This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  7caecf45fbaab7f681d0aa3d5ea87ca660ff4f3d (commit)
       via  67261075a370b0baa62a25d11ba2773569020785 (commit)
       via  7ee2eec3a2fe6aedbdf3b0db952d6cb0fdc3dbce (commit)
      from  1f82d37eae1d938143600b8e8b194f773a2ab8d3 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 7caecf45fbaab7f681d0aa3d5ea87ca660ff4f3d
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Mon Jul 11 15:07:22 2022 +0000
linux: Give CONFIG_RANDOMIZE_BASE on aarch64 another try
Quoted from https://capsule8.com/blog/kernel-configuration-glossary/:
> Significance: Critical
>
> In support of Kernel Address Space Layout Randomization (KASLR) this randomizes
> the physical address at which the kernel image is decompressed and the virtual
> address where the kernel image is mapped as a security feature that deters
> exploit attempts relying on knowledge of the location of kernel code internals.
We tried to enable this back in 2020, and failed. Since then, things may have been improved, so let's give this low-hanging fruit another try.
Fixes: #12363
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>

commit 67261075a370b0baa62a25d11ba2773569020785
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Mon Aug 1 10:19:46 2022 +0000
Core Update 170: Ship vulnerabilities.cgi
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>

commit 7ee2eec3a2fe6aedbdf3b0db952d6cb0fdc3dbce
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Mon Aug 1 09:32:51 2022 +0000
vulnerabilities.cgi: Add Retbleed (CVE-2022-29900, CVE-2022-29901)
Please refer to https://comsec.ethz.ch/research/microarch/retbleed/ for further details on this vulnerability.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 config/kernel/kernel.config.aarch64-ipfire | 2 +-
 config/rootfiles/common/aarch64/linux      | 1 +
 config/rootfiles/core/170/filelists/files  | 1 +
 html/cgi-bin/vulnerabilities.cgi           | 1 +
 langs/de/cgi-bin/de.pl                     | 1 +
 langs/en/cgi-bin/en.pl                     | 1 +
 6 files changed, 6 insertions(+), 1 deletion(-)
Difference in files: diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 469884b20..9232335ff 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -471,7 +471,7 @@ CONFIG_ARM64_SVE=y CONFIG_ARM64_MODULE_PLTS=y # CONFIG_ARM64_PSEUDO_NMI is not set CONFIG_RELOCATABLE=y -# CONFIG_RANDOMIZE_BASE is not set +CONFIG_RANDOMIZE_BASE=y CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y CONFIG_STACKPROTECTOR_PER_TASK=y # end of Kernel Features diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux index 6de30d1a0..dbd6e8f2f 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux @@ -9427,6 +9427,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ #lib/modules/KVER-ipfire/build/include/config/RAID6_PQ_BENCHMARK #lib/modules/KVER-ipfire/build/include/config/RAID_ATTRS +#lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_BASE #lib/modules/KVER-ipfire/build/include/config/RANDOMIZE_KSTACK_OFFSET_DEFAULT #lib/modules/KVER-ipfire/build/include/config/RAS #lib/modules/KVER-ipfire/build/include/config/RASPBERRYPI_FIRMWARE diff --git a/config/rootfiles/core/170/filelists/files b/config/rootfiles/core/170/filelists/files index 458aba96f..2519119bb 100644 --- a/config/rootfiles/core/170/filelists/files +++ b/config/rootfiles/core/170/filelists/files @@ -6,6 +6,7 @@ srv/web/ipfire/cgi-bin/index.cgi srv/web/ipfire/cgi-bin/ipblocklist.cgi srv/web/ipfire/cgi-bin/pakfire.cgi srv/web/ipfire/cgi-bin/services.cgi +srv/web/ipfire/cgi-bin/vulnerabilities.cgi srv/web/ipfire/cgi-bin/logs.cgi/ids.dat srv/web/ipfire/cgi-bin/logs.cgi/ipblocklists.dat srv/web/ipfire/cgi-bin/logs.cgi/log.dat diff --git a/html/cgi-bin/vulnerabilities.cgi b/html/cgi-bin/vulnerabilities.cgi index 61b69210e..0edd127d7 100644 --- a/html/cgi-bin/vulnerabilities.cgi +++ b/html/cgi-bin/vulnerabilities.cgi 
@@ -35,6 +35,7 @@ my %VULNERABILITIES = ( "mds" => "$Lang::tr{'fallout zombieload ridl'} (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091)", "meltdown" => "$Lang::tr{'meltdown'} (CVE-2017-5754)", "mmio_stale_data" => "$Lang::tr{'mmio stale data'} (CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, CVE-2022-21166)", + "retbleed" => "$Lang::tr{'retbleed'} (CVE-2022-29900, CVE-2022-29901)", "spec_store_bypass" => "$Lang::tr{'spectre variant 4'} (CVE-2018-3639)", "spectre_v1" => "$Lang::tr{'spectre variant 1'} (CVE-2017-5753)", "spectre_v2" => "$Lang::tr{'spectre variant 2'} (CVE-2017-5715)", diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 6a5ce1117..d3b4c8687 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -2195,6 +2195,7 @@ 'restore defaults' => 'Voreinstellungen wiederherstellen', 'restore hardware settings' => 'Hardwareeinstellungen wiederherstellen', 'restore settings' => 'Einstellungen wiederherstellen', +'retbleed' => 'Retbleed', 'reverse sort' => 'In umgekehrter chronologischer Reihenfolge sortieren', 'root' => 'Root', 'root certificate' => 'Root-Zertifikat', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 73aa4d04a..36f97de38 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2250,6 +2250,7 @@ 'restore defaults' => 'Restore defaults', 'restore hardware settings' => 'Restore hardware settings', 'restore settings' => 'Reset Settings', +'retbleed' => 'Retbleed', 'reverse sort' => 'Sort in reverse chronological order', 'root' => 'Root', 'root certificate' => 'Root Certificate',
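Review bot: In config/kernel/kernel.config.aarch64-ipfire, the switch to CONFIG_RANDOMIZE_BASE=y comes with no record of why the 2020 attempt failed or which boards this build was boot-tested on; the commit message only says things may have improved. On arm64 the kernel randomizes its base only when the boot loader supplies entropy (a kaslr-seed property in the device tree's /chosen node, or EFI_RNG_PROTOCOL on UEFI boots), so on boards whose firmware provides neither, the option is compiled in but has no effect. Please name the tested hardware in the commit message, and check the boot log on the supported boards for "KASLR disabled due to lack of seed".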
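Review bot: In config/rootfiles/core/170/filelists/files, only srv/web/ipfire/cgi-bin/vulnerabilities.cgi is added, yet the CGI now interpolates $Lang::tr{'retbleed'}, a key that exists only once the updated langs/en and langs/de files are installed. The visible context of this hunk does not show whether the language files ship with Core Update 170; if they do not, the Retbleed row would be rendered without its name, showing only the CVE list. Please confirm the language files are part of this update or add them to the filelist.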
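Review bot: The new "retbleed" key in %VULNERABILITIES (html/cgi-bin/vulnerabilities.cgi) gets a translation entry in langs/de/cgi-bin/de.pl and langs/en/cgi-bin/en.pl only; the summary of changes lists no other language file. Please confirm that the remaining UI languages fall back to the English string for a missing key, or add 'retbleed' => 'Retbleed' to them as well, since the name is the same in every language.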
hooks/post-receive -- IPFire 2.x development tree