Weekly Roundup 2018 – Week 5

The flood of updates has slowed a little this week:

sox (Mga 5, 6); java-1.8.0-openjdk (Mga 5, 6); rsync (Mga 5, 6); gdk-pixbuf2.0 (Mga 5) – as always, check Mageia Advisories for details. Along with the 409 updates that have gone into Cauldron, there’s been plenty happening!

Behind the scenes, work is still happening on the panel applet update mechanism, on further Meltdown/Spectre mitigation, and on the possible Mageia 6.1 release, so the devs and QA folks we all rely on are still very busy indeed. As always, you can check for yourself on Mageia Advisories, the Mageia AppDB, PkgSubmit to see the last 48 hours, and Bugzilla to see what’s currently happening.

And almost daily, new and updated translations go up; hearty thanks to our translation team, who make Mageia so friendly to users around the world!

Interim info on Meltdown/Spectre mitigation

From tmb, our extremely busy kernel guru for whom we give thanks daily:

If you’re using

grep cpu_insecure /proc/cpuinfo && echo "patched" || echo "unpatched"

and you get

unpatched

don’t worry – this is an invalid check. Official Linux source does not have any “cpu_insecure” flag.

If you are using   

   cat /proc/cpuinfo | grep bugs

and you get 

bugs            : cpu_meltdown
bugs            : cpu_meltdown
bugs            : cpu_meltdown
bugs            : cpu_meltdown

This tells you that you have a CPU that is affected by Meltdown and needs to be protected by KPTI. The only way you can get rid of that flag is to buy new hardware. According to Intel, that means their new silicon, which should become a new CPU by the end of 2018; for AMD and Spectre issues, it means buying a Zen2-based CPU, which is supposed to be out sometime in 2018.

If you have used https://github.com/speed47/spectre-meltdown-checker and the result is “not OK”:

That’s expected. Because:

1. Spectre variant 1 is hard to fix and also more difficult to abuse – it really needs microcode updates, and Intel botched that. According to Lenovo there should be a fix out around February 9th. AMD officially will only ship their microcode update to hardware vendors, so it depends on when they will release updated BIOSes or we can get the microcode through some other means. There is some code to mitigate here too, but afaik it's not upstream yet.

2. Spectre variant 2 also really needs new microcode, and the IBRR/IBPB/… kernel code mitigations have only started landing in upstream last week, and still need to be backported to the 4.14 longterm branch. And we have the alternative mitigation with minimal retpoline queued in https://bugs.mageia.org/show_bug.cgi?id=22454 (I plan to push this one later today as soon as I have written the advisories). For full retpoline we need compiler support, something I got patches for during FOSDEM, and it’s now patched in gcc 5.5.0 in testing, so the next kernel will have full retpoline.

3. Meltdown has been mitigated since 4.14.13 was released in http://advisories.mageia.org/MGASA-2018-0076.html

NOTE: the Kernel Page Table Isolation mitigation is so far only for x86_64, but some suggested patches have been posted as RFC for i586, and should hopefully land soon-ish upstream and get backported. But then again, Meltdown is not as easy on 32-bit, as it already has the 3G/1G memory split causing other complications.

Now I know some/many distros have “panic patched” stuff with earlier revisions of the fixes, but for example Red Hat has afaik backed out of some of the Spectre mitigations as it caused more problems than it fixed, so I have chosen to rely on somewhat tested code actually getting accepted and landing upstream.

That is where we are at the moment. If upstream keeps the current pace we should hopefully have all the bits in place within ~1 week…

Thank you tmb!
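The distinction tmb draws above, that the `bugs` line describes the hardware rather than whether the kernel is patched, shown as an added example that is not part of tmb's message or the Mageia tooling. It assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities/meltdown` (not mentioned in the post); the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: separate "CPU is affected" (hardware fact, from the bugs line)
# from "kernel mitigation is active" (software state, from a status file).

# Print the unique entries found on the "bugs" line(s) of a cpuinfo-format file.
cpu_bugs() {
    awk -F: '/^bugs[ \t]*:/ { n = split($2, b, " ")
                              for (i = 1; i <= n; i++) seen[b[i]] = 1 }
             END { for (k in seen) print k }' "$1" | sort
}

# $1: cpuinfo file; $2 (optional): sysfs-style Meltdown status file.
# Prints "hardware=<state> kernel=<state>".
meltdown_report() {
    if cpu_bugs "$1" | grep -qx 'cpu_meltdown'; then
        hw="affected"          # stays set on this CPU whatever kernel runs
    else
        hw="not-listed"
    fi
    sw="unknown"               # no status file: nothing can be concluded
    if [ -n "${2:-}" ] && [ -r "$2" ]; then
        case "$(cat "$2")" in
            Mitigation*)     sw="mitigated" ;;
            Vulnerable*)     sw="vulnerable" ;;
            "Not affected"*) sw="not-affected" ;;
        esac
    fi
    echo "hardware=$hw kernel=$sw"
}

# Constructed sample input (not captured from a real machine): two logical
# CPUs, both flagged, and a status file reporting page table isolation.
demo_dir=$(mktemp -d)
printf 'processor\t: 0\nbugs\t\t: cpu_meltdown\n\nprocessor\t: 1\nbugs\t\t: cpu_meltdown\n' \
    > "$demo_dir/cpuinfo"
printf 'Mitigation: PTI\n' > "$demo_dir/meltdown"

meltdown_report "$demo_dir/cpuinfo" "$demo_dir/meltdown"

# On a live system (assumed paths, see above):
#   meltdown_report /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities/meltdown
```

A result of `hardware=affected kernel=mitigated` is the expected state on a patched x86_64 system: the flag remains because the silicon is unchanged.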

In other news:

The LQ Members Choice Awards polls are on right now. You may want to register and vote for Mageia being your distro of choice to add a little marketing “buzz” to our favourite distro. You can find the polls here:

https://www.linuxquestions.org/questions/2017-linuxquestions-org-members-choice-awards-126/

If you are not a member of the LinuxQuestions.org group, you just have to register and then post one reply on their site. This then allows you to vote on various Linux poll items. Pass the word along to other Mageia supporters and make your voice count!


7 Responses to Weekly Roundup 2018 – Week 5

  1. Pingback: Тижневий огляд — 2018, тиждень 5 | Mageia Blog (Україна)

  2. katnatek says:

    The technical posts are harder to translate than the average post, so please include links when you include abbreviations or not well-known terms like retpoline.

  3. Pingback: Ronda Semanal 2018 – Semana 5 | Mageia Blog (Español)

  4. Pingback: Wöchentliche Zusammenfassung 2018 – Woche 5 | Mageia Blog (Deutsch)

  5. tmb says:

    A retpoline is a return trampoline that uses an infinite loop that is never executed to prevent the CPU from speculating on the target of an indirect jump.

  6. Pingback: Resumo Semanal 2018 – Semana 5 | Mageia Blog (Português)

  7. Slugish says:

    What about FOSDEM?