From f47251a9cd2b15023ab038f827c37222426d94fe Mon Sep 17 00:00:00 2001
From: mickael e
Date: Thu, 13 Jun 2019 10:39:57 -0400
Subject: [PATCH 1/2] Bump kernels to 4.4.182

Bumps kernel version in metapackage.

This kernel version addresses network stack vulnerabilities known as SACK
panic (https://access.redhat.com/security/vulnerabilities/tcpsack):

* CVE-2019-11479
* CVE-2019-11478
* CVE-2019-11477
---
 install_files/ansible-base/group_vars/all/securedrop | 4 ++--
 molecule/builder-xenial/tests/vars.yml | 2 +-
 molecule/testinfra/staging/vars/staging.yml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index b4078b68f1..d8691acdc0 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -52,5 +52,5 @@ securedrop_cond_reboot_file: /tmp/sd-reboot-now
 
 # If you bump this, also remember to bump in molecule/builder/tests/vars.yml
 securedrop_pkg_grsec:
-  ver: "4.4.177"
-  depends: "linux-image-4.4.167-grsec,linux-firmware-image-4.4.167-grsec,linux-image-4.4.177-grsec,linux-firmware-image-4.4.177-grsec"
+  ver: "4.4.182"
+  depends: "linux-image-4.4.177-grsec,linux-firmware-image-4.4.177-grsec,linux-image-4.4.182-grsec,linux-firmware-image-4.4.182-grsec"
diff --git a/molecule/builder-xenial/tests/vars.yml b/molecule/builder-xenial/tests/vars.yml
index 873202c8d1..29ba12941e 100644
--- a/molecule/builder-xenial/tests/vars.yml
+++ b/molecule/builder-xenial/tests/vars.yml
@@ -3,7 +3,7 @@ securedrop_version: "0.14.0~rc1"
 ossec_version: "3.0.0"
 keyring_version: "0.1.2"
 config_version: "0.1.3"
-grsec_version: "4.4.177"
+grsec_version: "4.4.182"
 
 # These values will be interpolated with values populated above
 # via helper functions in the tests.
diff --git a/molecule/testinfra/staging/vars/staging.yml b/molecule/testinfra/staging/vars/staging.yml
index ca63c236be..2049389d6a 100644
--- a/molecule/testinfra/staging/vars/staging.yml
+++ b/molecule/testinfra/staging/vars/staging.yml
@@ -178,4 +178,4 @@ log_events_with_ossec_alerts:
     rule_id: "400700"
 
 fpf_apt_repo_url: "https://apt-test.freedom.press"
-grsec_version: "4.4.177"
+grsec_version: "4.4.182"

From 40b366fa2f422e1d42e7fc9fc459fdc51e787399 Mon Sep 17 00:00:00 2001
From: mickael e
Date: Wed, 19 Jun 2019 09:25:21 -0400
Subject: [PATCH 2/2] Add intel-microde to list of kernel metapackage
 dependencies

This will ensure the lastest CPU microcode is used to provide further
mitigations against CPU vulnerabilities:

* CVE-2017-5753 (Spectre v1)
* CVE-2017-5715 (Spectre v2)
* CVE-2017-5754 (Spectre v3 a.k.a. Meltdown)
* CVE-2018-3640 (Spectre v3a)
* CVE-2018-3639 (Spectre v4)
* CVE-2018-3615 (Foreshadow SGX a.k.a. L1TF)
* CVE-2018-3620 (Forshadow-NG OS a.k.a. L1TF)
* CVE-2018-3646 (Foreshadow-NG VMM a.k.a L1TF)
* CVE-2018-12126 (Fallout)
* CVE-2018-12130 (ZombieLoad)
* CVE-2018-12127 (RIDL a.k.a. MLPDS)
* CVE-2019-11091 (RIDL a.k.a MDS)

While an attacker would need code execution to be able to exploit these
vulnerabilities, updating the CPU microcode will provide defense-in-depth.
---
 install_files/ansible-base/group_vars/all/securedrop | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index d8691acdc0..830f53a76a 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -53,4 +53,4 @@ securedrop_cond_reboot_file: /tmp/sd-reboot-now
 # If you bump this, also remember to bump in molecule/builder/tests/vars.yml
 securedrop_pkg_grsec:
   ver: "4.4.182"
-  depends: "linux-image-4.4.177-grsec,linux-firmware-image-4.4.177-grsec,linux-image-4.4.182-grsec,linux-firmware-image-4.4.182-grsec"
+  depends: "linux-image-4.4.177-grsec,linux-firmware-image-4.4.177-grsec,linux-image-4.4.182-grsec,linux-firmware-image-4.4.182-grsec,intel-microcode"
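Review bot: The new `depends` value pins `intel-microcode` unconditionally, so on a host with an AMD CPU the metapackage installs a microcode package that does nothing for that hardware while the AMD counterpart (`amd64-microcode`) is never pulled in, and the Spectre/MDS/L1TF rationale in the commit message only holds for Intel parts. Either add `amd64-microcode` alongside it or record the assumption in the comment above the key, e.g. `# intel-microcode is listed because supported hardware is assumed to be Intel-only; AMD hosts would need amd64-microcode`. Microcode shipped this way is presumably applied at early boot, so a microcode bump likely needs the same reboot handling that a kernel change does (`securedrop_cond_reboot_file` is visible in the hunk header) — worth confirming. Separately, the context comment still points at `molecule/builder/tests/vars.yml`, whereas the first patch in this series updates `molecule/builder-xenial/tests/vars.yml`, so the path in that comment is stale.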