[19:32] <Guest53> Hi. A mitigation for the AMD Inception vulnerability has been available for a while in the upstream kernel. I would like to inquire about the timeline of introducing the fix to the Ubuntu kernels.
[19:36] <Guest53> If I'm in the wrong place with this question, please direct me to the correct place to ask something like this
[20:16] <tomreyn> hmm, a valid point to me. let's pretend they're still around, since i'm also wondering.
[20:17] <tomreyn> debian got it since Aug 11, apparently? https://security-tracker.debian.org/tracker/CVE-2023-20569
[20:17] -ubottu:#ubuntu-security- A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569>
[21:22] <sarnold> tomreyn: the changelog entries on https://launchpad.net/ubuntu/+source/amd64-microcode/3.20230808.1.1ubuntu1 make me think we might have pushed the microcode updates for it already?
[21:25] <tomreyn> sarnold: looks like it, for the firmware. i was more wondering about the linux patches (though, IIRC, one of the two is sufficient).
[21:26] <sarnold> tomreyn: I wouldn't be surprised if the kernel mitigation is one of those "prevent leaking kernel data to userspace" but doesn't help with eg secrets in a web browser being held safe from interpreted languages in the web browser, where the microcode probably helps with both
[21:31] <tomreyn> sarnold: i guess the issue with the microcode is that updates are, so far, only available for some affected CPUs (epyc, specifically, not the desktop ones), so having the kernel mitigation would be > nice to have.
[21:32] <sarnold> tomreyn: yeah :/ for at least one of the recent AMD issues they said the client cpus would be getting updated around november or december. oof.
[21:36] <tomreyn> right. so... it would be good to ensure the linux patches are present
[21:38] <sarnold> *nod* I've asked around if anyone's collected a list of necessary patches for the break-fix lines .. it quickly became apparent that it's way more than I can just pop off in a few minutes
[21:39] <tomreyn> oh, i didn't mean to suggest that *you* do it, or *now* ;-)
[21:39] <tomreyn> thanks for poking + helping me look into it.
[21:41] <sarnold> well, I kind of expected to find maybe two commits and then I could just add them to the file and then find out in a few hours if we've already shipped it or not :)
[21:41] <sarnold> no such luck, lol
[21:42] <tomreyn> :) you're clearly too optimistic
[21:47] <sarnold> definitely