public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Core Update 149
Date: Wed, 19 Aug 2020 14:09:15 +0100
Message-ID: <B4498579-BA0D-4128-BCA3-600C80ED49C8@ipfire.org>


Hello boys and girls,

I would like to start a little conversation about Core Update 149.

As you might have seen already, a large number of patches went into it and it updates the whole toolchain and brings many new features! Yay!

Here is an excerpt from the change log:

	IPFire is based on glibc 2.32, the standard library for all C programs, and GCC 10.2, the GNU Compiler Collection. Both bring various bug fixes and improvements.

	The most notable change is that we have decided to remove a mitigation for Spectre 2 which caused user space programs in IPFire to run about 50% slower due to using a microcode feature which is called "retpoline". Those "return trampolines" disable the branch prediction engine in out-of-order processors, which was considered to help with mitigating leaking any information from any inaccessible kernel space.

	This is, however, not as effective as thought and massively decreases performance in the user land, which mainly affects features like our Intrusion Prevention System, Web Proxy and URL filter. We still use this mechanism to avoid leaking any kernel memory into the user space.

	On top of that, we have updated various tools used for building IPFire as well as core libraries.

	We have also enabled a new GCC feature called "stack clash protection" on x86_64 and aarch64, which adds additional checks to mitigate exploits, and we have enabled "CF protection", which hardens all software against attackers gaining control over a program's flow and circumventing security checks like password or signature validation.

https://blog.ipfire.org/post/ipfire-2-25-core-update-149-is-available-for-testing (not published, yet)

To make sure that this is not introducing any issues, I would like to ask everyone to install this as soon as they can.

We have also updated GRUB which should run fine - Arne performed lots of testing - but I would like to know if there are still some corner cases on obscure updates that might render IPFire non-bootable after the update has been applied.

We are going to release Core Update 148 next week and I would like to merge Core Update 149 into master the same day. That way we have a fresh update available for our community to test :)

Please report any feedback here or on BZ.

Happy testing!

-Michael
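The changelog excerpt above says that all of IPFire's user space is now built with GCC's "CF protection" (`-fcf-protection`). On x86_64 a binary built that way carries a `.note.gnu.property` section with the `GNU_PROPERTY_X86_FEATURE_1_AND` property, whose IBT and SHSTK bits are what the kernel and loader use to decide whether CET can be enabled for that process; a tester who wants to confirm the update actually shipped hardened binaries can read those bits straight from the ELF file. The script below is an added example written for this page, not part of the mailing-list message or of IPFire's own tooling. It parses the GNU property note format (documented in the gABI/x86-64 psABI), walks ELF64 little-endian section headers to find the note in a real file, and builds a constructed note blob inline so it can be exercised without a binary at hand. The function names and the `build_property_note` helper are assumptions of this example.

```python
"""Check whether an x86_64 ELF binary carries the CET (IBT/SHSTK) markers
that GCC's -fcf-protection emits.  Added example; not IPFire code."""
import struct
import sys

# Constants from the ELF gABI and the x86-64 psABI.
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 0x1
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 0x2


def parse_property_note(note: bytes, align: int = 8) -> dict:
    """Parse a .note.gnu.property blob into {pr_type: raw data bytes}.

    Layout: namesz, descsz, type (u32 each), name padded to `align`,
    then desc = repeated (pr_type u32, pr_datasz u32, data padded to `align`).
    `align` is 8 for ELF64, 4 for ELF32.
    """
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    name_end = 12 + namesz
    name = note[12:name_end - 1]  # strip trailing NUL
    if name != b"GNU" or ntype != NT_GNU_PROPERTY_TYPE_0:
        raise ValueError("not a GNU property note")
    desc_start = (name_end + align - 1) & ~(align - 1)
    desc = note[desc_start:desc_start + descsz]
    props = {}
    off = 0
    while off + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, off)
        props[pr_type] = desc[off + 8:off + 8 + pr_datasz]
        off += 8 + ((pr_datasz + align - 1) & ~(align - 1))
    return props


def cet_features(note: bytes) -> dict:
    """Return which CET features the note asserts for every object linked in."""
    feat = parse_property_note(note).get(GNU_PROPERTY_X86_FEATURE_1_AND)
    bits = struct.unpack("<I", feat[:4])[0] if feat else 0
    return {
        "ibt": bool(bits & GNU_PROPERTY_X86_FEATURE_1_IBT),
        "shstk": bool(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK),
    }


def read_property_note(path: str):
    """Locate .note.gnu.property in a little-endian ELF64 file; None if absent."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (shoff,) = struct.unpack_from("<Q", data, 0x28)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)

    def section(i):
        # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, ...
        return struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize)

    strtab_off = section(shstrndx)[4]
    for i in range(shnum):
        sh = section(i)
        name_start = strtab_off + sh[0]
        name = data[name_start:data.index(b"\0", name_start)]
        if name == b".note.gnu.property":
            return data[sh[4]:sh[4] + sh[5]]
    return None


def build_property_note(feature_bits: int) -> bytes:
    """Construct a minimal x86-64 property note (demo input, not from a real file)."""
    # One property: pr_type, pr_datasz=4, 4 bytes of data, 4 bytes of pad to 8.
    desc = struct.pack("<IIII", GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_bits, 0)
    name = b"GNU\0"
    return struct.pack("<III", len(name), len(desc), NT_GNU_PROPERTY_TYPE_0) + name + desc


if __name__ == "__main__":
    for path in sys.argv[1:]:
        note = read_property_note(path)
        print(path, cet_features(note) if note else "no .note.gnu.property")
```

Run it as `python3 check_cet.py /usr/bin/*` on a test box after the update; a binary that prints `{'ibt': False, 'shstk': False}` or "no .note.gnu.property" was not built with `-fcf-protection`, or was linked with an object that lacked it (the property is an AND across all inputs, so a single unhardened object clears the bits for the whole executable). The script only decodes the x86_64 property; aarch64 uses a different property type for BTI/PAC, and stack clash protection leaves no ELF marker at all, so it cannot be verified this way.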
