Linux 4.15 arrives in Debian SID

Linux kernel 4.15, carrying the full set of Meltdown and Spectre mitigations for the Intel flaws, has just landed in Debian Unstable.
Details in this article.

Meltdown and Spectre


The Register reported that every computer built since 1995 with an Intel processor suffers from serious vulnerabilities that let unauthorized parties read areas of a user's machine that should be accessible to no one, least of all strangers. Through the flaw, any program is able to read (and leak) protected contents. The flaws themselves live in the processor's speculative execution, not in the operating system, but the practical defence has to be built into the kernel, the core of the operating system that connects applications to the processor, memory and other hardware. That is why a kernel update is the fix you install.
Source: The Register

Linux 4.15

Security

Linux 4.15 ships the Meltdown and Spectre mitigations: kernel page-table isolation (PTI/KPTI) against Meltdown on x86-64 and arm64, pointer masking and speculation barriers (array_index_nospec) against Spectre variant 1, and retpolines plus the IBPB/IBRS speculation-control support against Spectre variant 2. All of these appear in the 4.15.x stable updates listed in the changelog below. Which of them is actually active on a given machine depends on the CPU and its microcode, so check /sys/devices/system/cpu/vulnerabilities/ after booting the new kernel rather than assuming full coverage.



What's new


And there is much more; see the changelog below.


linux (4.15.4-1) unstable; urgency=medium

* New upstream release: https://kernelnewbies.org/Linux_4.15
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.1
- Bluetooth: hci_serdev: Init hci_uart proto_lock to avoid oops
- tools/gpio: Fix build error with musl libc
- gpio: stmpe: i2c transfer are forbiden in atomic context
- gpio: Fix kernel stack leak to userspace
- scsi: storvsc: missing error code in storvsc_probe()
- staging: lustre: separate a connection destroy from free struct kib_conn
- staging: ccree: NULLify backup_info when unused
- staging: ccree: fix fips event irq handling build
- usb: option: Add support for FS040U modem
- serial: 8250_dw: Revert "Improve clock rate setting"
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.2
- [x86] KVM: Make indirect calls in emulator speculation safe
- [x86] KVM: VMX: Make indirect call speculation safe
- module/retpoline: Warn about missing retpoline in module
- [x86] cpufeatures: Add CPUID_7_EDX CPUID leaf
- [x86] cpufeatures: Add Intel feature bits for Speculation Control
- [x86] cpufeatures: Add AMD feature bits for Speculation Control
- [x86] msr: Add definitions for new speculation control MSRs
- [x86] pti: Do not enable PTI on CPUs which are not vulnerable to
Meltdown
- [x86] cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2
microcodes
- [x86] speculation: Add basic IBPB (Indirect Branch Prediction Barrier)
support
- [x86] alternative: Print unadorned pointers
- [x86] nospec: Fix header guards names
- [x86] bugs: Drop one "mitigation" from dmesg
- [x86] cpu/bugs: Make retpoline module warning conditional
- [x86] cpufeatures: Clean up Spectre v2 related CPUID flags
- [x86] retpoline: Simplify vmexit_fill_RSB()
- [x86] speculation: Simplify indirect_branch_prediction_barrier()
- [x86] KVM: nVMX: Eliminate vmcs02 pool
- [x86] KVM: VMX: introduce alloc_loaded_vmcs
- objtool: Improve retpoline alternative handling
- objtool: Add support for alternatives at the end of a section
- objtool: Warn on stripped section symbol
- [x86] mm: Fix overlap of i386 CPU_ENTRY_AREA with FIX_BTMAP
- [x86] spectre: Check CONFIG_RETPOLINE in command line parser
- [x86] entry/64: Remove the SYSCALL64 fast path
- [x86] entry/64: Push extra regs right away
- [x86] asm: Move 'status' from thread_struct to thread_info
- Documentation: Document array_index_nospec
- array_index_nospec: Sanitize speculative array de-references
- [x86] Implement array_index_mask_nospec
- [x86] Introduce barrier_nospec
- [x86] Introduce __uaccess_begin_nospec() and uaccess_try_nospec
- [x86] usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
- [x86] uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
- [x86] get_user: Use pointer masking to limit speculation
- [x86] syscall: Sanitize syscall table de-references under speculation
- vfs, fdtable: Prevent bounds-check bypass via speculative execution
- nl80211: Sanitize array index in parse_txq_params
- [x86] spectre: Report get_user mitigation for spectre_v1
- [x86] spectre: Fix spelling mistake: "vunerable"-> "vulnerable"
- [x86] cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel
- [x86] speculation: Use Indirect Branch Prediction Barrier in context
switch
- [x86] paravirt: Remove 'noreplace-paravirt' cmdline option
- [x86] KVM: VMX: make MSR bitmaps per-VCPU
- [x86] kvm: Update spectre-v1 mitigation
- [x86] retpoline: Avoid retpolines for built-in __init functions
- [x86] spectre: Simplify spectre_v2 command line parsing
- [x86] pti: Mark constant arrays as __initconst
- [x86] speculation: Fix typo IBRS_ATT, which should be IBRS_ALL
- [x86] KVM: Update the reverse_cpuid list to include CPUID_7_EDX
- [x86] KVM: Add IBPB support
- [x86] KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES
- [x86] KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL
- [x86] KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL
- serial: core: mark port as initialized after successful IRQ change
- fpga: region: release of_parse_phandle nodes after use
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.3
- ip6mr: fix stale iterator
- net: igmp: add a missing rcu locking section
- qlcnic: fix deadlock bug
- qmi_wwan: Add support for Quectel EP06
- r8169: fix RTL8168EP take too long to complete driver initialization.
- tcp: release sk_frag.page in tcp_disconnect
- vhost_net: stop device during reset owner
- ipv6: addrconf: break critical section in addrconf_verify_rtnl()
- ipv6: change route cache aging logic
- Revert "defer call to mem_cgroup_sk_alloc()"
- net: ipv6: send unsolicited NA after DAD
- rocker: fix possible null pointer dereference in
rocker_router_fib_event_work
- tcp_bbr: fix pacing_gain to always be unity when using lt_bw
- cls_u32: add missing RCU annotation.
- ipv6: Fix SO_REUSEPORT UDP socket with implicit sk_ipv6only
- soreuseport: fix mem leak in reuseport_add_sock()
- net_sched: get rid of rcu_barrier() in tcf_block_put_ext()
- net: sched: fix use-after-free in tcf_block_put_ext
- crypto: tcrypt - fix S/G table for test_aead_speed()
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.4
- cifs: Fix missing put_xid in cifs_file_strict_mmap
- cifs: Fix autonegotiate security settings mismatch
- CIFS: zero sensitive data when freeing
- cpufreq: mediatek: add mediatek related projects into blacklist
- [arm64] watchdog: gpio_wdt: set WDOG_HW_RUNNING in gpio_wdt_stop
- Revert "drm/i915: mark all device info struct with __initconst"
- sched/rt: Use container_of() to get root domain in
rto_push_irq_work_func()
- sched/rt: Up the root domain ref count when passing it around via IPIs
- [arm64] mm: Use non-global mappings for kernel space
- [arm64] mm: Temporarily disable ARM64_SW_TTBR0_PAN
- [arm64] mm: Move ASID from TTBR0 to TTBR1
- [arm64] mm: Remove pre_ttbr0_update_workaround for Falkor erratum #E1003
- [arm64] mm: Rename post_ttbr0_update_workaround
- [arm64] mm: Fix and re-enable ARM64_SW_TTBR0_PAN
- [arm64] mm: Allocate ASIDs in pairs
- [arm64] mm: Add arm64_kernel_unmapped_at_el0 helper
- [arm64] mm: Invalidate both kernel and user ASIDs when performing TLBI
- [arm64] entry: Add exception trampoline page for exceptions from EL0
- [arm64] mm: Map entry trampoline into trampoline and kernel page tables
- [arm64] entry: Explicitly pass exception level to kernel_ventry macro
- [arm64] entry: Hook up entry trampoline to exception vectors
- [arm64] erratum: Work around Falkor erratum #E1003 in trampoline code
- [arm64] cpu_errata: Add Kryo to Falkor 1003 errata
- [arm64] tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks
- [arm64] entry: Add fake CPU feature for unmapping the kernel at EL0
- [arm64] kaslr: Put kernel vectors address in separate data page
- [arm64] use RET instruction for exiting the trampoline
- [arm64] Kconfig: Add CONFIG_UNMAP_KERNEL_AT_EL0
- [arm64] Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry
- [arm64] Take into account ID_AA64PFR0_EL1.CSV3
- [arm64] capabilities: Handle duplicate entries for a capability
- [arm64] mm: Introduce TTBR_ASID_MASK for getting at the ASID in the TTBR
- [arm64] kpti: Fix the interaction between ASID switching and software PAN
- [arm64] cputype: Add MIDR values for Cavium ThunderX2 CPUs
- [arm64] Turn on KPTI only on CPUs that need it
- [arm64] kpti: Make use of nG dependent on arm64_kernel_unmapped_at_el0()
- [arm64] mm: Permit transitioning from Global to Non-Global without BBM
- [arm64] kpti: Add ->enable callback to remap swapper using nG mappings
- [arm64] Force KPTI to be disabled on Cavium ThunderX
- [arm64] entry: Reword comment about post_ttbr_update_workaround
- [arm64] idmap: Use "awx" flags for .idmap.text .pushsection directives
- [arm64] barrier: Add CSDB macros to control data-value prediction
- [arm64] Implement array_index_mask_nospec()
- [arm64] Make USER_DS an inclusive limit
- [arm64] Use pointer masking to limit uaccess speculation
- [arm64] entry: Ensure branch through syscall table is bounded under
speculation
- [arm64] uaccess: Prevent speculative use of the current addr_limit
- [arm64] uaccess: Don't bother eliding access_ok checks in __{get,
put}_user
- [arm64] uaccess: Mask __user pointers for __arch_{clear, copy_*}_user
- [arm64] futex: Mask __user pointers prior to dereference
- [arm64] cpufeature: __this_cpu_has_cap() shouldn't stop early
- [arm64] Run enable method for errata work arounds on late CPUs
- [arm64] cpufeature: Pass capability structure to ->enable callback
- drivers/firmware: Expose psci_get_version through psci_ops structure
- [arm64] Move post_ttbr_update_workaround to C code
- [arm64] Add skeleton to harden the branch predictor against aliasing
attacks
- [arm64] Move BP hardening to check_and_switch_context
- [arm64] KVM: Use per-CPU vector when BP hardening is enabled
- [arm64] entry: Apply BP hardening for high-priority synchronous
exceptions
- [arm64] entry: Apply BP hardening for suspicious interrupts from EL0
- [arm64] cputype: Add missing MIDR values for Cortex-A72 and Cortex-A75
- [arm64] Implement branch predictor hardening for affected Cortex-A CPUs
- [arm64] Implement branch predictor hardening for Falkor
- [arm64] Branch predictor hardening for Cavium ThunderX2
- [arm64] KVM: Increment PC after handling an SMC trap
- [armhf,arm64] KVM: Consolidate the PSCI include files
- [armhf,arm64] KVM: Add PSCI_VERSION helper
- [armhf,arm64] KVM: Add smccc accessors to PSCI code
- [armhf,arm64] KVM: Implement PSCI 1.0 support
- [armhf,arm64] KVM: Advertise SMCCC v1.1
- [arm64] KVM: Make PSCI_VERSION a fast path
- [armhf,arm64] KVM: Turn kvm_psci_version into a static inline
- [arm64] KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support
- [arm64] KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling
- firmware/psci: Expose PSCI conduit
- firmware/psci: Expose SMCCC version through psci_ops
- arm/arm64: smccc: Make function identifiers an unsigned quantity
- arm/arm64: smccc: Implement SMCCC v1.1 inline primitive
- [arm64] Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support
- [arm64] Kill PSCI_GET_VERSION as a variant-2 workaround
- mtd: cfi: convert inline functions to macros
- mtd: nand: brcmnand: Disable prefetch by default
- mtd: nand: Fix nand_do_read_oob() return value
- mtd: nand: sunxi: Fix ECC strength choice
- ubi: Fix race condition between ubi volume creation and udev
- ubi: fastmap: Erase outdated anchor PEBs during attach
- ubi: block: Fix locking for idr_alloc/idr_remove
- ubifs: free the encrypted symlink target
- nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds
- nfs41: do not return ENOMEM on LAYOUTUNAVAILABLE
- NFS: Add a cond_resched() to nfs_commit_release_pages()
- NFS: Fix nfsstat breakage due to LOOKUPP
- NFS: commit direct writes even if they fail partially
- NFS: reject request for id_legacy key without auxdata
- NFS: Fix a race between mmap() and O_DIRECT
- nfsd: Detect unhashed stids in nfsd4_verify_open_stid()
- kernfs: fix regression in kernfs_fop_write caused by wrong type
- ahci: Annotate PCI ids for mobile Intel chipsets as such
- ahci: Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI
- ahci: Add Intel Cannon Lake PCH-H PCI ID
- crypto: hash - introduce crypto_hash_alg_has_setkey()
- crypto: cryptd - pass through absence of ->setkey()
- crypto: mcryptd - pass through absence of ->setkey()
- crypto: poly1305 - remove ->setkey() method
- crypto: hash - annotate algorithms taking optional key
- crypto: hash - prevent using keyed hashes without setting key
- media: v4l2-ioctl.c: use check_fmt for enum/g/s/try_fmt
- media: v4l2-ioctl.c: don't copy back the result for -ENOTTY
- media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF
- media: v4l2-compat-ioctl32.c: fix the indentation
- media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32
- media: v4l2-compat-ioctl32.c: avoid sizeof(type)
- media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32
- media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer
- media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32
- media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type
- media: v4l2-compat-ioctl32.c: don't copy back the result for certain errors
- media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic
- media: v4l2-compat-ioctl32.c: make ctrl_is_pointer work for subdevs
- crypto: caam - fix endless loop when DECO acquire fails
- crypto: sha512-mb - initialize pending lengths correctly
- crypto: talitos - fix Kernel Oops on hashing an empty file
- [armhf,arm64] KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
- [x86] KVM: nVMX: Fix races when sending nested PI while dest
enters/leaves L2
- [x86] KVM: nVMX: Fix bug of injecting L2 exception into L1
- [powerpc*] KVM: PPC: Book3S HV: Make sure we don't re-enter guest
without XIVE loaded
- [powerpc*] KVM: PPC: Book3S HV: Drop locks before reading guest memory
- [armhf,arm64] KVM: Handle CPU_PM_ENTER_FAILED
- [powerpc*] KVM: PPC: Book3S PR: Fix broken select due to misspelling
- watchdog: imx2_wdt: restore previous timeout after suspend+resume
- afs: Add missing afs_put_cell()
- afs: Need to clear responded flag in addr cursor
- afs: Fix missing cursor clearance
- afs: Fix server list handling
- btrfs: Handle btrfs_set_extent_delalloc failure in fixup worker
- Btrfs: raid56: iterate raid56 internal bio with bio_for_each_segment_all
- kasan: don't emit builtin calls when sanitization is off
- kasan: rework Kconfig settings
- media: dvb_frontend: be sure to init dvb_frontend_handle_ioctl() return
code
- media: dvb-frontends: fix i2c access helpers for KASAN
- media: dt-bindings/media/cec-gpio.txt: mention the CEC/HPD max voltages
- media: ts2020: avoid integer overflows on 32 bit machines
- media: vivid: fix module load error when enabling fb and no_error_inj=1
- media: cxusb, dib0700: ignore XC2028_I2C_FLUSH
- fs/proc/kcore.c: use probe_kernel_read() instead of memcpy()
- kernel/async.c: revert "async: simplify lowest_in_progress()"
- kernel/relay.c: revert "kernel/relay.c: fix potential memory leak"
- pipe: actually allow root to exceed the pipe buffer limits
- pipe: fix off-by-one error when checking buffer limits
- HID: quirks: Fix keyboard + touchpad on Toshiba Click Mini not working
- Bluetooth: btsdio: Do not bind to non-removable BCM43341
- Revert "Bluetooth: btusb: fix QCA Rome suspend/resume"
- Bluetooth: btusb: Restore QCA Rome suspend/resume fix with a "rewritten"
version
- ipmi: use dynamic memory for DMI driver override
- signal/openrisc: Fix do_unaligned_access to send the proper signal
- signal/sh: Ensure si_signo is initialized in do_divide_error
- alpha: fix crash if pthread_create races with signal delivery
- alpha: osf_sys.c: fix put_tv32 regression
- alpha: Fix mixed up args in EXC macro in futex operations
- alpha: fix reboot on Avanti platform
- alpha: fix formating of stack content
- xtensa: fix futex_atomic_cmpxchg_inatomic
- EDAC, octeon: Fix an uninitialized variable warning
- genirq: Make legacy autoprobing work again
- pinctrl: intel: Initialize GPIO properly when used through irqchip
- pinctrl: mcp23s08: fix irq setup order
- pinctrl: sx150x: Unregister the pinctrl on release
- pinctrl: sx150x: Register pinctrl before adding the gpiochip
- pinctrl: sx150x: Add a static gpio/pinctrl pin range mapping
- pktcdvd: Fix pkt_setup_dev() error path
- pktcdvd: Fix a recently introduced NULL pointer dereference
- blk-mq: quiesce queue before freeing queue
- clocksource/drivers/stm32: Fix kernel panic with multiple timers
- lib/ubsan.c: s/missaligned/misaligned/
- lib/ubsan: add type mismatch handler for new GCC/Clang
- objtool: Fix switch-table detection
- [arm64] dts: marvell: add Ethernet aliases
- drm/i915: Avoid PPS HW/SW state mismatch due to rounding
- ACPI: sbshc: remove raw pointer from printk() message (CVE-2018-5750)
- acpi, nfit: fix register dimm error handling
- ovl: force r/o mount when index dir creation fails
- ovl: fix failure to fsync lower dir
- ovl: take mnt_want_write() for work/index dir setup
- ovl: take mnt_want_write() for removing impure xattr
- ovl: hash directory inodes for fsnotify
- devpts: fix error handling in devpts_mntget()
- ftrace: Remove incorrect setting of glob search field
- scsi: core: Ensure that the SCSI error handler gets woken up
- scsi: lpfc: Fix crash after bad bar setup on driver attachment
- scsi: cxlflash: Reset command ioasc
- rcu: Export init_rcu_head() and destroy_rcu_head() to GPL modules

[ Bastian Blank ]
* Add cloud-amd64 kernel flavour.
- Support Microsoft Azure.
- Support Amazon EC2.
- Support Google Compute Engine.
* Enable NUMA_BALANCING_DEFAULT_ENABLED, enabled by all others.
* Enable INET_ESP_OFFLOAD, INET6_ESP_OFFLOAD, IPV6_SEG6_LWTUNNEL,
IPV6_SEG6_HMAC, NF_LOG_NETDEV, IP_SET_HASH_IPMAC, NET_ACT_SAMPLE,
IPVTAP, VIRTIO_MMIO, CRYPTO_RSA, CRYPTO_DH, CRYPTO_ECDH.
* x86: Enable SCHED_MC_PRIO, HYPERV_VSOCKETS.
* Enable NVME_MULTIPATH, NVME_FC, NVME_TARGET_FC, move nvme module into
scsi-modules installer udeb.
* Switch to SLUB as kernel allocator. (Closes: #862718)
- Enable SLUB_DEBUG, SLAB_FREELIST_HARDENED except on armel/marvell.
(Closes: #883069)
* Fix building of liblockdep.

[ Uwe Kleine-König ]
* [arm64] enable I2C_PXA for espressobin (Closes: #886983)

[ Ben Hutchings ]
* Enable CGROUP_BPF (except for armel) (Closes: #872560)
* usb: Enable USBIP_CORE, USBIP_VHCI_HCD, USBIP_HOST, USBIP_VUDC as
modules on all architectures (Closes: #888042)
* [x86] Rewrite "Make x32 syscall support conditional on a kernel parameter"
to use a static key

[ Salvatore Bonaccorso ]
* (Temporarily) disable armel kernel image build.
The armel/marvell kernel size is growing too large and the compressed
image is over the limit.
Given the armel architecture will most likely not be part of Buster,
disable the image build.
Cf. https://lists.debian.org/debian-kernel/2018/01/msg00278.html
* Set ABI to 1

-- Salvatore Bonaccorso Sun, 18 Feb 2018 09:36:49 +0100



Debian


For now this version of Linux is only available in Unstable; it will reach the other suites as it migrates (testing first, through the normal migration; stable users would only get it through backports).



Installation



If you use the unstable repository, just install the new kernel with the commands below. The binary package names carry the ABI number 1 that this upload sets (see "Set ABI to 1" in the changelog), so they are linux-image-4.15.0-1-* and linux-headers-4.15.0-1-*. Installing the metapackages linux-image-amd64 and linux-headers-amd64 (or linux-image-686 / linux-image-686-pae on i386) instead tracks future ABI bumps automatically.

For amd64 (64-bit) systems, run the command below in a terminal:

sudo apt install linux-image-4.15.0-1-amd64 linux-headers-4.15.0-1-amd64

For i386 (32-bit) systems, run the command below in a terminal:

sudo apt install linux-image-4.15.0-1-686 linux-headers-4.15.0-1-686

Note that the 686 flavour has no PAE; a machine with more than 4 GB of RAM, or that needs the NX bit, wants the 686-pae flavour instead. Also, at 4.15 the Meltdown mitigation (page-table isolation) exists only for 64-bit x86 and arm64: a 32-bit x86 kernel of this version still reports Meltdown as vulnerable.

Once the installation is done, reboot the machine to load the new kernel. After the reboot, confirm what is actually active by reading /sys/devices/system/cpu/vulnerabilities/, which Linux 4.15 introduces. The Spectre v2 hardware mitigations (IBPB/IBRS) also depend on updated CPU microcode, which Debian ships as the intel-microcode and amd64-microcode packages in non-free; without it the kernel falls back to whatever retpoline support it was built with.
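The post-reboot check described above, as an added example that is not part of the original post or of the Debian kernel package: a small POSIX shell script that confirms the running kernel is at least 4.15 and then reads every file in /sys/devices/system/cpu/vulnerabilities/, flagging any entry that still says "Vulnerable". The directory path is the real one Linux 4.15 exposes; the mitigation strings used in comments are illustrative, and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): verify the new kernel and its
# Meltdown/Spectre mitigation status after rebooting into Linux 4.15.

# kernel_version_ge RUNNING REQUIRED
# Returns 0 if RUNNING (e.g. "4.15.0-1-amd64", as printed by `uname -r`) is at
# least REQUIRED, given as "major.minor"; returns 1 otherwise.
kernel_version_ge() {
  have_major=${1%%.*}
  rest=${1#*.}
  have_minor=${rest%%.*}
  have_minor=${have_minor%%-*}
  want_major=${2%%.*}
  want_minor=${2#*.}
  if [ "$have_major" -gt "$want_major" ]; then
    return 0
  fi
  if [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then
    return 0
  fi
  return 1
}

# mitigation_status DIR
# Reads each file in DIR (normally /sys/devices/system/cpu/vulnerabilities) and
# prints one line per vulnerability. Returns 0 only if every entry reads
# "Not affected" or "Mitigation: ..."; any other text (e.g. "Vulnerable: Minimal
# generic ASM retpoline", which means the kernel was built without a
# retpoline-aware compiler) makes it return 1.
mitigation_status() {
  dir=$1
  bad=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    status=$(cat "$f")
    case $status in
      "Not affected"|Mitigation:*)
        printf '%-12s OK         %s\n' "$name" "$status" ;;
      *)
        printf '%-12s VULNERABLE %s\n' "$name" "$status"
        bad=1 ;;
    esac
  done
  return $bad
}

# check_system DIR
# Runs both checks against the live system. Returns 0 when the running kernel
# is at least 4.15 and no vulnerability file reports anything but a mitigation.
check_system() {
  running=$(uname -r)
  if ! kernel_version_ge "$running" 4.15; then
    echo "Running kernel $running is older than 4.15; reboot into the new kernel first."
    return 1
  fi
  echo "Running kernel: $running"
  mitigation_status "$1"
}

# Run against the real sysfs tree only when asked to, so the functions can
# also be sourced and reused.
if [ "${1:-}" = "--live" ]; then
  check_system /sys/devices/system/cpu/vulnerabilities
fi
```

Usage on the freshly booted machine is `sh check-mitigations.sh --live` (any file name works; the argument is just this script's own switch). An exit status of 1 with a VULNERABLE line for spectre_v2 usually means the microcode package is missing or the kernel was built without retpolines; a VULNERABLE meltdown line on a 32-bit kernel is expected at this version, as noted above.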
