/srv/irclogs.ubuntu.com/2022/03/18/#ubuntu-security.txt

=== JackFrost is now known as Unit193
[00:41] <blahdeblah> Personally, I'd rather build a reboot-friendly application architecture.
[00:41] <sarnold> :)
[04:02] <yurtesen> Is this channel alive?
[05:30] <yurtesen> Is there anybody here who can check/approve/merge security-related debdiffs for a package in universe, or somebody who knows a person who can do that?
[05:55] <Teachmehow> Hi everyone. I have a list of installed packages on my system with dpkg. Is there any library/package that will allow me to convert the package names to their respective CPEs?
[06:09] <sbeattie> yurtesen: do you have a launchpad bug or other pointer?
[06:09] <sbeattie> Teachmehow: sadly, there is not really one that I'm aware of, though I'm happy to be corrected if someone knows of one.
[06:55] <yurtesen> @sbeattie yes, I prepared a small debdiff also: https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1915911/comments/4
[06:57] <sbeattie> yurtesen: thanks, I saw some chatter about that bug, I'll poke further.
[08:24] <yurtesen> Thank you, that was my first debdiff. Hopefully it is somewhat acceptable. I had a few questions about how to track if anybody is looking at a debdiff and the format of the changelog, if anybody can answer. See comment 8 for the formatting question: https://answers.launchpad.net/ubuntu/+source/tomcat9/+question/700934
[08:45] <tomreyn> i just brought this up in -kernel, but maybe you could also give me feedback, maybe i'm missing something. i'm running 18.04 amd64 with HWE (5.4.0-104-generic #118~18.04.1-Ubuntu). "cat /sys/devices/system/cpu/vulnerabilities/spectre_v2" reports "Mitigation: LFENCE, IBPB: conditional, STIBP: disabled, RSB filling" (on this Ryzen 7 1800X), so it seems the kernel has not been compiled with a retpoline-aware compiler, which would suggest
[08:45] <tomreyn> the system is affected by spectre_v2, and apparently so because a compiler which does not (yet) support full_retpoline is used to build these kernels.
[08:49] <tomreyn> buildd@ubuntu built this one using gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04) on Thu Mar 3 13:53:15 UTC 2022.
[09:18] <jjohansen> tomreyn: gcc 7.5 supports retpoline. until this last week lfence/jump was amd's recommended mitigation. You could force generic retpoline using the kernel boot parameter spectre_v2=retpoline,generic
[09:18] <jjohansen> see: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036
[09:42] <tomreyn> jjohansen: I can't force it with spectre_v2=retpoline,lfence (suggested by apw in #ubuntu-kernel - sorry for cross-posting here): cat /proc/version /proc/cmdline /sys/devices/system/cpu/vulnerabilities/spectre_v2 | nc termbin.com 9999
[09:42] <tomreyn> https://termbin.com/gbhc
[09:50] <tomreyn> interestingly, AMD's advisory states "LFENCE/JMP (mitigation V2-2) may not sufficiently mitigate CVE-2017-5715 on *some* AMD CPUs" (*stress* added by myself) and does *not* list Ryzen 1000 series Desktop CPUs below. which could mean those are not affected, or are not being handled.
[09:50] <ubottu> Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715>
[10:14] <tomreyn> jjohansen: you have a point. i booted with spectre_v2=retpoline,generic now and got "Mitigation: Retpolines, IBPB: conditional, STIBP: disabled, RSB filling"
[10:27] <Nicholas[m]> on a related point, mitigation for spectre and meltdown results in a performance hit. Do we only need this mitigation on multiuser machines?
[10:27] <Nicholas[m]> For a single-user desktop (or small multiuser system of trusted users) can we disable these mitigating features and boost system performance...?
[10:40] <jjohansen> Nicholas[m]: that entirely depends on what software you run on those machines. VMs that you don't trust - no
[10:41] <jjohansen> web browsers connected to the internet, well just about anything that could run untrusted scripts like the web browser
[10:41] <jjohansen> not
=== chrisccoulson_ is now known as chrisccoulson

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!