Puppy Linux Discussion Forum
[ Meltdown & Spectre ] Puppy's kernel update?
Page 1 of 2 [23 Posts]
fabrice_035


Joined: 28 Apr 2014
Posts: 538
Location: Bretagne / France

Posted: Mon 08 Jan 2018, 07:50    Post subject: [ Meltdown & Spectre ] Puppy's kernel update?
Subject description: Abandon ship?
 

Hi,

Puppy developers, can you tell me if there is any hope of seeing a patch/update for Puppies (like Tahrpup)?

Regards.
s243a

Joined: 02 Sep 2014
Posts: 1305

Posted: Mon 08 Jan 2018, 11:16

Upgrade the kernel. Until then just be careful of what you install and stay away from untrusted web sites.

I don't believe that these attacks have been demonstrated from a browser script, but if you are worried maybe turn off JavaScript or alternatively install a script blocker like NoScript and only allow scripts from trusted sites.
Sailor Enceladus

Joined: 22 Feb 2016
Posts: 1547

Posted: Mon 08 Jan 2018, 11:39

My impression, from compiling 4.4.110 in Puduan with kernel-kit and seeing no sign of the Meltdown Kaiser/KPTI patch being used, is that you have to add CONFIG_PAGE_TABLE_ISOLATION=y to the "Security options" part of the kernel config for it to work, so I'm building it again with that line added, this time in Slacko 5.7.1 woof-CE. Maybe I'll post the kernel here when it's done. :)

edit: Then again I compiled it as 32-bit nopae last time, and I read somewhere that the exploit can read RAM in the 4GB range, so maybe 32-bit nopae kernels are already exempt from the issue? The one I'm building this time is 4.4.110 32-bit pae though.
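An added example, not part of Sailor Enceladus's post or of kernel-kit: a shell check that a kernel config file (plain, or gzip-compressed like /proc/config.gz) really carries the CONFIG_PAGE_TABLE_ISOLATION=y line discussed above, plus a read of the running kernel's own Meltdown status file where one exists. The function names and the sample configs are constructed for illustration.

```sh
#!/bin/sh
# Added example: is the KPTI (Meltdown) option set in a kernel config?

# kpti_config_state FILE -> prints "enabled", "disabled" or "absent"
kpti_config_state() {
    case $1 in
        *.gz) gzip -dc "$1" ;;      # e.g. /proc/config.gz
        *)    cat "$1" ;;           # e.g. the .config used for the build
    esac | awk '
        $0 == "CONFIG_PAGE_TABLE_ISOLATION=y"            { s = "enabled" }
        $0 == "# CONFIG_PAGE_TABLE_ISOLATION is not set" { s = "disabled" }
        END { print (s == "" ? "absent" : s) }'
}

# kpti_runtime_state [DIR] -> the running kernel's own Meltdown report,
# or "unknown" on kernels that do not expose the file.
kpti_runtime_state() {
    f="${1:-/sys/devices/system/cpu/vulnerabilities}/meltdown"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Constructed sample configs, not taken from any real Puppy build.
kpti_demo() {
    d=$(mktemp -d)
    printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_PAGE_TABLE_ISOLATION=y' > "$d/patched"
    printf '%s\n' 'CONFIG_SECURITY=y' '# CONFIG_PAGE_TABLE_ISOLATION is not set' > "$d/off"
    printf '%s\n' 'CONFIG_SECURITY=y' > "$d/old"
    gzip -c "$d/patched" > "$d/config.gz"
    for f in patched off old config.gz; do
        printf '%-10s %s\n' "$f" "$(kpti_config_state "$d/$f")"
    done
    printf '%-10s %s\n' running "$(kpti_runtime_state)"
    rm -rf "$d"
}
kpti_demo
```

"absent" means the option line does not appear in the file at all, which is different from an option that is offered but switched off.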
belham2

Joined: 15 Aug 2016
Posts: 1628

Posted: Mon 08 Jan 2018, 12:10

s243a wrote:
Upgrade the kernel. Until then just be careful of what you install and stay away from untrusted web sites.

I don't believe that these attacks have been demonstrated from a browser script, but if you are worried maybe turn off JavaScript or alternatively install a script blocker like NoScript and only allow scripts from trusted sites.

s243a,

So should we view "murga-linux" as a trusted site, given the bazillion of downloads of scripts it has in its memory banks? You know, all those "remove the fake.gz" and/or links to downloads....and all of it so thoughtfully done over http and not that stupid thing of https?

Beware of what lurks in our house :lol: ;)
fabrice_035


Joined: 28 Apr 2014
Posts: 538
Location: Bretagne / France

Posted: Mon 08 Jan 2018, 12:39

@s243a
Quote:
Upgrade the kernel

-> expert way <-
Of course, download the original kernel, patch, recompile... I tried this :? it's too hard for me, and the same for many users I think :oops:

Share your experience, please.
s243a

Joined: 02 Sep 2014
Posts: 1305

Posted: Mon 08 Jan 2018, 14:58

belham2 wrote:
s243a wrote:
Upgrade the kernel. Until then just be careful of what you install and stay away from untrusted web sites.

I don't believe that these attacks have been demonstrated from a browser script, but if you are worried maybe turn off JavaScript or alternatively install a script blocker like NoScript and only allow scripts from trusted sites.

s243a,

So should we view "murga-linux" as a trusted site, given the bazillion of downloads of scripts it has in its memory banks? You know, all those "remove the fake.gz" and/or links to downloads....and all of it so thoughtfully done over http and not that stupid thing of https?

Beware of what lurks in our house :lol: ;)


If you don't trust those then you don't have to use them, or alternatively review the source for security issues. One could also webscrape the forum and compile a list of checksums. The checksums could be stored somewhere more secure like Freenet. If an old file changes its checksum then that is very suspicious.

Maybe Flash could pull this info from the forum monthly and publish the info to Freenet. I'm not singling out anyone else's house, but Puppy by nature of being a minimal distribution has security advantages.

If you really want to get religious about this though, then what you need is a PGP web of trust. Also note that there is nothing stopping people from signing their downloads with a PGP signature, and as an added bonus, unlike SSL it doesn't rely on a central authority.

Also note that an attacker usually tries to maximize the number of people they can target with the least effort. Typically they would be more interested in targeting one of the most used Linux distributions and getting a large percentage of the users rather than targeting ranked 10 or less on DistroWatch and only getting a few of the users. Also most attacks aren't sophisticated and rely on social engineering rather than exploiting an esoteric vulnerability. There also is no indication yet that any of the above attacks have been used in the wild.

But then again if the target is interesting enough to the right people (e.g. intelligence agencies) then I'm sure that these attacks will be tried.
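The checksum-list idea from the post above, as an added example that is not s243a's or the forum's code: record a SHA-256 for each download the first time it is seen and flag any file whose hash later differs. The function name, the manifest format and the sample file are assumptions; the manifest would be kept wherever you trust more than the download host.

```sh
#!/bin/sh
# Added example: trust-on-first-use checksum manifest for downloaded files.
# Assumes file names without whitespace (the manifest is "HASH  NAME" lines).

# check_downloads MANIFEST FILE...
# Prints "NEW name", "OK name" or "CHANGED name"; returns 1 if any file changed.
check_downloads() {
    manifest=$1; shift
    [ -f "$manifest" ] || : > "$manifest"
    rc=0
    for f in "$@"; do
        name=$(basename "$f")
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        known=$(awk -v n="$name" '$2 == n { print $1; exit }' "$manifest")
        if [ -z "$known" ]; then
            # First sighting: record the hash, nothing to compare against yet.
            printf '%s  %s\n' "$sum" "$name" >> "$manifest"
            echo "NEW $name"
        elif [ "$known" = "$sum" ]; then
            echo "OK $name"
        else
            # Same name, different content: keep the recorded hash and alert.
            echo "CHANGED $name"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample file standing in for a forum download.
manifest_demo() {
    d=$(mktemp -d)
    echo 'pet package v1' > "$d/example.pet"
    check_downloads "$d/manifest" "$d/example.pet"    # first run
    check_downloads "$d/manifest" "$d/example.pet"    # unchanged
    echo 'modified contents' > "$d/example.pet"
    check_downloads "$d/manifest" "$d/example.pet" ||
        echo "alert: example.pet differs from its recorded checksum"
    rm -rf "$d"
}
manifest_demo
```

A first sighting proves nothing about the file itself; the manifest only detects later changes, which is why the post pairs it with PGP signatures for the stronger guarantee.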
ozsouth

Joined: 01 Jan 2010
Posts: 398
Location: S.E Australia

Posted: Mon 08 Jan 2018, 20:42    Post subject: A list of apparently affected CPUs

Note: Prefbar browser addon allows user to toggle javascript & flash on/off as required.

Apparently affected CPU list: https://www.techarp.com/guides/complete-list-cpus-meltdown-spectre

EDIT: Corrected link - all apparently affected CPU list

Last edited by ozsouth on Tue 09 Jan 2018, 01:39; edited 1 time in total
musher0

Joined: 04 Jan 2009
Posts: 13156
Location: Gatineau (Qc), Canada

Posted: Mon 08 Jan 2018, 23:38    Post subject: Re: A list of apparently affected CPUs

ozsouth wrote:
Note: Prefbar browser addon allows user to toggle javascript & flash on/off as required.

Apparently affected CPU list: https://www.techarp.com/guides/complete-list-cpus-meltdown-spectre/4/

Hello ozsouth and all.

I can't seem to find a similar list for AMD CPUs.
Some articles say they are also affected.
Does anybody have a lead? TIA.

_________________
musher0
~~~~~~~~~~
Je suis né pour aimer et non pas pour haïr. (Sophocle) /
I was born to love and not to hate. (Sophocles)
ozsouth

Joined: 01 Jan 2010
Posts: 398
Location: S.E Australia

Posted: Tue 09 Jan 2018, 01:40

see 2 posts up
musher0

Joined: 04 Jan 2009
Posts: 13156
Location: Gatineau (Qc), Canada

Posted: Tue 09 Jan 2018, 02:02

Ah. It's on another page of that article:
https://www.techarp.com/guides/complete-list-cpus-meltdown-spectre/#amd
Thanks, ozsouth.

Edit -- Phew. AMD "Turion line" CPUs are not affected.

ozsouth

Joined: 01 Jan 2010
Posts: 398
Location: S.E Australia

Posted: Tue 09 Jan 2018, 03:50    Post subject: My summary (as requested)

Apparently affected CPU list - https://www.techarp.com/guides/complete-list-cpus-meltdown-spectre

Intel support notes - https://www.intel.com/sa-00086-support

Prefbar mozilla addon toggles javascript & flash on/off.
s243a

Joined: 02 Sep 2014
Posts: 1305

Posted: Tue 09 Jan 2018, 03:54    Post subject: Re: My summary (as requested)

ozsouth wrote:
Intel support notes - https://www.intel.com/sa-00086-support

Prefbar mozilla addon toggles javascript & flash on/off.

I wonder what this means:

"The vulnerability identified in CVE-2017-5712 is exploitable remotely over the network in conjunction with a valid administrative Intel® Management Engine credential. The vulnerability is not exploitable if a valid administrative credential is unavailable."
belham2

Joined: 15 Aug 2016
Posts: 1628

Posted: Tue 09 Jan 2018, 04:44    Post subject: Re: My summary (as requested)

ozsouth wrote:
Apparently affected CPU list - https://www.techarp.com/guides/complete-list-cpus-meltdown-spectre

Intel support notes - https://www.intel.com/sa-00086-support

Hi Ozsouth!

Thank you for that link...by far the easiest and most understandable discussion of Spectre 1/2 & exactly which chips are affected.

After going thru the list, I am feeling a whole lot better. This is one time having a bit dated (but still working great) hardware & chips has paid off enormously. None---not a single one---of the AMD desktop chips in my house are on the list. Woohooo! I do have one Intel chip (in a laptop) on the list, but I took it completely out of commission 3 days ago & it will stay that way probably forever since Intel is passing-the-buck to the mftr of the laptop & saying it's them (and not Intel) that'll provide the BIOS update fixes. Of course, mftr's of older laptops with Intel affected chips are currently doing no such thing, and I've been told they've no plans to. From what I've heard, not HP, not Asus, not Sony, not Dell, not a one of them is going to support/provide BIOS updates for affected Intel chips from 2010-2013. They are just saying they've dropped support for those, and you've got to buy a new laptop that is under support still. Geez, and they wonder why their customer ratings are near non-existent.

Anyhow, thanks again for the links.
ozsouth

Joined: 01 Jan 2010
Posts: 398
Location: S.E Australia

Posted: Tue 09 Jan 2018, 06:52    Post subject: My mitigation

Re the OP's question, I don't expect Slacko64 k4.4 will be updated. Other pups may be. New pups based on patched kernels will eventually be released, so mitigate in the interim, if like me, you have processors in the 'twilight zone' - on the affected list, but not getting updates (5-8 years old).

Hence I have a full install for most work, with javascript & flash toggled off, & do my secure stuff quickly on a frugal install on that laptop, then reboot.
ac2011

Joined: 09 Feb 2011
Posts: 127

Posted: Tue 09 Jan 2018, 10:21

musher0 wrote:
Ah. It's on another page of that article:
https://www.techarp.com/guides/complete-list-cpus-meltdown-spectre/#amd
Thanks, ozsouth.

Edit -- Phew. AMD "Turion line" CPUs are not affected.


Or perhaps just too old to be listed? I have a couple of T7600 Intel Core 2 Duo machines that also aren't on that list. I don't see what, if anything, would make them invulnerable to Spectre, though. It may just be the case that these machines are too old for Intel/AMD to even bother testing.

Not trying to alarm you, just saying that absence of proof is not proof of absence. I would like to see a list of CPUs that have been tested as definitely *not* affected. That would be more useful.