Update kernels to 4.14.169 or later #5111

Closed
emkll opened this issue Jan 29, 2020 · 1 comment · Fixed by #5188


emkll commented Jan 29, 2020

Description

Updating will provide improved cache handling to mitigate CVE-2020-0549 (https://cacheoutattack.com/).
A microcode update will be provided by Intel at a later date.

In order to exploit this vulnerability, an attacker requires:

  1. Local code execution on the server
  2. A CPU that supports Intel TSX

We do disable TSX in the kernel config: https://github.com/freedomofpress/ansible-role-grsecurity-build/blob/master/files/config-securedrop-4.14#L626, so this vulnerability may not even be exploitable by an attacker.

Since exploitation is extremely unlikely, I propose we update kernels as part of the 1.3.0 release.

@emkll emkll added the security label Jan 29, 2020
@emkll emkll added this to the 1.3.0 milestone Jan 29, 2020
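
A host-side check for the two facts this issue turns on, added here as an example and not taken from the SecureDrop repositories: whether a 4.14-series kernel is at 4.14.169 or later, and whether the running kernel advertises Intel TSX to userspace. The function names are hypothetical; `rtm` and `hle` are the TSX feature flags Linux lists in `/proc/cpuinfo`. Kernels outside the 4.14 series are reported as `other-series`, because the issue names a patch level only for 4.14.

```shell
#!/bin/sh
# Added example: audit a host against the conditions named in this issue.

MIN_PATCH=169   # from the issue title: 4.14.169 or later

# kernel_status RELEASE -> patched | outdated | other-series
kernel_status() {
    rel=${1%%-*}                  # drop local suffix such as "-grsec"
    case "$rel" in
        4.14.*) ;;
        4.14)   echo outdated; return 0 ;;
        *)      echo other-series; return 0 ;;
    esac
    patch=${rel#4.14.}
    patch=${patch%%[!0-9]*}       # keep the leading digits only
    if [ "${patch:-0}" -ge "$MIN_PATCH" ]; then
        echo patched
    else
        echo outdated
    fi
}

# tsx_status CPUINFO_FILE -> tsx-advertised | tsx-not-advertised
tsx_status() {
    flags=$(grep -m1 '^flags' "$1" 2>/dev/null || true)
    # Pad with spaces so only whole flag names match.
    case " ${flags#*:} " in
        *" rtm "*|*" hle "*) echo tsx-advertised ;;
        *)                   echo tsx-not-advertised ;;
    esac
}

# assess RELEASE CPUINFO_FILE -> one summary line
assess() {
    echo "kernel=$(kernel_status "$1") tsx=$(tsx_status "$2")"
}

# Run against the live host.
assess "$(uname -r)" /proc/cpuinfo
```
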

conorsch commented Apr 3, 2020

Opened a dependency PR in the build repo: freedomofpress/ansible-role-grsecurity-build#57

Will kick off a server-kernel build with those new deps.
