[ meltdown & spectre ] Puppy's kernel update?

Posted: Mon 08 Jan 2018, 11:50
by fabrice_035
Hi,

Puppy's developers, can you tell me if there is a hope of seeing a patch/update for Puppy? (like Tahrpup)

Regards.

Posted: Mon 08 Jan 2018, 15:16
by s243a
Upgrade the kernel. Until then just be careful of what you install and stay away from untrusted web sites.

I don't believe that these attacks have been demonstrated from a browser script but if you are worried maybe turn off javascript or alternatively install a script blocker like noscript and only allow scripts from trusted sites.

Posted: Mon 08 Jan 2018, 15:39
by Sailor Enceladus
My impression, from compiling 4.4.110 in Puduan with kernel-kit and seeing no sign of the Meltdown Kaiser/KPTI patch being used, is that you have to add CONFIG_PAGE_TABLE_ISOLATION=y to the "Security options" part of the kernel config for it to work, so I'm building it again with that line added, this time in Slacko 5.7.1 woof-CE. Maybe I'll post the kernel here when it's done. :)

edit: Then again I compiled it as 32-bit nopae last time, and I read somewhere that the exploit can read RAM in the 4GB range, so maybe 32-bit nopae kernels are already exempt from the issue? The one I'm building this time is 4.4.110 32-bit pae though.

Posted: Mon 08 Jan 2018, 16:10
by belham2
s243a wrote: Upgrade the kernel. Until then just be careful of what you install and stay away from untrusted web sites.

I don't believe that these attacks have been demonstrated from a browser script but if you are worried maybe turn off javascript or alternatively install a script blocker like noscript and only allow scripts from trusted sites.


s243a,

So should we view "murga-linux" as a trusted site, given the bazillion of downloads of scripts it has in its memory banks? You know, all those "remove the fake.gz" and/or links to downloads....and all of it so thoughtfully done over http and not that stupid thing of https?

Beware of what lurks in our house :lol: :wink:

Posted: Mon 08 Jan 2018, 16:39
by fabrice_035
@s243a
Upgrade the kernel
-> expert way <-
Of course, download original kernel, patch, recompile... I tried this :? it's too hard for me and the same for many users I think :oops:

Share your experience plz.

Posted: Mon 08 Jan 2018, 18:58
by s243a
belham2 wrote:
s243a wrote: Upgrade the kernel. Until then just be careful of what you install and stay away from untrusted web sites.

I don't believe that these attacks have been demonstrated from a browser script but if you are worried maybe turn off javascript or alternatively install a script blocker like noscript and only allow scripts from trusted sites.


s243a,

So should we view "murga-linux" as a trusted site, given the bazillion of downloads of scripts it has in its memory banks? You know, all those "remove the fake.gz" and/or links to downloads....and all of it so thoughtfully done over http and not that stupid thing of https?

Beware of what lurks in our house :lol: :wink:
If you don't trust those then you don't have to use them or alternatively review the source for security issues. One could also webscrape the forum and compile a list of checksums. The checksums could be stored somewhere more secure like freenet. If an old file changes its checksum then that is very suspicious.

Maybe Flash could pull this info from the forum monthly and publish the info to Freenet. I'm not singling out anyone else's house but puppy by nature of being a minimal distribution has security advantages.

If you really want to get religious about this though then what you need is a pgp web of trust. Also note that there is nothing stopping people from signing their downloads with a pgp signature and as an added bonus unlike SSL it doesn't rely on a central authority.

Also note that an attacker usually tries to maximize the number of people they can target with the least effort. Typically they would be more interested in targeting one of the most used linux distributions and getting a large percentage of the users rather than targeting ranked 10 or less on distro watch and only getting a few of the users. Also most attacks aren't sophisticated and rely on social engineering rather than exploiting an esoteric vulnerability. There also is no indication yet that any of the above attacks have been used in the wild.

But then again if the target is interesting enough to the right people (e.g. intelligence agencies) then I'm sure that these attacks will be tried.
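
The checksum-list idea in the post above, sketched as an added example that is not part of the original post: two snapshots of a download directory are hashed with `sha256sum` and compared, so a file that keeps its name but changes content stands out. The function names, file names and directory contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): detect downloads whose checksum changed
# between two snapshots. Manifests use the `sha256sum` output format.

# make_manifest DIR -> one "<digest>  ./<path>" line per file under DIR.
make_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2)
}

# compare_manifests OLD NEW -> "CHANGED <path>" when a path present in both
# snapshots has a different digest, "NEW <path>" for first-seen paths and
# "MISSING <path>" for paths that disappeared.
compare_manifests() {
    awk '
        {   # line is "<digest> <space or *><path>"; keep spaces inside the path
            digest = $1; path = $0; sub(/^[^ ]+ [ *]/, "", path)
        }
        FILENAME == ARGV[1] { old[path] = digest; next }
        { seen[path] = 1 }
        !(path in old)      { print "NEW " path; next }
        old[path] != digest { print "CHANGED " path }
        END { for (p in old) if (!(p in seen)) print "MISSING " p }
    ' "$1" "$2"
}

# Constructed demo: a mirror directory with two files, one of which is
# silently replaced after the first snapshot was taken.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/mirror"
    printf 'pet package v1\n' > "$work/mirror/tool-1.0.pet"
    printf 'kernel sfs\n'     > "$work/mirror/kernel.sfs"
    make_manifest "$work/mirror" > "$work/old.sha256"
    printf 'tampered\n'       > "$work/mirror/tool-1.0.pet"   # same name, new content
    printf 'new upload\n'     > "$work/mirror/extra.pet"
    make_manifest "$work/mirror" > "$work/new.sha256"
    compare_manifests "$work/old.sha256" "$work/new.sha256"
    rm -rf "$work"
}
demo
```

The comparison is only as trustworthy as the place the old manifest is kept, which is why the post suggests storing it somewhere other than the server being checked.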

A list of apparently affected CPUs

Posted: Tue 09 Jan 2018, 00:42
by ozsouth
Note: Prefbar browser addon allows user to toggle javascript & flash on/off as required.

Apparently affected CPU list: https://www.techarp.com/guides/complete ... wn-spectre

EDIT: Corrected link - all apparently affected CPU list

Re: A list of apparently affected CPUs

Posted: Tue 09 Jan 2018, 03:38
by musher0
ozsouth wrote:Note: Prefbar browser addon allows user to toggle javascript & flash on/off as required.

Apparently affected CPU list: https://www.techarp.com/guides/complete ... spectre/4/
Hello ozsouth and all.

I can't seem to find a similar list for AMD CPUs.
Some articles say they are also affected.
Does anybody have a lead? TIA.

Posted: Tue 09 Jan 2018, 05:40
by ozsouth
see 2 posts up

Posted: Tue 09 Jan 2018, 06:02
by musher0
Ah. It's on another page of that article:
https://www.techarp.com/guides/complete ... ectre/#amd
Thanks, ozsouth.

Edit -- Phew. AMD "Turion line" CPUs are not affected.

My summary (as requested)

Posted: Tue 09 Jan 2018, 07:50
by ozsouth
Apparently affected CPU list - https://www.techarp.com/guides/complete ... wn-spectre

Intel support notes - https://www.intel.com/sa-00086-support

Prefbar mozilla addon toggles javascript & flash on/off.

Re: My summary (as requested)

Posted: Tue 09 Jan 2018, 07:54
by s243a
ozsouth wrote:
Intel support notes - https://www.intel.com/sa-00086-support

Prefbar mozilla addon toggles javascript & flash on/off.
I wonder what this means:

"The vulnerability identified in CVE-2017-5712 is exploitable remotely over the network in conjunction with a valid administrative Intel® Management Engine credential. The vulnerability is not exploitable if a valid administrative credential is unavailable."

Re: My summary (as requested)

Posted: Tue 09 Jan 2018, 08:44
by belham2
ozsouth wrote: Apparently affected CPU list - https://www.techarp.com/guides/complete ... wn-spectre

Intel support notes - https://www.intel.com/sa-00086-support



Hi Ozsouth!

Thank you for that link...by far the most easy and understandable discussion of Spectre 1/2 & exactly which chips are affected.

After going thru the list, I am feeling a whole lot better. This is one time having a bit dated (but still working great) hardware & chips has paid off enormously. None---not one single one in my house---AMD desktop chips are on the list. Woohooo! I do have one Intel chip (in a laptop) on the list, but I took it completely out of commission 3 days ago & it will stay that way probably forever since Intel is passing-the-buck to the mftr of the laptop & saying it's them (and not Intel) that'll provide the BIOS update fixes. Of course, mftr's of older laptops with Intel affected chips are currently doing no such thing, and I've been told they've no plans to. From what I've heard, not HP, not Asus, not Sony, not Dell, not a one of them are going to support/provide BIOS updates for affected Intel chips from 2010-2013. They are just saying they've dropped support for those, and you've got to buy a new laptop that is under support still. Geez, and they wonder why their customer ratings are near the non-existent.

Anyhow, thanks again for the links.

My mitigation

Posted: Tue 09 Jan 2018, 10:52
by ozsouth
Re the OP's question, I don't expect Slacko64 k4.4 will be updated. Other pups may be. New pups based on patched kernels will eventually be released, so mitigate in the interim, if like me, you have processors in the 'twilight zone' - on the affected list, but not getting updates (5-8 years old).

Hence I have a full install for most work, with javascript & flash toggled off, & do my secure stuff quickly on a frugal install on that laptop, then reboot.

Posted: Tue 09 Jan 2018, 14:21
by ac2011
musher0 wrote:Ah. It's on another page of that article:
https://www.techarp.com/guides/complete ... ectre/#amd
Thanks, ozsouth.

Edit -- Phew. AMD "Turion line" CPUs are not affected.
Or perhaps just too old to be listed? I have a couple of T7600 Intel Core 2 Duo machines that also aren't on that list. I don't see what, if anything, would make them invulnerable to Spectre, though. It may just be the case that these machines are too old for Intel/AMD to even bother testing.

Not trying to alarm you, just saying that absence of proof is not proof of absence. I would like to see a list of CPUs that have been tested as definitely *not* affected. That would be more useful.

Re: My summary (as requested)

Posted: Tue 09 Jan 2018, 15:07
by belham2
ozsouth wrote:Apparently affected CPU list - https://www.techarp.com/guides/complete ... wn-spectre

Intel support notes - https://www.intel.com/sa-00086-support

Prefbar mozilla addon toggles javascript & flash on/off.

Hi Ozsouth,

Trying to access "techarp" today to show a few friends the lists, and am getting weird behavior from the techarp site. First, it keeps trying to reload our browsers (shut them down and restart them--and we are on different machines, and different lans). Even more weirdly, when we won't let it do that, it pops up the pic below. Gotta ask: do you use this site often? Are they legit? Had never heard of them until yest and now I am circumspect given this behavior their site is displaying. The scripts on the main page are aggressive in attempting to do things to each different browser we tried (Firefox, Palemoon, Chrome) but we have the browsers set up that javascript is disabled. Darn weird...didn't do this to me yesterday when I looked the 1st time.

(This pic below was snapped after a full 1-2 minutes passed)

Posted: Tue 09 Jan 2018, 15:59
by mostly_lurking
belham2 wrote: Trying to access "techarp" today to show a few friends the lists, and am getting weird behavior from the techarp site.
They are running some DDoS protection software. (I've seen that before on other sites.) Enable Javascript and cookies and you should be able to get in.
musher0 wrote:AMD "Turion line" CPUs are not affected.
ac2011 wrote:Or perhaps just too old to be listed? I have a couple of T7600 Intel Core 2 Duo machines that also aren't on that list. I don't see what, if anything, would make them invulnerable to Spectre, though. It may just be the case that these machines are too old for Intel/AMD to even bother testing.
The list contains AMD workstation processors going as far back as 2011, but desktop/mobile processors only for 2015-2017. Unless home PC CPUs didn't receive the features that made them vulnerable until 2015, it looks like a case of "didn't bother testing older ones".

Posted: Tue 09 Jan 2018, 16:25
by Marv
Linux 32 bit kernels and 64 bit kernels handle memory spaces quite differently. Here is one reference https://lwn.net/Articles/738975/. There may be better. I haven't yet seen a 32 bit kernel with the kpti patches verifiably enabled and am trying to understand whether that is due to the greater pressure to patch the 64 bit ones or to the difference in memory handling affecting meltdown & spectre vulnerability. Any help in understanding this part of the issue?

Edit 11/01/2018: Having made no progress at all with 32 bit kernels, I extracted the 64b 4.14.12 from Fatdog64 721 Final (Thanks Kirk, James, SFR and step) and am running LxPupSc 18.01 +2T with it. kpti enabled, meltdown protected, but microcode not working yet on my i5 so still spectre vulnerable. Inch by inch... later, also running and meltdown protected in battleshooter's xfce xenialpup64. My i5 is probably outside Intel's 5 year fix window hence the microcode not working. Confirmed that the latest ucode doesn't include the 2520 though Intel claims it does. Microcode loading is working correctly on that kernel so I'll probably use it across the board for now.

Edited later on 11/01/2018 to add attachment and update microcode stuff.
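
Two questions raised in this thread, whether a build actually picked up CONFIG_PAGE_TABLE_ISOLATION (Sailor Enceladus's post) and whether kpti is verifiably enabled on a running kernel (the post above), can be answered from the kernel config and the boot log. The shell functions below are an added example, not code from any poster or from kernel-kit; the function names are hypothetical and the config and dmesg lines are constructed samples. It assumes the boot message "Kernel/User page tables isolation: enabled" that patched kernels print.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a kernel was built with
# page-table isolation and whether it reported enabling it at boot.

# pti_config_state FILE -> "enabled", "disabled" or "absent" for the
# CONFIG_PAGE_TABLE_ISOLATION option in a kernel config (plain or gzipped,
# e.g. /proc/config.gz or the config file saved by a kernel build).
pti_config_state() {
    case "$1" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    $reader "$1" | awk '
        /^CONFIG_PAGE_TABLE_ISOLATION=y$/            { state = "enabled" }
        /^# CONFIG_PAGE_TABLE_ISOLATION is not set$/ { state = "disabled" }
        END { print (state == "" ? "absent" : state) }'
}

# pti_boot_state FILE -> "enabled" if a saved `dmesg` log contains the line
# patched kernels print at boot, otherwise "not reported".
pti_boot_state() {
    if grep -q 'Kernel/User page tables isolation: enabled' "$1"; then
        echo enabled
    else
        echo "not reported"
    fi
}

# Constructed inputs, not taken from any real machine.
demo() {
    work=$(mktemp -d) || return 1
    printf '%s\n' 'CONFIG_SECURITY=y' '# CONFIG_PAGE_TABLE_ISOLATION is not set' > "$work/config-a"
    printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_PAGE_TABLE_ISOLATION=y' | gzip -c > "$work/config-b.gz"
    printf '%s\n' 'CONFIG_SECURITY=y' > "$work/config-c"   # option never offered
    printf '%s\n' '[    0.000000] Kernel/User page tables isolation: enabled' > "$work/dmesg.txt"
    for f in config-a config-b.gz config-c; do
        echo "$f: $(pti_config_state "$work/$f")"
    done
    echo "dmesg.txt: $(pti_boot_state "$work/dmesg.txt")"
    rm -rf "$work"
}
demo
```

An "absent" result means the option name does not appear in the config at all, which is different from it being present and switched off. On a live system the second function would be fed the output of `dmesg` saved to a file.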

Kernel update?

Posted: Fri 12 Jan 2018, 02:53
by autumnleaves
Is there a kernel update for dummies file somewhere? Tahrpup 64 6.0.6

Posted: Thu 18 Jan 2018, 09:47
by souleau
Okay, so the situation with me is that I am running Puppy Precise 5.7.1 on a machine with an AMD Athlon 3000+ processor.

I am very happy with this setup since it has been tweaked to cater to my preferences over a long period of time.

Now, patches for Ubuntu Precise are only available for Ubuntu Advantage customers with Extended Security Maintenance. So if I want security I should basically switch to another Puppy.

But I don't want to.

If I understand correctly, my cpu is only vulnerable to one form of the Spectre exploit, which in itself is the more difficult one to accomplish.
So the question really is, am I a reckless idiot for thinking the risks are negligible if I don't do anything at all?