An update on Meltdown and Spectre


  • Galactic Empire Netgate Administrator





  • Sweet!!  Meanwhile the hackers and the NSA are having a party!

    I agree it's a mess and hope this will get patched soon.



  • I actually wouldn't apply any of these patches to a pfsense running on hardware.  You risk performance and stability hits and I think pfsense isn't really at risk unless its running as a VM.  I'd only apply these patches to a machine hosting VMs.  I wouldn't even do that right now actually.  I'd wait for the chip makers to get their act together.



  • @https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html:

    The FreeBSD developers will likely wait a bit before starting the backport of these patches to both FreeBSD 11 and 10. Once these backports are available, snapshots including the fixes will only be available for pfSense® 2.4.x and amd64 architecture.

    Again, why is that?



  • @jahonix:

    @https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html:

    The FreeBSD developers will likely wait a bit before starting the backport of these patches to both FreeBSD 11 and 10. Once these backports are available, snapshots including the fixes will only be available for pfSense® 2.4.x and amd64 architecture.

    Again, why is that?

    First revision of patches from Intel were buggy and causing all sorts of fun. Once they have a stable fix that they are more or less happy with then the back-porting will start likely.



  • The sane thing to do is hold station I reckon

    A good security approach is always layered means you never need to rely on one particular mitigation, and mitigation's which are unstable or bad performing can then be skipped over.

    These mitigation's are not desirable with the performance and stability impacts been reported.



  • @Patrick_:

    First revision of patches from Intel were buggy …

    You didn't get it: why are patches not rolled out to the 2.3.x branch when available?
    Having security fixes applied to that branch until roughly end of 2018 was promised when support for 32-bit hardware ceased with the 2.4 branch.

    Sure I know the answer, I just want someone to officially reveal it.


  • Galactic Empire Netgate Administrator

    Are you repeating the question I already answered to you on a different thread? We can’t implement fixes we don’t have. We will have 64-bit fixes for pfSense 2.4.x but we don’t have anything yet for i386 and it's unclear when or if fixes will be available. You don't seem to understand the magnitude of these vulnerabilities.

    @jahonix:

    Sure I know the answer, I just want someone to officially reveal it.

    I am interested in learning what do you think the answer is.



  • Reading up a little I found this quote:

    "While 32-bit Linux users may be able to leverage grsecurity patches, x86 Windows users are currently left out in the cold since mitigating this issue on 32-bit systems is even more complex and costly, potentially eliminating the risk/benefit ratio."

    To me it sounds like it can be done and it is being done by some but perhaps some of the OS makers are thinking if it is worth doing or not.  I'd bet on BSD patching 32 bit OS.



  • @ivor:

    … I already answered to you on a different thread...

    We had this discussion earlier and you never gave an answer why the official announcement definitely says: "2.4.x branch and AMD64 only"
    It does NOT say: "2.4.x branch and AMD64 shortly, 2.3.x and 32-bit later when/if a fix is available"

    FreeBSD will backport the patches to FreeBSD 11 and 10 branches meaning they will be available sooner or later. According to JWT's announcement the last 32-bit pfSense 2.3.x will not get them, regardless of availability.

    @ivor:

    You don't seem to understand the magnitude of these vulnerabilities.

    Making uneducated assumptions never helps but roughens the sound of a conversation.
    I never affronted you personally, did I? As a netgate employee and an administrator of this forum you shouldn't either.

    @ivor:

    I am interested in learning what do you think the answer is.

    I will not forestall project lead.


  • Galactic Empire Netgate Administrator

    For the last time: we cannot make a statement on something we don't have enough info about. We cannot implement fixes we do not have.

    @jahonix:

    We had this discussion earlier and you never gave an answer why the official announcement definitely says: "2.4.x branch and AMD64 only"
    It does NOT say: "2.4.x branch and AMD64 shortly, 2.3.x and 32-bit later when/if a fix is available"

    You're pulling that single line out of context to prove what ever you are attempting to prove. Blog post talks about variant 3, based on information we had at the time. I really don't understand where you're going with this. Did you read the discussion about this?

    @jahonix:

    FreeBSD will backport the patches to FreeBSD 11 and 10 branches meaning they will be available sooner or later. According to JWT's announcement the last 32-bit pfSense 2.3.x will not get them, regardless of availability.

    Actually, chances are it won't be backported by FreeBSD. But i we don't know yet.

    @jahonix:

    Making uneducated assumptions never helps but roughens the sound of a conversation.
    I never affronted you personally, did I? As a netgate employee and an administrator of this forum you shouldn't either.

    No, you really do not understand how troublesome these issues are. I didn't offend you but you sure did engage in twisting my words and nitpicking to prove what ever you are attempting to prove.

    @jahonix:

    I will not forestall project lead.

    Fine, but please leave speculation out of this forum. We will do what we promised if possible. We can't implement fixes we don't have.



  • Kejianshi reply #3 above (24 Jan) is enough to give me the comfort I seek from this forum.

    I believe nobody is allowed access to my device : webGUI, console, SSH, physical, other. All closed. Thanks kejianshi.



  • No problem.  Glad you aren't panicked.



  • Any timeline for when a patch may be coming out?


  • Galactic Empire Netgate Administrator

    Follow our Twitter account for progress updates. This is from yesterday https://twitter.com/pfsense/status/966385843568078848



  • FreeBSD implemented a Meltdown and Spectre patch into FreeBSD 11 stable as far as I know on 17 February 2018:

    https://svnweb.freebsd.org/base?view=revision&revision=329462

    Will there be a 2.4.2-release-p2 soon to implent the patches soon?
    Or do we have to wait for 2.4.3?

    Edit: Oh sorry, I did not see the post above. So we have to wait for 2.4.3, hope it will be released soon.



  • I am not panicking.

    I dont run a web browser on my unit, and I dont give public users access to my unit either, it has no WAN entry allowed at all.

    People need to remember these "potential" exploits dont have super powers, they dont bypass other barriers.  So yes I do think meltdown and spectre have had excessive public attention compared to other exploits.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy