“SACK Panic” Security fix kernels in repos.
June 21, 2019 at 3:32 am #23579 Forum Admin
anticapitalista
Latest kernels available in the repos for 32 and 64 bit architecture (stretch, buster, testing and sid).
4.9.182 non-pae, pae and x64
4.19.52 non-pae, pae and x64
5.1.11 non-pae, pae and x64
Users are strongly advised to upgrade.
Click for more information about SACK Panic
Philosophers have interpreted the world in many ways; the point is to change it.
antiX with runit - leaner and meaner.
June 21, 2019 at 4:50 am #23580 Member
Xecure
Thanks, anticapitalista.
Just updated on my 17.4 system and all works well.
antiX Live system enthusiast.
General Live Boot Parameters for antiX.
June 21, 2019 at 5:58 am #23582 Member
greyowl
Thanks for the new kernel.
Updated to 4.9.182 on my laptop and it is working fine.
Dell Latitude D620 laptop with antiX 22 (64 bit)
June 21, 2019 at 10:53 am #23614 Member
oops
Hello,
Thanks, kernel 5.1.11-antix.1-686-smp-pae works perfectly on my MSI U123eepc antiX17.4 (with usual dmesg warnings)
cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-5.1.11-antix.1-686-smp-pae root=UUID=###### ro pti=auto ipv6.disable=1 resume=UUID=#### quiet
dmesg -k -l emerg,alert,crit,err,warn
[ 2.283243] Unstable clock detected, switching default tracing clock to "global"
If you want to keep using the local clock, then add:
"trace_clock=local"
on the kernel command line
[ 6.561999] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
June 21, 2019 at 7:57 pm #23636
Anonymous
Hi anti,
Is this supposed to read vulnerable on the new patched kernels?
I haven’t checked the other ones (686) yet, only the 486 ones here.
June 22, 2019 at 8:47 am #23652 Forum Admin
Dave
I seem to be having a different output to you linuxdaddy
comp1:~# cat /sys/devices/system/cpu/vulnerabilities/*
Not affected
Mitigation: Clear CPU buffers; SMT disabled
Mitigation: PTI
Not affected
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
comp1:~# uname -r
5.1.11-antix.1-amd64-smp
Do you have the microcode package installed?
Computers are like air conditioners. They work fine until you start opening Windows. ~Author Unknown
June 22, 2019 at 4:44 pm #23683
Anonymous
Hi Dave,
Yes the microcode is installed so I’m not sure what’s going on.
Just wondering if it’s only here or if the other 32-bit users have
the same thing going on.
June 22, 2019 at 5:02 pm #23685 Member
oops
Maybe you can try spectre-meltdown-checker, to check
$ spectre-meltdown-checker
....
> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK
Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer
$ inxi -S
System: Host: antix1 Kernel: 5.1.11-antix.1-686-smp-pae i686 bits: 32 Desktop: IceWM 1.4.3.0~pre-20181030 Distro: antiX-17.4.1_386-full Helen Keller 28 March 2019
June 22, 2019 at 5:30 pm #23686
Anonymous
Thanks oops,
It says vulnerable a lot too. I haven’t noticed any odd problems so it might be giving false
because the celeron-m cpu might be too old since it doesn’t even have PAE.
spectre-meltdown-checker ……
* CPU microcode is the latest known available version: YES (latest version is 0x7 dated 2004/11/09 according to builtin MCExtractor DB v111 - 2019/05/18)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
  * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
  * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
  * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
  * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
  * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
  * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
  * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
  * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
  * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
and …… the end result: lots of KO
> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:KO CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:KO CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO
$ inxi -F
System: Host: antix19b1 Kernel: 5.1.11-antix.1-486-smp i686 bits: 32 Desktop: IceWM 1.5.5+git20190610 Distro: antiX-19.b1_386-full Marielle Franco 12 June 2019
Machine: Type: Laptop System: Hewlett-Packard product: Presario 2200 (PM045UA#ABA) v: Rev 1 serial: <root required> Mobo: Quanta model: 3084 v: 41.09 serial: <root required> BIOS: Hewlett-Packard v: F.10 date: 08/18/2004
Battery: ID-1: BAT0 charge: 35.0 Wh condition: 35.0/88.8 Wh (39%)
CPU: Topology: Single Core model: Intel Celeron M bits: 32 type: MCP L2 cache: 512 KiB Speed: 1397 MHz min/max: N/A Core speed (MHz): 1: 1397
Graphics: Device-1: Intel 82852/855GM Integrated Graphics driver: i915 v: kernel Display: x11 server: X.Org 1.20.4 driver: intel unloaded: fbdev,modesetting,vesa resolution: 1024x768~60Hz OpenGL: renderer: Mesa DRI Intel 852GM/855GM x86/MMX/SSE2 v: 1.3 Mesa 18.3.6
Audio: Device-1: Intel 82801DB/DBL/DBM AC97 Audio driver: snd_intel8x0 Sound Server: ALSA v: k5.1.11-antix.1-486-smp
Network: Device-1: Realtek RTL-8100/8101L/8139 PCI Fast Ethernet Adapter driver: 8139too IF: eth0 state: down mac: 00:c0:9f:56:05:96 Device-2: Broadcom Limited BCM4306 802.11b/g Wireless LAN driver: b43-pci-bridge IF-ID-1: wlan0 state: up mac: 00:90:4b:97:13:08
Drives: Local Storage: total: 55.89 GiB used: 10.43 GiB (18.7%) ID-1: /dev/sda vendor: Hitachi model: IC25N060ATMR04-0 size: 55.89 GiB
Partition: ID-1: / size: 54.46 GiB used: 10.43 GiB (19.1%) fs: xfs dev: /dev/sda1 ID-2: swap-1 size: 1.40 GiB used: 0 KiB (0.0%) fs: swap dev: /dev/sda2
Sensors: Message: No sensors data was found. Is sensors configured?
Info: Processes: 93 Uptime: 22m Memory: 460.6 MiB used: 191.2 MiB (41.5%) Shell: bash inxi: 3.0.33
June 22, 2019 at 6:20 pm #23687
Anonymous
Update: it’s the 486 ones because my dell-d610 with pentium-m cpu says the same
thing on the 5.1.11-486 kernel but shows most mitigated on the 4.19.52-686-pae kernel
and on the 5.1.11-686-pae ones.
screenshot 1: 486 kernel
screenshot 2 & 3: 686 kernel
June 22, 2019 at 10:04 pm #23696 Member
animusdominus
@antix:~
$ cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
Mitigation: Clear CPU buffers; SMT vulnerable
Mitigation: PTI
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling
@antix:~
$
@antix:~
$ inxi
CPU: Dual Core Intel Core i3-6006U (-MT MCP-) speed/min/max: 800/400/2000 MHz
Kernel: 5.1.11-antix.1-amd64-smp x86_64 Up: 1m Mem: 577.6/3812.4 MiB (15.2%)
Storage: 931.51 GiB (5.0% used) Procs: 163 Shell: bash 5.0.3 inxi: 3.0.33
@antix:~
$
June 23, 2019 at 4:51 am #23710 Member
oops
@linuxdaddy: The problem seems to be here (an old microcode for your cpu, not up to date)
CPU microcode is the latest known available version: YES (latest version is 0x7 dated 2004/11/09 according to builtin MCExtractor DB v111 - 2019/05/18)
June 23, 2019 at 7:41 pm #23749
Anonymous
yeah oops,
It is an old laptop and I found out on Intel’s site that the old
32-bit cpus aren’t in the works for new microcode either so on the ones
that support 686-pae is what I’m going to stick with since most of the
things are mitigated and seem to be more for dual-core and higher anyways.
On the meltdown checker my P4 reads
Your CPU doesn't support SSBD
on the one that fails. There was also no bios updates for “dinosaurs” on the
websites so here’s a pdf link for what is in Intel’s works and the status for
the cpus and microcode updates.
https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf
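
Several posts in this thread compare raw output of cat /sys/devices/system/cpu/vulnerabilities/*, which drops the file names and makes two machines hard to compare entry by entry. The shell functions below are an added example, not code from the thread or from antiX: they label each entry with its sysfs file name, count entries the kernel reports as Vulnerable, and list mitigated entries that still flag SMT. The function names and the sample directory are assumptions; the sample values are copied from the amd64 output posted above, except one constructed Vulnerable line.

```shell
#!/bin/sh
# Added example (not from the thread): label each sysfs vulnerability entry.
# Function names are hypothetical; the sysfs path is the one used in the posts.

SYSFS_VULN=/sys/devices/system/cpu/vulnerabilities

# vuln_report [DIR]: print "name<TAB>status" for every entry in DIR.
vuln_report() {
    dir=${1:-$SYSFS_VULN}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # unmatched glob or missing directory
        printf '%s\t%s\n' "${f##*/}" "$(cat "$f")"
    done
}

# vuln_count [DIR]: number of entries the kernel reports as "Vulnerable".
vuln_count() {
    vuln_report "$1" | awk -F '\t' '$2 ~ /^Vulnerable/ { n++ } END { print n + 0 }'
}

# smt_exposed [DIR]: entries that are mitigated but still flag "SMT vulnerable".
smt_exposed() {
    vuln_report "$1" | awk -F '\t' '$2 ~ /SMT vulnerable/ { print $1 }'
}

# make_sample: build a constructed sample directory and print its path.
# File names are those of a 5.1 kernel; values are copied from the amd64
# output posted in the thread, except meltdown, which is a constructed
# "Vulnerable" line for illustration.
make_sample() {
    d=$(mktemp -d) || return 1
    echo 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable' > "$d/l1tf"
    echo 'Mitigation: Clear CPU buffers; SMT vulnerable' > "$d/mds"
    echo 'Vulnerable' > "$d/meltdown"
    echo 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp' > "$d/spec_store_bypass"
    echo 'Mitigation: __user pointer sanitization' > "$d/spectre_v1"
    echo 'Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling' > "$d/spectre_v2"
    echo "$d"
}

# Report on the running kernel (prints no entries where sysfs is unavailable).
vuln_report
echo "entries reporting Vulnerable: $(vuln_count)"
```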