=== JackFrost is now known as Unit193
blahdeblah | Personally, I'd rather build a reboot-friendly application architecture. | 00:41 |
sarnold | :) | 00:41 |
yurtesen | Is this channel alive? | 04:02 |
yurtesen | Is there anybody here who can check/approve/merge security related debdiffs for a package in universe or somebody who knows a person who can do that? | 05:30 |
Teachmehow | Hi everyone. I have a list of installed packages on my system with dpkg. Is there any library/package that will allow me to convert the package names to its respective CPE? | 05:55 |
sbeattie | yurtesen: do you have a launchpad bug or other pointer? | 06:09 |
sbeattie | Teachmehow: sadly, there is not really that I'm aware of, though happy to be corrected if someone knows of one. | 06:09 |
yurtesen | @sbeattie yes I prepared a small debdiff also https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1915911/comments/4 | 06:55 |
sbeattie | yurtesen: thanks, I saw some chatter about that bug, I'll poke further. | 06:57 |
yurtesen | Thank you, that was my first debdiff. Hopefully it is somewhat acceptable. I had a few questions about how to track if anybody is looking at a debdiff and the format of the changelog, if anybody can answer. See comment 8 for the formatting question: https://answers.launchpad.net/ubuntu/+source/tomcat9/+question/700934 | 08:24 |
tomreyn | i just brought this up in -kernel, but maybe you could also give me feedback, maybe i'm missing something. i'm running 18.04 amd64 with HWE (5.4.0-104-generic #118~18.04.1-Ubuntu). "cat /sys/devices/system/cpu/vulnerabilities/spectre_v2" reports "Mitigation: LFENCE, IBPB: conditional, STIBP: disabled, RSB filling" (on this Ryzen 7 1800X), so it seems the kernel has not been compiled with a retpoline-aware compiler, which would suggest | 08:45 |
tomreyn | the system is affected by spectre_v2, and apparently so because a compiler which does not (yet) support full_retpoline is used to build these kernels. | 08:45 |
tomreyn | buildd@ubuntu built this one using gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04) on Thu Mar 3 13:53:15 UTC 2022. | 08:49 |
jjohansen | tomreyn: gcc 7.5 supports retpoline. until this last week lfence/jump was amd's recommended mitigation. You could force generic retpoline using the kernel boot parameter spectre_v2=retpoline,generic | 09:18 |
jjohansen | see: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036 | 09:18 |
tomreyn | jjohansen: I can't force it with spectre_v2=retpoline,lfence (suggested by apw in #ubuntu-kernel - sorry for cross-posting here): cat /proc/version /proc/cmdline /sys/devices/system/cpu/vulnerabilities/spectre_v2 | nc termbin.com 9999 | 09:42 |
tomreyn | https://termbin.com/gbhc | 09:42 |
tomreyn | interestingly, AMD's advisory states "LFENCE/JMP (mitigation V2-2) may not sufficiently mitigate CVE-2017-5715 on *some* AMD CPUs" (*stress* added by myself) and does *not* list Ryzen 1000 series Desktop CPUs below. which could mean those are not affected, or are not being handled. | 09:50 |
ubottu | Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715> | 09:50 |
tomreyn | jjohansen: you have a point. i booted with spectre_v2=retpoline,generic now and got "Mitigation: Retpolines, IBPB: conditional, STIBP: disabled, RSB filling" | 10:14 |
Nicholas[m] | on a related point, mitigation for spectre and meltdown result in a performance hit. Do we only need this mitigation on multiuser machines? | 10:27 |
Nicholas[m] | For a single-user desktop (or small multiuser system of trusted users) can we disable this mitigating features and boost system performance...? | 10:27 |
jjohansen | Nicholas[m]: that entirely depends on what software you run on those machines. VMs that you don't trust - no | 10:40 |
jjohansen | web browsers connected to the internet, well just about anything that could run untrusted scripts like the web browser | 10:41 |
jjohansen | not | 10:41 |
=== chrisccoulson_ is now known as chrisccoulson