Bug #15796
Mitigate Foreshadow aka. L1 Terminal Fault vulnerabilities
100%
Description
A recent and very severe vulnerability has been revealed that allows arbitrary memory reads. The mitigations (both for userspace and hypervisors) were submitted to the Linux kernel in commit 958f338e96f874a0d29442396d6adf9c1e17aa2d. For non-hypervisors, the fix is simple and has no performance impact. It is important that Tails upgrade its kernel to mitigate this nasty vulnerability.
- https://foreshadowattack.eu/
- https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault
- https://blog.ubuntu.com/2018/08/14/ubuntu-updates-for-l1-terminal-fault-vulnerabilities
Debian status:
- https://security-tracker.debian.org/tracker/CVE-2018-3615 (only affects Intel SGX, which we don’t use)
- https://security-tracker.debian.org/tracker/CVE-2018-3620
- https://security-tracker.debian.org/tracker/CVE-2018-3646 (only affects virtualization, which we don’t use)
Subtasks
Related issues
Blocks Tails - |
Resolved | 2018-02-20 | |
Blocks Tails - |
Resolved | 2018-08-27 | |
Blocks Tails - |
Resolved | 2018-08-26 |
History
#1 Updated by Anonymous 2018-08-16 10:07:34
- Priority changed from High to Normal
#2 Updated by Anonymous 2018-08-16 12:51:40
- related to
Feature #15117: Improve visibility of scrollbar in persistence assistant added
#3 Updated by Anonymous 2018-08-16 12:51:48
- related to deleted (
)Feature #15117: Improve visibility of scrollbar in persistence assistant
#4 Updated by mercedes508 2018-08-16 15:44:40
- Status changed from New to Confirmed
- Assignee set to intrigeri
- Target version set to Tails_3.9
#5 Updated by intrigeri 2018-08-17 05:59:02
- Description updated
- Priority changed from Normal to Elevated
Next step is: upgrade to linux (4.17.15-1), that introduces the mitigation.
#6 Updated by intrigeri 2018-08-17 05:59:14
- blocks
Feature #15334: Core work 2018Q3: Foundations Team added
#7 Updated by intrigeri 2018-08-17 06:00:21
- Subject changed from Mitigate Foreshadow to Mitigate Foreshadow aka. L1 Terminal Fault vulnerabilities
- Description updated
#8 Updated by intrigeri 2018-08-17 06:07:15
- Description updated
#9 Updated by intrigeri 2018-08-18 11:28:54
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
- Feature Branch set to bugfix/15796-foreshadow+force-all-tests
#10 Updated by intrigeri 2018-08-18 15:39:42
I should update my branch to include Linux 4.17.17-1. Linux 4.17.17 was released with only 1 new commit to fix a regression that seems important: https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.17.17
#11 Updated by intrigeri 2018-08-18 18:14:46
Full test suite runs with 4.17.15-1 look as good as usual.
#12 Updated by intrigeri 2018-08-19 06:59:33
- % Done changed from 10 to 20
- QA Check set to Ready for QA
intrigeri wrote:
> I should update my branch to include Linux 4.17.17-1
Done on the topic branch. Next steps:
- full test suite runs
- test on bare metal
#13 Updated by intrigeri 2018-08-20 06:12:45
- % Done changed from 20 to 30
> Next steps:
>
> * full test suite runs
LGTM. Left: test on bare metal.
#14 Updated by intrigeri 2018-08-21 11:43:57
- Assignee changed from intrigeri to segfault
- % Done changed from 30 to 50
- Estimated time set to 0 h
#15 Updated by segfault 2018-08-23 11:00:50
- Assignee changed from segfault to intrigeri
- QA Check changed from Ready for QA to Info Needed
LGTM. Should I build and test this?
#16 Updated by intrigeri 2018-08-24 05:25:10
- Assignee changed from intrigeri to segfault
- QA Check changed from Info Needed to Ready for QA
> LGTM. Should I build and test this?
Yes, please test on whatever bare metal you have handy :)
#17 Updated by intrigeri 2018-08-25 07:34:12
- Assignee changed from segfault to intrigeri
- QA Check changed from Ready for QA to Dev Needed
Hold on, I’d like to include the upgrade to intel-microcode 3.20180807a.1 that adds some more L1TF and Spectre mitigation measures.
#18 Updated by intrigeri 2018-08-30 05:23:47
- blocks
Bug #15852: Upgrade firmware-nonfree to 20180825-1 added
#19 Updated by intrigeri 2018-08-31 04:27:06
- Assignee changed from intrigeri to segfault
- QA Check changed from Dev Needed to Ready for QA
#20 Updated by intrigeri 2018-09-02 08:11:04
- blocks
Bug #15846: devel and branches based on devel FTBFS: The following packages have unmet dependencies added
#21 Updated by segfault 2018-09-04 11:40:42
- Assignee changed from segfault to intrigeri
- QA Check changed from Ready for QA to Pass
Works on my hardware
#22 Updated by intrigeri 2018-09-04 11:55:22
- Status changed from In Progress to Fix committed
- Assignee deleted (
intrigeri) - % Done changed from 50 to 100
#23 Updated by intrigeri 2018-09-05 16:15:15
- Status changed from Fix committed to Resolved