[MODERATED] Debian problem with Slow Randomizing Boosts DoS

[MODERATED] Debian problem with Slow Randomizing Boosts DoS

[Salvatore Bonaccorso]

Hi

A human error caused today that the changelog entry for the planned
4.9.210-1+deb9u1 upload in Debian covering the SRBDS mitigation
changes were for a short time leaked on
https://tracker.debian.org/linux (the message was sent as well to 56
subscribers for the tracker entry).

The leaked information covers the following changelog entries:

 linux (4.9.210-1+deb9u1) stretch-security; urgency=high
[...]
   * [x86] Add support for mitigation of Special Register Buffer Data Sampling
     (SRBDS) (CVE-2020-0543):
     - x86/cpu: Add 'table' argument to cpu_matches()
     - x86/speculation: Add Special Register Buffer Data Sampling (SRBDS)
       mitigation
     - x86/speculation: Add SRBDS vulnerability and mitigation documentation
     - x86/speculation: Add Ivy Bridge to affected list
   * [x86] speculation: Do not match steppings, to avoid an ABI change
[...]

The packages itself were not exposed. The NEWS entry on
https://tracker.debian.org/linux was removed.

On behalf I want to apologies for this mistake, and steps were taken
to avoid this in future.

Salvatore

[MODERATED] Re: Debian problem with Slow Randomizing Boosts DoS

[Stewart, David C]

Salvatore - thank you for the heads up. We made folks here at Intel aware. Thanks also for the process improvement.

Dave

On 6/8/20, 12:07 PM, "speck for Salvatore Bonaccorso" <speck@linutronix.de> wrote:

> A human error caused today that the changelog entry for the planned
> 4.9.210-1+deb9u1 upload in Debian covering the SRBDS mitigation
> changes were for a short time leaked on
> https://tracker.debian.org/linux (the message was sent as well to 56
> subscribers for the tracker entry).