Language Selection

English French German Italian Portuguese Spanish

Security Patches and the Kernel (Linux)

Filed under
Linux
Security
  • Security updates for Tuesday

    Security updates have been issued by Fedora (community-mysql, crun, java-latest-openjdk, and mupdf), openSUSE (libssh2_org), and SUSE (go1.12, libseccomp, and tar).

  • New ZombieLoad Side-Channel Attack Variant: TSX Asynchronous Abort

    In addition to the JCC erratum being made public today and that performance-shifting Intel microcode update affecting Skylake through Cascade Lake, researchers also announced a new ZombieLoad side-channel attack variant dubbed "TSX Asynchronous Abort" or TAA for short.

    ZombieLoad / MDS (Microarchitectural Data Sampling) was announced back in May by researchers while today Cyberus Technology has announced a new variant focused on Intel processors with TSX (Transactional Synchronization Extensions). TSX Asynchronous Abort is a new ZombieLoad variant that was actually discovered back as part of Cyberus' originally discoveries but faced an extended embargo.

  • Linux Kernel Gets Mitigations For TSX Aync Abort Plus Another New Issue: iITLB Multihit

    The Linux kernel has just received its mitigation work for the newly-announced TSX Asynchronous Abort (TAA) variant of ZombieLoad plus revealing mitigations for another Intel CPU issue... So today in addition to the JCC Erratum and ZombieLoad TAA the latest is iITLB Multihit (NX) - No eXcuses.

    The mainline Linux kernel received mitigations for ZombieLoad TAA that work in conjunction with newly-published Intel microcode. The mitigations also now expose /sys/devices/system/cpu/vulnerabilities/tsx_async_abort for reporting the mitigation status plus a new tsx_async_abort kernel parameter. With the TAA mitigation, the system will clear CPU buffers on ring transitions.

  • LinuxBoot Continues Maturing - Now Able To Boot Windows

    LinuxBoot is approaching two years of age as the effort led by Facebook and others for replacing some elements of the system firmware with the Linux kernel.

    Chris Koch of Google presented at last month's Platform Security Summit 2019 on the initiative. The Platform Security Summit 2019 took place at the start of October at Microsoft's facilities in Redmond. LinuxBoot in recent months has been able to begin booting Windows 10, which is related to the recent reports on kexec'ing Windows from Linux. But not only is Windows booting but VMware and Xen are also now working in a LinuxBoot environment.

SUSE addresses Transactional Asynchronous Abort

Now the reaction from Red Hat and Canonical to Intel defects

  • Red Hat Responds to ZombieLoad v2 Security Vulnerabilities Affecting Intel CPUs

    Red Hat informes Softpedia today on a series of three new security vulnerabilities affecting the Intel CPU microarchitecture, but which have been already patched in the Linux kernel.

    The three new security vulnerabilities are CVE-2018-12207 (Machine Check Error on Page Size Change), CVE-2019-11135 (TSX Asynchronous Abort), as well as CVE-2019-0155 and CVE-2019-0154 (i915 graphics driver-related vulnerabilities). These are marked by Red Hat Security team as having an important and moderate security impact, which could allow attacker to gain read access to sensitive data, and which affects all supported Red Hat Enterprise Linux systems.

  • Ubuntu updates to mitigate latest Intel hardware vulnerabilities

    Today, Intel announced a group of new vulnerabilities affecting various Intel CPUs and associated GPUs, known as TSX Asynchronous Abort (CVE-2019-11135), Intel® Processor Machine Check Error (CVE-2018-12207), and two Intel i915 graphics hardware vulnerabilities (CVE-2019-0155, CVE-2019-0154).

    TSX Asynchronous Abort (TAA) is related to the previously announced MDS vulnerabilities but only affects Intel processors that support Intel® Transactional Synchronization Extensions (TSX). Due to the similarity between this issue and MDS, the mitigations for MDS are sufficient to also mitigate TAA. As such, processors which were previously affected by MDS and which have the MDS microarchitectural buffer clearing mitigations employed are not affected by TAA. For newer processors which were not affected by MDS, but which support Intel® TSX, TAA is mitigated in Ubuntu by a combination of an updated Linux kernel and Intel microcode packages which disable Intel® TSX. Where TSX is required, this can be re-enabled via a kernel command-line option (tsx=on) and in this case, the kernel will automatically employ microarchitectural buffer clearing mechanisms as used for MDS to mitigate TAA.

    Intel® Processor Machine Check Error (MCEPSC, also called iTLB multihit) is a vulnerability specific to virtualisation, where a virtual machine can cause a denial of service (system hang) to the host processor when hugepages are employed. This is mitigated in Ubuntu with an updated Linux kernel.

  • This week's hardware vulnerabilities

    A set of patches has just been pushed into the mainline repository (and stable updates) for yet another set of hardware vulnerabilities. "TSX async abort" (or TAA) exposes information through the usual side channels by way of internal buffers used with the transactional memory (TSX) instructions. Mitigation is done by disabling TSX or by clearing the relevant buffers when switching between kernel and user mode. Given that this is not the first problem with TSX, disabling it entirely is recommended; a microcode update may be needed to do so, though. This commit contains documentation on this vulnerability and its mitigation.

Canonical Announces Ubuntu Updates to Mitigate Latest Intel Vuln

  • Canonical Announces Ubuntu Updates to Mitigate Latest Intel Vulnerabilities

    Following on the footsteps of Red Hat, Canonical also announced today that it has prepared updates for all of its supported Ubuntu Linux releases to mitigate the latest Intel CPU security vulnerabilities.

    As we reported earlier, Intel announced today that several new security vulnerabilities are affecting various of its Intel CPU microarchitectures, as well as associated GPUs. These vulnerabilities are known as TSX Asynchronous Abort (CVE-2019-11135), Intel Processor Machine Check Error (CVE-2018-12207), and Intel i915 graphics hardware vulnerabilities (CVE-2019-0155, CVE-2019-0154).

    The first security vulnerability, TSX Asynchronous Abort (TAA), is related to the previously announced MDS (Microarchitectural Data Sampling) vulnerabilities. However, Canonical's Alex Murray explains that it only affects Intel processors that support the Intel Transactional Synchronization Extensions (TSX). As such, the existing MDS mitigations will also mitigate TAA.

Linux vs. Zombieland v2: The security battle continues

  • Linux vs. Zombieland v2: The security battle continues

    Here's the bad news: We're going to keep seeing fundamental Intel CPU security holes popping open until every last one of the current generations of these chips is in landfills. Zombieland v2 is only the latest of a line of problems, which go back to Meltdown and Spectre. The "good" news is for now Intel and the operating system companies are staying ahead of hackers. Here's what Linux and Red Hat are doing about the latest nastiness.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

digiKam 7.7.0 is released

After three months of active maintenance and another bug triage, the digiKam team is proud to present version 7.7.0 of its open source digital photo manager. See below the list of most important features coming with this release. Read more

Dilution and Misuse of the "Linux" Brand

Samsung, Red Hat to Work on Linux Drivers for Future Tech

The metaverse is expected to uproot system design as we know it, and Samsung is one of many hardware vendors re-imagining data center infrastructure in preparation for a parallel 3D world. Samsung is working on new memory technologies that provide faster bandwidth inside hardware for data to travel between CPUs, storage and other computing resources. The company also announced it was partnering with Red Hat to ensure these technologies have Linux compatibility. Read more

today's howtos

  • How to install go1.19beta on Ubuntu 22.04 – NextGenTips

    In this tutorial, we are going to explore how to install go on Ubuntu 22.04 Golang is an open-source programming language that is easy to learn and use. It is built-in concurrency and has a robust standard library. It is reliable, builds fast, and efficient software that scales fast. Its concurrency mechanisms make it easy to write programs that get the most out of multicore and networked machines, while its novel-type systems enable flexible and modular program constructions. Go compiles quickly to machine code and has the convenience of garbage collection and the power of run-time reflection. In this guide, we are going to learn how to install golang 1.19beta on Ubuntu 22.04. Go 1.19beta1 is not yet released. There is so much work in progress with all the documentation.

  • molecule test: failed to connect to bus in systemd container - openQA bites

    Ansible Molecule is a project to help you test your ansible roles. I’m using molecule for automatically testing the ansible roles of geekoops.

  • How To Install MongoDB on AlmaLinux 9 - idroot

    In this tutorial, we will show you how to install MongoDB on AlmaLinux 9. For those of you who didn’t know, MongoDB is a high-performance, highly scalable document-oriented NoSQL database. Unlike in SQL databases where data is stored in rows and columns inside tables, in MongoDB, data is structured in JSON-like format inside records which are referred to as documents. The open-source attribute of MongoDB as a database software makes it an ideal candidate for almost any database-related project. This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step installation of the MongoDB NoSQL database on AlmaLinux 9. You can follow the same instructions for CentOS and Rocky Linux.

  • An introduction (and how-to) to Plugin Loader for the Steam Deck. - Invidious
  • Self-host a Ghost Blog With Traefik

    Ghost is a very popular open-source content management system. Started as an alternative to WordPress and it went on to become an alternative to Substack by focusing on membership and newsletter. The creators of Ghost offer managed Pro hosting but it may not fit everyone's budget. Alternatively, you can self-host it on your own cloud servers. On Linux handbook, we already have a guide on deploying Ghost with Docker in a reverse proxy setup. Instead of Ngnix reverse proxy, you can also use another software called Traefik with Docker. It is a popular open-source cloud-native application proxy, API Gateway, Edge-router, and more. I use Traefik to secure my websites using an SSL certificate obtained from Let's Encrypt. Once deployed, Traefik can automatically manage your certificates and their renewals. In this tutorial, I'll share the necessary steps for deploying a Ghost blog with Docker and Traefik.