2023-07-05 17:57:47 stackrot: nice new kernel vulnerability from 6.1 to 6.4: https://www.openwall.com/lists/oss-security/2023/07/05/1
2023-07-05 17:59:07 less interesting than the silent memory corruption in 6.4.1 that breaks firefox :D
2023-07-05 17:59:43 But that one doesn't have a slick name
2023-07-05 18:00:07 :)
2023-07-14 21:22:36 well would you look at that
2023-07-14 21:22:42 they added io_uring_disabled sysctl to 6.6
2023-07-14 21:23:08 now you don't need the same kernel with one option changed :D
2023-07-14 21:24:01 it even has a =1 for root/sys_admin only or =2 for fully disabled
2023-07-15 19:51:14 thanks Google
2023-07-16 17:03:42 When can that happen for unpriv userns :)
2023-07-16 17:08:41 ask the kernel developers
2023-07-16 18:46:27 idkrn[m]: isn't there already one?
2023-07-16 19:18:31 nope
2023-07-16 19:42:54 https://lwn.net/Articles/673597/ > it turns out that Debian currently carries a similar patch, but, on Debian systems, the knob is called unprivileged_userns_clone and doesn't support the "privileged users only" setting.
2023-07-16 19:43:00 my bad, it's/was debian only
2023-07-16 19:44:25 one can use `/proc/sys/user/max_user_namespaces = 0`
2023-07-16 20:06:04 that does work
2023-07-16 20:06:05 hehe
2023-07-16 20:57:19 jvoisin: there is one used by linux-hardened
2023-07-17 08:35:37 https://gitlab.alpinelinux.org/alpine/aports/-/issues/14482
2023-07-17 08:35:53 do we deem this to be a critical issue? looks like this is publicly documented now and busybox upstream hasn't fixed it
2023-07-17 08:36:34 ps has a similar issue
2023-07-17 08:37:12 I personally don't think it's too serious and I don't have the time to patch it rn
2023-07-17 08:45:18 we should probably try to get the attention from upstream busybox
2023-07-19 06:08:19 "https://gitlab.alpinelinux.org/..." <- Broken URL?
2023-07-19 06:40:47 No, the issue is marked confidential
2023-07-19 06:57:49 "do we deem this to be a critical..." <- While also being public?
2023-07-19 15:17:16 Security release for openssh CVE-2023-38408 9.3p2
2023-07-19 15:19:38 it seems this CVE is also assigned to Adobe Illustrator for some reason
2023-07-19 15:20:01 ah oof, 2022, sorry
2023-07-19 15:20:44 https://www.openssh.com/releasenotes.html
2023-07-19 15:20:51 https://www.openssh.com/txt/release-9.3p2
2023-07-19 15:59:45 ikke: i added secfixes data
2023-07-19 16:47:12 ^ https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
2023-07-19 19:33:08 ncopa: the data is useless because it's already fixed in that version
2023-07-20 06:40:18 👍
2023-07-20 06:42:55 technically it was a 0: even, haha
2023-07-20 06:45:33 i'm feeling old...
2023-07-20 06:45:35 :)
2023-07-20 06:45:57 we all get old eventually
2023-07-20 06:46:18 hopefully
2023-07-20 06:46:29 i better get some coffee and breakfast before I do something stupid
2023-07-20 06:46:37 or say something stupid
2023-07-20 06:49:30 how so?
2023-07-20 06:49:33 whadya thinking of
2023-07-20 08:29:52 nothing in particular. i just feel stupid for adding CVE data to openssh :)
2023-07-20 08:58:30 you also wrote 8.8 when the version is 9.3 :p
2023-07-20 08:58:34 but no harm done
2023-07-20 08:58:51 it's not like we don't all do redundant or wrong stuff
2023-07-20 08:59:03 8.9*
2023-07-24 23:46:51 zenbleed
2023-07-25 00:04:53 !49146
2023-07-25 00:15:26 !49147 !49148
2023-07-25 01:20:37 !49149
2023-07-25 01:21:21 I'm too tired to figure out my 3.16-stable branch issue, would someone please cherry pick that for me?
2023-07-25 04:54:45 not sure if the zenbleed microcode update secretly ignores my cpu or if ucode loading is just broken for me
2023-07-25 04:54:49 annoying ass microcode updates
2023-07-25 04:56:50 Sums it up very well.
2023-07-25 04:57:19 well i can say with 100% certainty it's ignored
2023-07-25 04:57:21 no idea why tho
2023-07-25 04:57:33 thankfully the exploit is easy to run
2023-07-25 04:57:37 only the chicken bit fixes it
2023-07-25 04:58:00 oh, was gonna ask if UEFI has been updating before the OS could get to it, but sounds like it's not?
2023-07-25 04:58:07 both
2023-07-25 04:58:18 uefi updates also generally update ucode
2023-07-25 04:58:25 if the ucode you try to load is newer it would get applied
2023-07-25 04:58:34 right
2023-07-25 04:58:38 if you have a new enough motherboard for zen2 you probably have an update through that route already
2023-07-25 04:58:45 just run the exploit to see if it works
2023-07-25 04:58:46 :D
2023-07-25 04:58:53 zenbleed is on AMD, right?
2023-07-25 04:58:56 zen2
2023-07-25 04:59:00 all cpus
2023-07-25 04:59:06 oh fun
2023-07-25 05:00:38 I bet my HP t740 is affected for it
2023-07-25 05:00:42 s/for/by
2023-07-25 05:01:02 or something similarly bad
2023-07-25 05:01:14 ACTION grumbles about HP's low quality UEFI updates.
2023-07-25 05:02:34 V1756B is zen1
2023-07-25 05:02:43 so nah
2023-07-25 05:03:20 may be hope for it yet
2023-07-25 05:03:32 anyway time to sleep. have a good one
2023-07-25 05:04:32 ikke: you have to reboot the riscv host and whatever for this
2023-07-25 05:04:35 the 7402p machine
2023-07-25 05:04:43 nld-dev-1
2023-07-25 05:05:14 https://img.ayaya.dev/ndCfqvs2thDW
2023-07-25 05:05:15 :D
2023-07-25 05:05:45 upgrade and see
2023-07-25 05:05:47 ucode should be there
2023-07-25 05:05:52 if this doesn't fix it, it means something is really broken
2023-07-25 05:06:01 either the update is broken, or the way we generate the .bin is
2023-07-25 05:06:18 i'll test it after reboot
2023-07-25 05:13:07 rebooting now
2023-07-25 05:14:32 ah maybe it needs the new kernel too
2023-07-25 05:14:41 there's a kernel-level zenbleed fix
2023-07-25 05:14:43 i'll bump that too
2023-07-25 05:16:09 all sent
2023-07-25 05:16:12 will take a while to build
2023-07-25 05:20:56 yeah just updating and rebooting doesn't work and it's still live
2023-07-25 05:22:09 i guess next reboot with new kernel will fix it, but that doesn't fix the ucode..
2023-07-25 05:22:20 all https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.1.y&id=ed9b87010aa84c157096f98c322491e9af8e8f07 is doing is applying the chicken bit when ucode doesn't work
2023-07-25 05:22:34 so we still have to figure that out
2023-07-25 05:23:19 could you post a dmesg from the host
2023-07-25 05:24:16 https://tpaste.us/vN15
2023-07-25 05:24:52 microcode: CPU0: patch_level=0x0830104d
2023-07-25 05:25:19 yeah, but that comes from the bios
2023-07-25 05:25:28 if it actually applies the file it prints something about updating from/to
2023-07-25 05:25:44 i assume it's grub and there's a `initrd amd-ucode.bin` line
2023-07-25 05:25:49 img*
2023-07-25 05:27:11 there is no such line in /boot/grub/grub.cfg
2023-07-25 05:27:43 mm
2023-07-25 05:27:45 there should be
2023-07-25 05:28:07 is there a /boot/amd-ucode.bin
2023-07-25 05:28:12 no
2023-07-25 05:28:19 apk add amd-ucode and regenerate the grub config
2023-07-25 05:28:22 then check again
2023-07-25 05:28:26 if it's there, then reboot after
2023-07-25 05:28:48 in this case it was just never installed, afaik if it was grub would generate it
2023-07-25 05:28:53 yes
2023-07-25 05:28:58 initrd /boot/amd-ucode.img /boot/initramfs-lts
2023-07-25 05:29:02 correct
2023-07-25 05:29:10 it automatically regenerated
2023-07-25 05:29:14 sweet
2023-07-25 05:29:16 time for round 2
2023-07-25 05:29:43 send it (intentionally without waiting for kernel)
2023-07-25 05:34:19 back
2023-07-25 05:34:30 it sure takes a long time to boot
2023-07-25 05:34:41 yes, it's bare metal
2023-07-25 05:35:02 needs to initialize firmware first
2023-07-25 05:35:19 yeah, big lad
2023-07-25 05:35:31 it's fixed
2023-07-25 05:35:32 no leaks
2023-07-25 05:35:36 now look at dmesg again
2023-07-25 05:36:25 microcode: microcode updated early to new patch_level=0x0830107a
2023-07-25 05:36:32 :)
2023-07-25 05:36:52 i guess limine just fails to actually load it for some reason since that's what i use
2023-07-25 05:37:17 or my 3700x rejects it
2023-07-25 07:01:57 > Also, the firmware fixes are apparently only targeting EPYC at this point, not consumer CPUs.
2023-07-25 07:01:59 ok makes sense
2023-07-25 07:02:08 so that ucode is just for our nld server
2023-07-25 07:02:10 :D
2023-07-25 07:03:44 > AMD has patches ready for its EPYC 7002 'Rome' processors now, but it will not patch its consumer Zen 2 Ryzen 3000, 4000, and some 5000-series chips until November and December of this year.
2023-07-25 07:03:47 .....
2023-07-25 07:05:20 Oof
2023-07-25 07:05:28 RIP
2023-07-25 07:05:43 🐔 bit it is until then
2023-07-25 07:05:49 G
2023-07-25 07:09:42 yeah
2023-07-25 07:09:49 new kernel sets it so nothin to do, just sucks
2023-07-25 12:14:58 grep microcode /proc/cpuinfo
2023-07-31 17:46:13 omni: apparently xen released a new revision of their zenbleed patches
2023-07-31 20:43:01 ikke: I think they only updated with the CVE number
2023-07-31 20:43:07 the .patch files seem to be the same
2023-07-31 20:43:21 or do you mean this? https://xenbits.xen.org/xsa/xsa433-bugfix.patch
2023-07-31 20:43:29 hmm, they mentioned they set some unspecified bits potentially leading to unexpected behavior
2023-07-31 20:47:40 ah, yes, it is the -bugfix.patch
2023-07-31 20:47:41 thanks
2023-07-31 21:22:01 !49360 !49364 !49365 !49366 !49367