CLD-202 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-5715 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s) Spectre

Basic Information:

Affected Package(s) linux
Deficiency Type SECURITY
Date Created 2018-01-07 13:45:12
Date Last Modified 2018-05-14 18:15:06

Version Specific Information:

Cucumber 1.0 i686 fixed in linux-4.9.77-i686-1
Cucumber 1.0 x86_64 fixed in linux-4.9.77-x86_64-1

Cucumber 1.1 i686 fixed in linux-4.9.77-i686-1
Cucumber 1.1 x86_64 fixed in linux-4.9.77-x86_64-1

Details:

==================================== Edit #5 ===================================

Mon May 14 18:44:12 EDT 2018:
The kernel has been rebuilt using the new kernel-gcc compiler to enable the
retpoline mitigation against this vulnerability. Here are the details from the
relevant changelog entry:

Mon May 14 18:08:17 EDT 2018
base/linux rebuilt (build 2) to enable the retpoline mitigation against the
	Spectre v2 security vulnerability (CVE-2017-5715). Starting with this
	build, the kernel-gcc package is now required to build the linux
	package. It is necessary to use the newer kernel-gcc (GCC v7.3.0)
	instead of the standard Cucumber Linux 1.1 gcc (GCC v5.3.0) because this
	mitigation requires the kernel to be compiled with a retpoline aware
	compiler, which GCC 5.3.0 is not but GCC 7.3.0 is. For more information
	see:
		https://security.cucumberlinux.com/security/details.php?id=202
		https://www.mail-archive.com/lfs-support@lists.linuxfromscratch.org/msg04844.html
* SECURITY FIX *


==================================== Edit #4 ===================================

Fri Apr 20 16:51:06 EDT 2018:
This vulnerability has been mitigated even further in version 4.9.95 of the
Linux kernel. For more information see:
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.95

==================================== Edit #3 ===================================

This vulnerability has been further mitigated in version 4.9.81 of the Linux
kernel. For further details see:
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.81

==================================== Edit #2 ===================================

While this vulnerability was originally addressed in version 4.9.77 of the
Linux kernel, it has been further addressed in version 4.9.79, where the
kernel's BPF interpreter was removed by enabling BPF_JIT_ALWAYS_ON. Here are
some more details from the relevant changelog entry:

Thu Feb 1 16:29:37 EST 2018
base/linux upgraded from 4.9.78 to 4.9.79 to further address the Spectre 2
	attack (CVE-2017-5715). This update enables the new BPF_JIT_ALWAYS_ON
	feature of the Linux kernel, which removes the kernel's BPF interpreter.
	This interpreter was used in the Spectre 2 attack that Google published.
	It should be noted that this change does not completely prevent this
	attack, it just makes it more difficult to exploit. For more information
	see:
		https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.79
		http://security.cucumberlinux.com/security/details.php?id=202
* SECURITY FIX *
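
To confirm on a running system what the changelog entries for Edit #5 (retpoline-aware compiler) and Edit #2 (BPF_JIT_ALWAYS_ON) describe, the following added example (not part of the Cucumber Linux changelog or packaging) classifies the kernel's own Spectre v2 report and checks the kernel config. It assumes the sysfs file /sys/devices/system/cpu/vulnerabilities/spectre_v2 and a config at /proc/config.gz or /boot/config-<release> are available; the status strings are those printed by kernels of this era, the function names are hypothetical and the sample inputs are constructed.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample inputs are constructed.

# Map the kernel's spectre_v2 sysfs status line to a short verdict.
# "Minimal ... ASM retpoline" is what a kernel built by a compiler that is
# not retpoline aware reports; "Full ... retpoline" needs compiler support.
classify_spectre_v2() {
    case "$1" in
        "Mitigation: Full "*retpoline*)    echo full ;;
        "Vulnerable: Minimal "*retpoline*) echo minimal ;;
        "Not affected"*)                   echo not-affected ;;
        Vulnerable*)                       echo vulnerable ;;
        Mitigation:*)                      echo other-mitigation ;;
        *)                                 echo unknown ;;
    esac
}

# Read kernel config text on stdin; succeed if the BPF interpreter is built out.
bpf_jit_always_on() {
    grep -q '^CONFIG_BPF_JIT_ALWAYS_ON=y$'
}

# report STATUS CONFIG_TEXT -> "<retpoline verdict> <bpf verdict>"
report() {
    if [ -z "$2" ]; then
        bpf=config-unknown
    elif printf '%s\n' "$2" | bpf_jit_always_on; then
        bpf=jit-always-on
    else
        bpf=interpreter-present
    fi
    echo "$(classify_spectre_v2 "$1") $bpf"
}

# Constructed samples: a build by a non-retpoline-aware compiler without
# BPF_JIT_ALWAYS_ON, then a rebuild with both changes applied.
echo "before: $(report 'Vulnerable: Minimal generic ASM retpoline' \
    '# CONFIG_BPF_JIT_ALWAYS_ON is not set')"
echo "after:  $(report 'Mitigation: Full generic retpoline' \
    'CONFIG_BPF_JIT_ALWAYS_ON=y')"

# Live check, only when the kernel exposes the sysfs report.
f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
if [ -r "$f" ]; then
    cfg=$(zcat /proc/config.gz 2>/dev/null ||
          cat "/boot/config-$(uname -r)" 2>/dev/null || true)
    echo "live:   $(report "$(cat "$f")" "$cfg")"
fi
```

A verdict of "minimal" on a kernel that should carry the Edit #5 rebuild indicates it was compiled without a retpoline-aware compiler.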

==================================== Edit #1 ===================================

In version 4.9.77 of the Linux kernel, patches were introduced that attempt to
mitigate this vulnerability.

================================= Original Post ================================

This is a hardware vulnerability, and as of Sun Jan 7 14:15:45 EST 2018 there
is no known fix for it or known way to mitigate its effects.

See https://meltdownattack.com/ for more information about this vulnerability.