CPU vulnerability - CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715

Howdy all,

While we don’t distribute any software directly impacted by this issue, it is a big enough issue that I felt it worth mentioning, just in case anyone has missed the news elsewhere. A variety of serious data exposure bugs have been discovered in most major CPUs of the past decade or so. It is most dangerous on multi-tenant systems of all kinds (like Cloudmin and Virtualmin systems with untrusted users), as an attack could be used by non-privileged users with any sort of shell access to discover sensitive information, such as passwords or private keys.

Linux distributions have begun rolling out new kernels with mitigations, but not all distros have made them available yet. But, be on the lookout for those updates from your OS vendor(s), and plan to reboot into the new kernel ASAP after it becomes available. I see that RHEL has the default kernel available (which would also cover KVM users), but no Xen kernel yet.

Some relevant coverage of the topic:



Be careful out there. Also, now is a good time to check your backups and disaster recovery processes to make sure they’re doing the right thing.



Centos is already shipping the patched kernel. Probably is the same situation with any other major OS. The question is, when and if people will update their machines.

Debian also.
Debian Security Advisory
DSA-4078-1 linux – security update

The other vulnerabilities (named Spectre) published at the same time are not addressed in this update and will be fixed in a later update.

For the oldstable distribution (jessie), this problem will be fixed in a separate update.

For the stable distribution (stretch), this problem has been fixed in version 4.9.65-3+deb9u2.

We recommend that you upgrade your linux packages.