Update grsecurity kernels to 4.4.182 #4543
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Bumps kernel version in metapackage. This kernel version addresses network stack vulnerabilities known as SACK panic (https://access.redhat.com/security/vulnerabilities/tcpsack): * CVE-2019-11479 * CVE-2019-11478 * CVE-2019-11477
This will ensure the lastest CPU microcode is used to provide further mitigations against CPU vulnerabilities: * CVE-2017-5753 (Spectre v1) * CVE-2017-5715 (Spectre v2) * CVE-2017-5754 (Spectre v3 a.k.a. Meltdown) * CVE-2018-3640 (Spectre v3a) * CVE-2018-3639 (Spectre v4) * CVE-2018-3615 (Foreshadow SGX a.k.a. L1TF) * CVE-2018-3620 (Forshadow-NG OS a.k.a. L1TF) * CVE-2018-3646 (Foreshadow-NG VMM a.k.a L1TF) * CVE-2018-12126 (Fallout) * CVE-2018-12130 (ZombieLoad) * CVE-2018-12127 (RIDL a.k.a. MLPDS) * CVE-2019-11091 (RIDL a.k.a MDS) While an attacker would need code execution to be able to exploit these vulnerabilities, updating the CPU microcode will provide defense-in-depth.
|
Tested clean install on Mac Minis:
Upgrade testing:
|
|
Thanks @zenmonkeykstop for the review! I'm going to merge this to unblock CI, as other PR's will need to be re-based on this in order to pass infra tests. We will do further QA as part of 0.14.0 release testing. |
9 tasks
19 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Status
Ready for review
Description of Changes
Fixes #4520, #3663 .
Bumps kernels to 4.4.182
Adds intel-microcode to list of dependencies
Testing
Testing can only be done once kernels are upgraded to apt test.
Clean install
uname -rreturns4.4.182-grseconappandmonserversUpgrade testing
molecule/shared/stable-verto 0.13.0 (because 0.13.1 boxes not yet uploaded, see Release SecureDrop 0.13.1 #4524 )make upgrade-startsecurity.listapt.freedom.press -> apt-test.freedom.press and `sudo cron-apt -i -sappandmonserversuname -rreturns4.4.182-grseconappandmonserversintel-microcodepackage is installed onappandmonserversDeployment
Both new and existing installs will be updated via unattended apt updates.
Checklist
If you made non-trivial code changes: