On 20 February 2018 at 05:09, Andy Smith <a...@strugglers.net> wrote:
> Hello,
>
> On Mon, Feb 19, 2018 at 09:03:20PM +0000, Michael Fothergill wrote:
> > On 19 February 2018 at 19:10, Michael Lange <klappn...@freenet.de> wrote:
> > > no, I meant to say that you were looking at the wrong place if you wanted
> > > to see if the "spectre-2" fix has arrived in debian, for this one you
> > > will have to look here:
> > >
> > > https://security-tracker.debian.org/tracker/CVE-2017-5715
> >
> > No, we were not looking for it. I think a joint fix for meltdown and
> > spectre 1 would fit the bill at present.
>
> They are different bugs with different fixes. No one is even certain
> HOW to fix Spectre variant 1 yet, or if it can be without entirely
> new CPUs. Things have only got as far as kicking around ideas on how
> to make exploiting it harder.
>
> Your suggestion makes about as much sense as lumping every single
> buffer overflow bug into one CVE and then saying almost all software
> ever made is vulnerable, until there is one patch that fixes
> everything at once.
>

I think I just got Spectre 1 and 2 mixed up in the discussion. I did not think the Spectre fix worked for the entirety of the Spectre vulnerability.

I also read in quite a few places that fixing all of it was an open-ended problem.

>
> Your comments along the lines of "I thought it was fixed…", as
> Michael Lange pointed out, were about Spectre variant 2 but you are
> looking at the security tracker page for Spectre variant 1.
> CVE-2017-5753 is Spectre v1. There is no fix for Spectre v1 anywhere
> yet, not even in Linux upstream.
>
> Spectre v2, which you are talking about, is CVE-2017-5715, again as
> Michael Lange just pointed out to you. As you can see from the link
> that Michael gave you, Spectre v2 is fixed in the kernel package in
> sid. Read it again:
>
> <https://security-tracker.debian.org/tracker/CVE-2017-5715>
>
> That's the retpoline stuff you're talking about.
>

For me at any rate if the new version of gcc 4.9 makes it easier for a new user to get access to that portion of Spectre vulnerability jointly with the availability of Meltdown as is, then as I said I would be very pleased. And if a third person comes on the site asking about this problem then we could encourage them to try it.

Cheers

MF

> Cheers,
> Andy
>
> --
> https://bitfolk.com/ -- No-nonsense VPS hosting