From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Testing report for Core Update 132
Date: Tue, 28 May 2019 12:24:57 +0100
Message-ID: <80EC9595-86F3-4015-9BF6-4BA8EDE3F700@ipfire.org>

Hi,

> On 27 May 2019, at 21:26, Peter Müller wrote:
>
> Hello all,
>
> after testing too little in the past months, I am hereby
> trying to catch up for announced Core Update 132.

Cool!

>
> Most services are running as expected:
> - IPsec
> - OpenVPN (tested with RW connections only)
> - DDNS
> - Squid (non-transparent, including upstream proxy)
> - Suricata (IPS mode, activated on all interfaces)
>
> Tor suffers from missing libseccomp dependency and a permission
> bug (see #12088), but starts correctly after installing the
> library and fixing /var/lib/tor permissions manually.
>
> I can confirm IDS rulesets download works in combination
> with an upstream proxy now (tested with Emerging Threats).
>
> Suricata seems to drop some packets (as internal connections
> sometimes take ages to establish), but does not log anything.
> This requires some further investigation, and it is kind
> of an evident-missing blame at the moment.

Yes. I am aware of this and we have a ticket for it:

https://bugzilla.ipfire.org/show_bug.cgi?id=12078

>
> Talking about the all-new-and-improved Intel CPU vulnerabilities,
> disabling SMT automatically seems to work:
>
>> [root@maverick ~]# grep . /sys/devices/system/cpu/vulnerabilities/*
>> /sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
>> /sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT disabled
>> /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
>> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Not affected
>> /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
>> /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling

You got a royal flush there. Almost hit them all.

> (CPU is an Intel Celeron N3150 4x 1.60 GHz.)
>
> However, the new WebUI CGI is partly missing German translations,
> and claims "Simultaneous Multi-Threading (SMT) is not supported". The
> latter is confusing, as the system states the opposite.

This is what we get from the kernel.

> Talking about aesthetics, the CGI is a bit messy, but that
> is not a functionality problem and might be fixed in an upcoming
> update.

Yes I know. I mentioned I did this as quickly as possible to make the release. Please send in patches :)

-Michael

>
> Thanks, and best regards,
> Peter Müller
> --
> The road to Hades is easy to travel.
> -- Bion of Borysthenes
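
The status lines quoted in the report above can be checked mechanically after an update. The following shell script is an added example, not part of the original thread or of IPFire's code; the function names are hypothetical, and the SMT clauses it matches are the ones the kernel appends to the mds status line.

```shell
#!/bin/sh
# Added example. Status strings are those the kernel prints in
# /sys/devices/system/cpu/vulnerabilities/*; function names are hypothetical.

# classify_status STATUS -> ok | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# smt_state_from_mds STATUS -> the SMT clause the kernel appends to the mds line
smt_state_from_mds() {
    case "$1" in
        *"SMT Host state unknown"*) echo host-unknown ;;
        *"SMT disabled"*)           echo disabled ;;
        *"SMT mitigated"*)          echo mitigated ;;
        *"SMT vulnerable"*)         echo vulnerable ;;
        *)                          echo unreported ;;
    esac
}

# audit_cpu_vulns [DIR]: print "file<TAB>class<TAB>status" for each entry;
# return 1 if any entry is vulnerable or has an unrecognised status.
audit_cpu_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%s\t%s\t%s\n' "${f##*/}" "$class" "$status"
        case "$class" in vulnerable|unknown) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample: two of the status lines quoted in the report above,
# written to a scratch directory so the demo runs without touching /sys.
demo=$(mktemp -d)
echo 'Not affected' > "$demo/l1tf"
echo 'Mitigation: Clear CPU buffers; SMT disabled' > "$demo/mds"
audit_cpu_vulns "$demo"
echo "SMT per mds line: $(smt_state_from_mds "$(cat "$demo/mds")")"
rm -rf "$demo"
```

Called without an argument, `audit_cpu_vulns` reads the live sysfs directory, and its exit status can gate a post-update check.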