks into struct cpu_entry_area

    - x86/entry/64: Remove the SYSENTER stack canary

    - x86/entry: Clean up the SYSENTER_stack code

    - x86/entry/64: Make cpu_entry_area.tss read-only

    - x86/paravirt: Dont patch flush_tlb_single

    - x86/paravirt: Provide a way to check for hypervisors

    - x86/cpufeatures: Make CPU bugs sticky

    - x86/Kconfig: Limit NR_CPUS on 32-bit to a sane amount

    - x86/mm/dump_pagetables: Check PAGE_PRESENT for real

    - x86/mm/dump_pagetables: Make the address hints correct and readable

    - x86/vsyscall/64: Explicitly set _PAGE_USER in the pagetable hierarchy

    - x86/vsyscall/64: Warn and fail vsyscall emulation in NATIVE mode

    - arch, mm: Allow arch_dup_mmap() to fail

    - x86/ldt: Rework locking

    - x86/ldt: Prevent LDT inheritance on exec

    - x86/mm/64: Improve the memory map documentation

    - x86/doc: Remove obvious weirdnesses from the x86 MM layout documentation

    - x86/entry: Rename SYSENTER_stack to CPU_ENTRY_AREA_entry_stack

    - x86/uv: Use the right TLB-flush API

    - x86/microcode: Dont abuse the TLB-flush interface

    - x86/mm: Use __flush_tlb_one() for kernel memory

    - x86/mm: Remove superfluous barriers

    - x86/mm: Add comments to clarify which TLB-flush functions are supposed to

      flush what

    - x86/mm: Move the CR3 construction functions to tlbflush.h

    - x86/mm: Remove hard-coded ASID limit checks

    - x86/mm: Put MMU to hardware ASID translation in one place

    - x86/mm: Create asm/invpcid.h

    - x86/cpu_entry_area: Move it to a separate unit

    - x86/cpu_entry_area: Move it out of the fixmap

    - init: Invoke init_espfix_bsp() from mm_init()

    - x86/cpu_entry_area: Prevent wraparound in setup_cpu_entry_area_ptes() on

      32bit

    - x86/cpufeatures: Add X86_BUG_CPU_INSECURE

    - x86/mm/pti: Disable global pages if PAGE_TABLE_ISOLATION=y

    - x86/mm/pti: Prepare the x86/entry assembly code for entry/exit CR3 switching

    - x86/mm/pti: Add infrastructure for page table isolation

    - x86/pti: Add the pti= cmdline option and documentation

    - x86/mm/pti: Add mapping helper functions

    - x86/mm/pti: Allow NX poison to be set in p4d/pgd

    - x86/mm/pti: Allocate a separate user PGD

    - x86/mm/pti: Populate user PGD

    - x86/mm/pti: Add functions to clone kernel PMDs

    - x86/mm/pti: Force entry through trampoline when PTI active

    - x86/mm/pti: Share cpu_entry_area with user space page tables

    - x86/entry: Align entry text section to PMD boundary

    - x86/mm/pti: Share entry text PMD

    - x86/mm/pti: Map ESPFIX into user space

    - x86/cpu_entry_area: Add debugstore entries to cpu_entry_area

    - x86/events/intel/ds: Map debug buffers in cpu_entry_area

    - x86/mm/64: Make a full PGD-entry size hole in the memory map

    - x86/pti: Put the LDT in its own PGD if PTI is on

    - x86/pti: Map the vsyscall page if needed

    - x86/mm: Allow flushing for future ASID switches

    - x86/mm: Abstract switching CR3

    - x86/mm: Use/Fix PCID to optimize user/kernel switches

    - x86/mm: Optimize RESTORE_CR3

    - x86/mm: Use INVPCID for __native_flush_tlb_single()

    - x86/mm: Clarify the whole ASID/kernel PCID/user PCID naming

    - x86/dumpstack: Indicate in Oops whether PTI is configured and enabled

    - x86/mm/pti: Add Kconfig

    - x86/mm/dump_pagetables: Add page table directory to the debugfs VFS

      hierarchy

    - x86/mm/dump_pagetables: Check user space page table for WX pages

    - x86/mm/dump_pagetables: Allow dumping current pagetables

    - x86/ldt: Make the LDT mapping RO

    - x86/smpboot: Remove stale TLB flush invocations

    - x86/mm: Remove preempt_disable/enable() from __native_flush_tlb()

    - x86/ldt: Plug memory leak in error path

    - x86/ldt: Make LDT pgtable free conditional

    - [Config] updateconfigs to enable PTI

    - kvm: x86: fix RSM when PCID is non-zero

    - x86/pti: Switch to kernel CR3 at early in entry_SYSCALL_compat()

    - SAUCE: only attempt to use PCID in 64 bit builds

    - SAUCE: BODGE: temporarily disable some kprobe trace points which are

      cratering

    - s390/mm: use generic mm_hooks

    - objtool: use sh to invoke sync-check.sh in the Makefile



Ubuntu 16.04 LTS Xenial Xerus / Linux Mint 18.3 Sylvia / HamoniKR community distribution MoorDev 1.0

 - A new kernel that 'mitigates' the CVE-2017-5754 (Meltdown) vulnerability has been proposed, as follows (Proposed)


linux (4.4.0-108.131) xenial; urgency=low

  * linux: 4.4.0-108.131 -proposed tracker (LP: #1741727)

  * CVE-2017-5754

    - x86/mm: Disable PCID on 32-bit kernels


linux (4.4.0-107.130) xenial; urgency=low

  * linux: 4.4.0-107.130 -proposed tracker (LP: #1741643)

  * CVE-2017-5754

    - Revert "UBUNTU: SAUCE: arch/x86/entry/vdso: temporarily disable vdso"

    - KPTI: Report when enabled

    - x86, vdso, pvclock: Simplify and speed up the vdso pvclock reader

    - x86/vdso: Get pvclock data from the vvar VMA instead of the fixmap

    - x86/kasan: Clear kasan_zero_page after TLB flush

    - kaiser: Set _PAGE_NX only if supported


linux (4.4.0-106.129) xenial; urgency=low

  * linux: 4.4.0-106.129 -proposed tracker (LP: #1741528)

  * CVE-2017-5754

    - KAISER: Kernel Address Isolation

    - kaiser: merged update

    - kaiser: do not set _PAGE_NX on pgd_none

    - kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE

    - kaiser: fix build and FIXME in alloc_ldt_struct()

    - kaiser: KAISER depends on SMP

    - kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER

    - kaiser: fix perf crashes

    - kaiser: ENOMEM if kaiser_pagetable_walk() NULL

    - kaiser: tidied up asm/kaiser.h somewhat

    - kaiser: tidied up kaiser_add/remove_mapping slightly

    - kaiser: kaiser_remove_mapping() move along the pgd

    - kaiser: cleanups while trying for gold link

    - kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET

    - kaiser: delete KAISER_REAL_SWITCH option

    - kaiser: vmstat show NR_KAISERTABLE as nr_overhead

    - x86/mm: Enable CR4.PCIDE on supported systems

    - x86/mm: Build arch/x86/mm/tlb.c even on !SMP

    - x86/mm, sched/core: Uninline switch_mm()

    - x86/mm: Add INVPCID helpers

    - x86/mm: If INVPCID is available, use it to flush global mappings

    - kaiser: enhanced by kernel and user PCIDs

    - kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user

    - kaiser: PCID 0 for kernel and 128 for user

    - kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user

    - kaiser: paranoid_entry pass cr3 need to paranoid_exit

    - kaiser: _pgd_alloc() without __GFP_REPEAT to avoid stalls

    - kaiser: fix unlikely error in alloc_ldt_struct()

    - kaiser: add "nokaiser" boot option, using ALTERNATIVE

    - x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling

    - x86/boot: Add early cmdline parsing for options with arguments

    - x86/kaiser: Check boottime cmdline params

    - kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush

    - kaiser: drop is_atomic arg to kaiser_pagetable_walk()

    - kaiser: asm/tlbflush.h handle noPGE at lower level

    - kaiser: kaiser_flush_tlb_on_return_to_user() check PCID

    - x86/paravirt: Dont patch flush_tlb_single

    - x86/kaiser: Reenable PARAVIRT

    - kaiser: disabled on Xen PV

    - x86/kaiser: Move feature detection up

    - kvm: x86: fix RSM when PCID is non-zero

    - SAUCE: arch/x86/entry/vdso: temporarily disable vdso

    - [Config]: CONFIG_KAISER=y


--


<This information is current as of 6 January 2018, 22:30.>



Bitdefender Total Security, the antivirus I use, completed its patch for the specific registry key, so I received the cumulative update for Microsoft (MS) Windows 10 version 1703 (Redstone 2, RS2).

It is an emergency security patch for Microsoft Windows, Edge and Internet Explorer.


--


<This information is current as of 6 January 2018, 00:30.>


When the emergency security patch KB40568XX released by Microsoft (MS) for Windows 10 is applied, a BSOD (simply put, a blue screen) has been confirmed to occur because of compatibility problems with some products, so MS has halted distribution through automatic updates and is applying the security patch first only to PCs on which a specific registry key is set.


This registry key relates to antivirus products; the antivirus vendor must set it in advance, through a patch to the antivirus product, before the Windows update.


For details on this, see http://blog.alyac.co.kr/1472.


--


<This information is current as of 5 January 2018, 11:30.>


An emergency security patch for Microsoft (MS) Windows 10 was scheduled from 4 January US time (5 January Korean time), but as of 11:30 on 5 January the automatic update has still not been delivered.

Note that updating manually is possible.


--


<Debian>


Debian 9 Stretch (Stable)

 - updated from linux 4.9.65-3+deb9u1 to linux 4.9.65-3+deb9u2



 - A security patch for the CVE-2017-5754 (Meltdown) vulnerability has been released, as follows (fixed)


linux (4.9.65-3+deb9u2) stretch-security; urgency=high

  * x86: setup PCID, preparation work for KPTI.

    - x86/mm/64: Fix reboot interaction with CR4.PCIDE

    - x86/mm: Add the 'nopcid' boot option to turn off PCID

    - x86/mm: Disable PCID on 32-bit kernels

    - x86/mm: Enable CR4.PCIDE on supported systems

  * [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER)

    (CVE-2017-5754)

    - kaiser: add "nokaiser" boot option, using ALTERNATIVE

    - kaiser: align addition to x86/mm/Makefile

    - kaiser: asm/tlbflush.h handle noPGE at lower level

    - kaiser: cleanups while trying for gold link

    - kaiser: delete KAISER_REAL_SWITCH option

    - kaiser: disabled on Xen PV

    - kaiser: do not set _PAGE_NX on pgd_none

    - kaiser: drop is_atomic arg to kaiser_pagetable_walk()

    - kaiser: enhanced by kernel and user PCIDs

    - kaiser: ENOMEM if kaiser_pagetable_walk() NULL

    - kaiser: fix build and FIXME in alloc_ldt_struct()

    - kaiser: fix perf crashes

    - kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER

    - kaiser: fix unlikely error in alloc_ldt_struct()

    - kaiser: KAISER depends on SMP

    - kaiser: kaiser_flush_tlb_on_return_to_user() check PCID

    - kaiser: kaiser_remove_mapping() move along the pgd

    - KAISER: Kernel Address Isolation

    - x86_64: KAISER - do not map kernel in user mode

    - kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user

    - kaiser: merged update

    - kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET

    - kaiser: paranoid_entry pass cr3 need to paranoid_exit

    - kaiser: PCID 0 for kernel and 128 for user

    - kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE

    - kaiser: tidied up asm/kaiser.h somewhat

    - kaiser: tidied up kaiser_add/remove_mapping slightly

    - kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush

    - kaiser: vmstat show NR_KAISERTABLE as nr_overhead

    - kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user

    - KPTI: Rename to PAGE_TABLE_ISOLATION

    - KPTI: Report when enabled

    - x86/boot: Add early cmdline parsing for options with arguments

    - x86/kaiser: Check boottime cmdline params

    - x86/kaiser: Move feature detection up

    - x86/kaiser: Reenable PARAVIRT

    - x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling

    - x86/paravirt: Dont patch flush_tlb_single

  * Bump ABI to 5.



 - However, there is still no security patch for the remaining two vulnerabilities, Spectre (vulnerable)


--


<Ubuntu>



Ubuntu 17.10 Artful Aardvark

 - Latest version: linux 4.13.0-21.24

 - Status changed from needs-triage to pending; no security patch has been released yet


Ubuntu 17.04 Zesty Zapus

 - Latest version: linux 4.10.0-42.46

 - Status changed from needs-triage to pending; no security patch has been released yet


Ubuntu 16.04 LTS Xenial Xerus / Linux Mint 18.3 Sylvia / HamoniKR community distribution MoorDev 1.0

 - Latest version: linux 4.4.0-104.127 or linux-hwe 4.10.0-42.46~16.04.1

 - Status changed from needs-triage to pending; no security patch has been released yet


Ubuntu 14.04 LTS Trusty Tahr / Linux Mint 17.3 Rosa / HamoniKR 2.1

 - Latest version: linux 3.13.0-137.186 or linux-lts-xenial 4.4.0-104.127~14.04.1

 - Status changed from needs-triage to pending; no security patch has been released yet


Ubuntu 12.04 LTS Trusty Tahr ESM (Extended Support Maintenance for Ubuntu Advantage Customers)

 - Status changed from needs-triage to pending; no security patch has been released yet


Ubuntu 12.04 LTS Trusty Tahr / Linux Mint 13 Maya

 - Support ended as of 28 April 2017


--

<RHEL>



Red Hat Enterprise Linux (RHEL) 7

 - updated to kernel-3.10.0-693.11.6.el7

 - Security patches for the Meltdown and Spectre vulnerabilities are complete


Red Hat Enterprise Linux 7.3 Extended Update Support

 - updated to kernel-3.10.0-514.36.5.el7

 - Security patches for the Meltdown and Spectre vulnerabilities are complete


Red Hat Enterprise Linux 7.2 Advanced Update Support

 - updated to kernel-3.10.0-327.62.4.el7

 - Security patches for the Meltdown and Spectre vulnerabilities are complete


Red Hat Enterprise Linux (RHEL) 6

 - updated to kernel-2.6.32-696.18.7.el6

 - Security patches for the Meltdown and Spectre vulnerabilities are complete


Red Hat Enterprise Linux 6.7 Extended Update Support

 - updated to kernel-2.6.32-573.49.3.el6

 - Security patches for the Meltdown and Spectre vulnerabilities are complete


Red Hat Enterprise Linux 6.6 Advanced Update Support

 - updated to kernel-2.6.32-504.64.4.el6

 - Security patches for the Meltdown and Spectre vulnerabilities are complete


Red Hat Enterprise Linux 6.5 Advanced Update Support

 - updated to kernel-2.6.32-431.85.2.el6

 - Security patches for the Meltdown and Spectre vulnerabilities are complete


Red Hat Enterprise Linux 6.4 Advanced Update Support

 - updated to kernel-2.6.32-358.84.2.el6

 - Security patches for the Meltdown and Spectre vulnerabilities are complete


Red Hat Enterprise Linux 6.2 Advanced Update Support

 - updated to kernel-2.6.32-220.76.2.el6

 - Security patches for the Meltdown and Spectre vulnerabilities are complete


Red Hat Enterprise Linux 5 Extended Lifecycle Support

 - Status changed to pending; no security patch has been released yet


Red Hat Enterprise Linux 5.9 Advanced Update Support

 - Status changed to pending; no security patch has been released yet


--


<CentOS>


CentOS 7.4.1708

 - updated to kernel-3.10.0-693.11.6.el7

 - Patches for the Meltdown and Spectre vulnerabilities are complete


CentOS 6.9

 - updated to kernel-2.6.32-696.18.7.el6

 - Patches for the Meltdown and Spectre vulnerabilities are complete


CentOS 5

 - Support ended as of 31 March 2017


--


<References>

https://access.redhat.com/security/vulnerabilities/speculativeexecution

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html

https://security-tracker.debian.org/tracker/CVE-2017-5753

https://security-tracker.debian.org/tracker/CVE-2017-5715

https://security-tracker.debian.org/tracker/CVE-2017-5754
