From: Michael Tremer
To: development@lists.ipfire.org
Subject: Core Update 149
Date: Wed, 19 Aug 2020 14:09:15 +0100

Hello boys and girls,

I would like to start a little conversation about Core Update 149.

As you might have seen already, a large number of patches went into it, and it updates the whole toolchain and brings many new features! Yay!

Here is an excerpt from the change log:

IPFire is based on glibc 2.32, the standard library for all C programs, and GCC 10.2, the GNU Compiler Collection. Both bring various bug fixes and improvements.

The most notable change is that we have decided to remove a mitigation for Spectre 2 which caused user space programs in IPFire to run about 50% slower due to using a microcode feature which is called "retpoline". Those "return trampolines" disable the branch prediction engine in out-of-order processors, which was considered to help with mitigating leaking any information from inaccessible kernel space.

This is however not as effective as thought and massively decreases performance in the user land, which mainly affects features like our Intrusion Prevention System, Web Proxy and URL filter. We still use this mechanism to avoid leaking any kernel memory into the user space.

On top of that, we have updated various tools used for building IPFire as well as core libraries.

We have also enabled a new GCC feature called "stack clash protection" on x86_64 and aarch64 which adds additional checks to mitigate exploits, and we have enabled "CF protection" which hardens all software against attackers gaining control over a program's flow and circumventing security checks like password or signature validation.
https://blog.ipfire.org/post/ipfire-2-25-core-update-149-is-available-for-testing (not published, yet)

To make sure that this is not introducing any issues, I would like to ask everyone to install this as soon as they can.

We have also updated GRUB which should run fine - Arne performed lots of testing - but I would like to know if there are still some corner cases on obscure updates that might render IPFire non-bootable after the update has been applied.

We are going to release Core Update 148 next week and I would like to merge Core Update 149 into master the same day. That way we have a fresh update available for our community to test :)

Please report any feedback here or on BZ.

Happy testing!

-Michael
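The mail names two GCC hardening features, "stack clash protection" and "CF protection", without showing how a tester can confirm that a build actually carries them. The script below is an added example and is not from the mail or from the IPFire build system: it compiles one object with GCC's own flags for both features (-fstack-clash-protection and -fcf-protection=full) and then reads the ELF .note.gnu.property section with binutils readelf to see whether the CET (IBT/SHSTK) property is present. It assumes an x86_64 host with gcc 8 or newer and readelf installed; the two readelf outputs embedded in it are constructed samples in readelf's output format, not captured from an IPFire binary.

```shell
#!/bin/sh
# Added example, not IPFire code: build with the hardening flags the mail
# mentions and verify the CET property from the object's ELF notes.
# Assumes gcc >= 8 and binutils readelf on an x86_64 host.

HARDEN_CFLAGS="-O2 -fstack-clash-protection -fcf-protection=full"

# Compile a single C file to an object file with the hardening flags.
build_hardened_object() {
    src="$1"; obj="$2"
    gcc $HARDEN_CFLAGS -c "$src" -o "$obj"
}

# Read `readelf -n` output on stdin and report which x86 CET features the
# GNU property note advertises: prints "ibt,shstk", "ibt", "shstk" or "none".
cet_status() {
    props=$(grep -o 'x86 feature: [A-Z, ]*' | head -n 1)
    ibt=no; shstk=no
    case "$props" in *IBT*)   ibt=yes ;;   esac
    case "$props" in *SHSTK*) shstk=yes ;; esac
    if [ "$ibt" = yes ] && [ "$shstk" = yes ]; then echo "ibt,shstk"
    elif [ "$ibt" = yes ];   then echo "ibt"
    elif [ "$shstk" = yes ]; then echo "shstk"
    else echo "none"; fi
}

# Constructed sample of readelf's note output for an object built with
# -fcf-protection=full (layout follows binutils; values are illustrative).
SAMPLE_CET_NOTE='Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000020       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
        x86 ISA needed: x86-64-baseline'

# Constructed sample for an object built without -fcf-protection.
SAMPLE_PLAIN_NOTE='Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 ISA needed: x86-64-baseline'

# Demonstration: classify the two constructed samples, then build and check a
# real object when an x86_64 toolchain is available on this machine.
demo() {
    printf 'sample CET note   -> %s\n' "$(printf '%s\n' "$SAMPLE_CET_NOTE" | cet_status)"
    printf 'sample plain note -> %s\n' "$(printf '%s\n' "$SAMPLE_PLAIN_NOTE" | cet_status)"
    case "$(uname -m)" in
        x86_64|amd64)
            if command -v gcc >/dev/null 2>&1 && command -v readelf >/dev/null 2>&1; then
                tmp=$(mktemp -d)
                printf 'int main(void) { return 0; }\n' > "$tmp/t.c"
                if build_hardened_object "$tmp/t.c" "$tmp/t.o"; then
                    printf 'built object      -> %s\n' "$(readelf -n "$tmp/t.o" | cet_status)"
                fi
                rm -rf "$tmp"
            fi ;;
    esac
}

demo
```

Two caveats for anyone using this on a distribution build rather than a single object: the linker keeps the IBT/SHSTK property in a linked executable only when every input object (including libc's start files) carries it, so a final binary can show "none" even though your own sources were compiled with -fcf-protection, which is why the example inspects the .o. Stack clash protection leaves no ELF marker at all; the only evidence that it was enabled is the compiler invocation itself, so check the build logs for -fstack-clash-protection rather than the binary.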