Navigation

Language Selection

Search

Security: Meltdown and Spectre, Apple Code Leak, WordPress's Broken Automatic Update

Submitted by Roy Schestowitz on Thursday 8th of February 2018 10:09:24 PM Filed under

Security

Spectre V1 Mitigation & Other Spectre/Meltdown Updates For 64-bit ARM On Linux 4.16

Last week was the updates providing initial Spectre Variant Two and Meltdown mitigation for 64-bit ARM hardware on the Linux 4.16 kernel. This week as the Linux 4.16 merge window nears the end, Spectre Variant One mitigation has come for ARM64 as well as other Spectre V2 / Meltdown updates.
CloudLinux's KernelCare Promises to Fix Meltdown & Spectre Flaws without Reboots

CloudLinux has informed Softpedia about the availability of a new version of its KernelCare rebootless kernel patching service for Linux-based operating systems, promising to mitigate the Meltdown and Spectre security vulnerabilities without reboots.

Meltdown and Spectre affect the kernel and other components of a Linux-based operating system, including QEMU, Xen, Nvidia graphics drivers, as well as web browsers like Firefox, Chrome, and Opera. To patch your Linux computer against these bugs that affect billions of devices, requires you to reboot your systems, but not with KernelCare, a commercial live patching service from CloudLinux.
Key iPhone Source Code Gets Posted Online in 'Biggest Leak in History'
iBoot Source Code Leaked — Here's What iPhone Users Need to Know
“Biggest iPhone Code Leak?” — Source Code Of The Most Critical Part Of iOS Dumped On GitHub
iOS iBoot bootloader source code leaked on GitHub
WordPress's broken automatic update function

According to WordFence, a WordPress security site, "WordPress 4.9.3 was released earlier this week and it included a bug which broke WordPress auto-update. Millions of sites auto-updated from 4.9.2 to WordPress 4.9.3 and it broke their ability to auto-update in the future."

Login or register to post comments
Printer-friendly version
1826 reads
PDF version

More in Tux Machines

today's howtos

How to make LibreOffice Writer remember your last cursor position

Out of the box, LibreOffice opens every document at the beginning. Fortunately, the developers saw to add a little feature that would, when configured, open a document at the location of your cursor where you last worked on the document.
How to install Deepin desktop environment in Ubuntu
How to convert PNG to SVG image files - Tutorial
How to create VM using the qcow2 image file in KVM
Bash check if process is running or not on Linux / Unix
How to enter single user mode in SUSE 12 Linux?
How to Configure Nginx as Reverse Proxy for Nodejs App

Android Leftovers

The Spectre/Meltdown Performance Impact On Linux 4.20, Decimating Benchmarks With New STIBP Overhead

As outlined yesterday, significant slowdowns with the Linux 4.20 kernel turned out to be due to the addition of the kernel-side bits for STIBP (Single Thread Indirect Branch Predictors) for cross-HyperThread Spectre Variant Two mitigation. This has incurred significant performance penalties with the STIBP support in its current state with Linux 4.20 Git and is enabled by default at least for Intel systems with up-to-date microcode. Here are some follow-up benchmarks looking at the performance hit with the Linux 4.20 development kernel as well as the overall Spectre and Meltdown mitigation impact on this latest version of the Linux kernel. Some users have said AMD also needs STIBP, but at least with Linux 4.20 Git and the AMD systems I have tested with their up-to-date BIOS/microcode, that hasn't appeared to be the case. Most of the AMD STIBP references date back to January when Spectre/Meltdown first came to light. We'll see in the week ahead if there is any comment from AMD but at this time seems to be affecting up-to-date Intel systems with the Linux 4.20 kernel.

Today in Techrights

Latest News

Fedora: Flatpak, PHP Builds, Ansible and NeuroFedora

Flatpak – a solution to the Linux desktop packaging problem

In hindsight I must say the situation was not as bad as I thought on the server level: Linux in the data center grew and grew. Packaging simply did not matter that much because admins were used to problems deploying applications on servers anyway and they had the proper knowledge (and time) to tackle challenges. Additionally, the recent rise of container technologies like Docker had a massive impact: it made deploying of apps much easier and added other benefits like sandboxing, detailed access permissions, clearer responsibilities especially with dev and ops teams involved, and less dependency hell problems. Together with Kubernetes it seems as there is an actual standard evolving of how software is deployed on Linux servers. To summarize, in the server ecosystem things never were as bad, and are quite good these days. Given that Azure serves more Linux servers than Windows servers there are reasons to believe that Linux is these days the dominant server platform and that Windows is more and more becoming a niche platform.
PHP on RHEL-8
How to authenticate Ansible with Azure
NeuroFedora update: week 46

LLVM/AOCC, GCC at AMD

Radeon GCC Back-End Updated For Running Single-Threaded C & Fortran On AMD GPUs

Back in September Code Sourcery / Mentor Graphics posted the Radeon GCC back-end they have been developing with the cooperation of AMD. This is for allowing the GCC compiler to eventually offload nicely to Radeon GPUs with its different programming languages and supported parallel programming models, particularly with OpenMP and OpenACC in mind. But for now this patch series just works with single-threaded C and Fortran programs. The second version of this port was posted for review. Hitting the GCC mailing list on Friday was the updated version of this AMD GCN port targeting Tonga/Fiji through Vega graphics hardware. Code Sourcery will post the OpenACC/OpenMP support bits at a later date while for now the code works with single-threaded C/Fortran programs with C++ not yet supported, among other initial shortcomings. For now the AMDGPU LLVM back-end is far more mature in comparison, which is what's currently used by the open-source AMD Linux driver compute and graphics stacks.
AMD Optimizing C/C++ Compiler 1.3 Brings More Zen Tuning

Earlier this month AMD quietly released a new version of their Optimizing C/C++ compiler in the form of AOCC 1.3. This new compiler release has more Zen tuning to try to squeeze even more performance out of Ryzen/EPYC systems when using their LLVM-based compiler. The AMD Optimizing C/C++ Compiler remains AMD's high performance compiler for Zen compared to the earlier AMD Open64 Compiler up through the Bulldozer days. AOCC is based on LLVM Clang with various patches added in. Fortunately, with time at least a lot of the AOCC patches do appear to work their way into upstream LLVM Clang. AOCC also has experimental Fortran language support using the "Flang" front-end that isn't as nearly mature as Clang.

Security: Japan's Top Cybersecurity Official, SuperCooKey, Information Breach on HealthCare.gov

Security News This Week: Japan's Top Cybersecurity Official Has Never Used a Computer
SuperCooKey – A SuperCookie Built Into TLS 1.2 and 1.3

TLS 1.3 has a heavily touted feature called 0-RTT that has been paraded by CloudFlare as a huge speed benefit to users because it allows sessions to be resumed quickly from previous visits. This immediately raised an eyebrow for me because this means that full negotiation is not taking place.

After more research, I’ve discovered that 0-RTT does skip renegotiation steps that involve generating new keys.

This means that every time 0-RTT is used, the server knows that you’ve been to the site before, and it knows all associated IPs and sign-in credentials attached to that particular key.
Information Breach on HealthCare.gov

In October 2018, a breach occurred within the Marketplace system used by agents and brokers. This breach allowed inappropriate access to the personal information of approximately 75,000 people who are listed on Marketplace applications.