-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, On Wed, 2018-08-22 at 19:36 +0200, Peter Müller wrote: > Hello, > > since yesterday Core Update 123 is running on one of my firewall systems. > After a reboot, I noticed average load has decreased a little bit (RAM > consumption stays the same). That should only be caused by the reboot itself... > Further, CPU frequency graphs are now working again (Thanks to Arne) and > show some flapping freqs between 1.2kHz and 2.0kHz for each core. Before > Core Update 121/122, idle frequencies were about 700MHz - not sure what > this means. > > IDS, squid proxy (with URL filter and upstream proxy enabled), fireinfo > and IPsec (N2N connections only) work fine. > > The OpenVPN WebUI page now displays a warning about a host certificate > being not compliant to RFC3280, saying all host and root certificates > should be replaced as soon as possible. This is probably related to > https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=400c8afd9841bed350c192099a34bc84f3a04535 . Yes. I asked Erik to add some documentation about it. > GeoIP database results in WebUI are now as expected. > > A check script for CPU vulnerabilities (Spectre, Meltdown, ...) claims > system is still vulnerable against CVE-2018-3640 (Spectre v3a), which > requires up-to-date µ-codes. The overall results do not differ from a > system running 121/122, which surprises me as new microcodes are shipped > with this update. It looks like we have to rollback the microcode update. Intel has changed the licensing terms in such a way that we won't be able (and no third party either) to provide any performance benchmarks. So if someone says on the forum that IPFire is "a little bit slower since the last update", that would violate that license. Testing the throughput of your firewall is a common thing to do and would probably not be possible anymore either. Basically, it isn't an option to ship this. Other distributions think the same. > > [root(a)firewall ~]# grep "." /sys/devices/system/cpu/vulnerabilities/* > > /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI > > /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Not affected > > /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization > > /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW > > Besides of the microcode issue, I did not notice any issues. Output of > "uname -a" is: > > > Linux firewall 4.14.50-ipfire #1 SMP Fri Jun 29 16:40:29 GMT 2018 x86_64 Intel(R) Celeron(R) CPU N3150 @ 1.60GHz GenuineIntel GNU/Linux > > Thanks, and best regards, > Peter Müller Best, - -Michael -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAlt+t/wACgkQgHnw/2+Q CQfHUw//Sx8APljvN3yr9omypRFjttHO1R3tMpUkCb7ZdCcQgdX2U07d2HxqWPhL J0RAFWA1BHUy7qs3Cz9nLqTO53NXyRgLmMQXNBj2dKagW1jv7OGV613pXYYSw+vQ QS8ggvxa8MpEGBU+pKGxUmW5e3b16OGjShAW9tdSXIanIs8GUHV+ywXZXy47H5cx 4lBi+lLIlSihPx//HYT2JQFDBnv+OUFgUstBvfrhK8kjW/4EeRrUhpD8dsrC9L/f ZqCyY8cRueacq+qDuvheKgEQxDY54Wd1I8rpwQxcRXKhi4lYHgKdRowOnYzUBl7z qlWcERF59cddKSvIKS7miGY9B8YRqX/wpS95FwkpZGNO529vk0tuN0DjUGbZGZGR qnyikLKwr+PFtfC+BJ3CyuTc4rE89qmLJyBKMs208P2xuQqm4f58deKUt91bCiG2 L9D6yWokmXf/rQIn8zbsiWw6ACO71cNb0ybz8uspgVYhEZJOH/rPK5py5I7IME3g +Wcr2N5k7OB34B2mdpA/NFCWxKuzakjY+aTKP6q40h7qOK5oc97umL0qJPaOsAJv yeYx3ikSBFRKw5dclVtF2HXZOjfZA/BIm8gH1MCyGuUtNBPhiRTAwANRtkI/1ZKN nidjVLrJGZv4l7gynarWoQ5Pgr0W7y/oNGPKoscpoBoaz2ddrmA= =tg4M -----END PGP SIGNATURE-----