Please read this before reporting a bug:
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines
Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines
Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#58700 - [linux][linux-firmware][libvirt][qemu][intel-ucode] CVE-2018-3639 CVE-2018-3640
Attached to Project:
Arch Linux
Opened by loqs (loqs) - Wednesday, 23 May 2018, 01:31 GMT
Last edited by Eli Schwartz (eschwartz) - Wednesday, 23 May 2018, 02:14 GMT
Opened by loqs (loqs) - Wednesday, 23 May 2018, 01:31 GMT
Last edited by Eli Schwartz (eschwartz) - Wednesday, 23 May 2018, 02:14 GMT
|
DetailsCVE-2018-3639 Description:
Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. Kernel fixes in 4.14.43 4.16.11 (note requires new microcode / firmware update) QEMU no new release relevant commits in git https://git.qemu.org/?p=qemu.git;a=commit;h=d19d1f965904a533998739698020ff4ee8a103da https://git.qemu.org/?p=qemu.git;a=commit;h=cfeea0c021db6234c154dbc723730e81553924ff https://git.qemu.org/?p=qemu.git;a=commit;h=d19d1f965904a533998739698020ff4ee8a103da libvirt no new release commits in git https://libvirt.org/git/?p=libvirt.git;a=commit;h=1dbca2eccad58d91a5fd33962854f1a653638182 https://libvirt.org/git/?p=libvirt.git;a=commit;h=9267342206ce17f6933d57a3128cdc504d5945c9 CVE-2018-3640 Description: Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis, aka Rogue System Register Read (RSRE), Variant 3a. requires new microcode |
This task depends upon
For CVE-2018-3640 that appears to be Intel only the mitigation is planned to be bundled with the microcode update with the mitigation for CVE-2018-3639.
****
CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability: NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)
> How to fix: The microcode of your CPU needs to be upgraded to mitigate this vulnerability. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make s ure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode up date for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CP U by searching for your CPUID (indicated in the Hardware Check section). The microcode update is enough, there is no additional O S, kernel or software change needed.
CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Mitigated according to the /sys interface: NO (Vulnerable)
* Kernel supports speculation store bypass: YES (found in /proc/self/status)
> STATUS: VULNERABLE (Your CPU doesn't support SSBD)
> How to fix: Your kernel is recent enough to use the CPU microcode features for mitigation, but your CPU microcode doesn't actua lly provide the necessary features for the kernel to use. The microcode of your CPU hence needs to be upgraded. This is usually d one at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're usi ng a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availabilit y of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is av ailable for your CPU by searching for your CPUID (indicated in the Hardware Check section).
****