Hello,

On Mon, Feb 19, 2018 at 09:03:20PM +0000, Michael Fothergill wrote:
> On 19 February 2018 at 19:10, Michael Lange <klappn...@freenet.de> wrote:
> > no, I meant to say that you were looking at the wrong place if you wanted
> > to see if the "spectre-2" fix has arrived in debian, for this one you
> > will have to look here:
> >
> > https://security-tracker.debian.org/tracker/CVE-2017-5715
>
> No, we were not looking for it. I think a joint fix for meltdown and
> spectre 1 would fit the bill at present.

They are different bugs with different fixes. No one is even certain HOW to fix Spectre variant 1 yet, or if it can be without entirely new CPUs. Things have only got as far as kicking around ideas on how to make exploiting it harder.

Your suggestion makes about as much sense as lumping every single buffer overflow bug into one CVE and then saying almost all software ever made is vulnerable, until there is one patch that fixes everything at once.

Your comments along the lines of "I thought it was fixed…", as Michael Lange pointed out, were about Spectre variant 2 but you are looking at the security tracker page for Spectre variant 1.

CVE-2017-5753 is Spectre v1. There is no fix for Spectre v1 anywhere yet, not even in Linux upstream.

Spectre v2, which you are talking about, is CVE-2017-5715, again as Michael Lange just pointed out to you.

As you can see from the link that Michael gave you, Spectre v2 is fixed in the kernel package in sid. Read it again:

<https://security-tracker.debian.org/tracker/CVE-2017-5715>

That's the retpoline stuff you're talking about.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting