search for: spectre

Appears some change between 2.2.6 and 2.2.7 altered the response codes for LMTP user verification probes. Dovecot 2.2.6: Nov 2 15:50:48 spectre postfix/qmgr[627]: 3dBjr80wMgz1s: from=<double-bounce at spectre.leuxner.net>, size=271, nrcpt=1 (queue active) Nov 2 15:50:48 spectre postfix/cleanup[6226]: 3dBjr80xbYz1w: message-id=<20131102145047.2D3C6824147 at sam.dfn-cert.de> Nov 2 15:50:48 spectre postfix/lmtp[6228]: 3dBjr80wMg...

Hi, some change between ff5c341f8838 and f30437ed63dc seems to have broken auth: => Bad Login Mar 23 09:01:46 spectre dovecot: master: Dovecot v2.1.3 (f30437ed63dc) starting up [...] Mar 23 10:25:44 spectre dovecot: auth: Debug: auth client connected (pid=7266) Mar 23 10:25:45 spectre dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=188.138.0.199#011rip=80.187.102.243#011lport=...

On 6 February 2018 at 20:09, David Newall <openssh at davidnewall.com> wrote: > Do we need to do anything? It's not clear to me how SSH is vulnerable to > Spectre -- that is, how SSH can be used to execute a Spectre attack? I am more concerned with it being the target of a Spectre style attack. There's some long lived private data (host keys in the case of sshd, session keys in the case of ssh and sshd and user keys in the case of ssh-agent) and there&...

Since updating to the latest HG these errors occur. Nothing else changed in the config: $ dovecot --version 2.2.beta1 (62a930eb22b5) ==> /var/log/dovecot/dovecot.log <== Feb 18 09:47:32 spectre dovecot: lmtp(14340): Connect from local Feb 18 09:47:32 spectre dovecot: lmtp(14340, tlx at leuxner.net): Error: mkdir_parents(/var/vmail/domains/leuxner.net/tlx/mdbox) failed: File exists Feb 18 09:47:32 spectre dovecot: lmtp(14340, tlx at leuxner.net): Error: mkdir_parents(/var/vmail/domains/leu...

Hi. Both GCC and clang are adding mitigations for Spectre variant 2 although neither have yet made a release and neither are on by default. After trolling through and building release candidate branches for both I believe this is what is required for the ssh programs (although all the dependent libraries will also need to be built with mitigations, and I...

Suppose this one breaks it: http://hg.dovecot.org/dovecot-2.2/rev/c4a85c9df948 ==> /var/log/mail.log <== Jun 1 14:01:30 spectre postfix/lmtp[456]: 3bN0qP5kwFzSy: to=<tlx at leuxner.net>, relay=spectre.leuxner.net[private/dovecot-lmtp], delay=1481, delays=1481/0/0.01/0.01, dsn=4.3.0, status=deferred (host spectre.leuxner.net[private/dovecot-lmtp] said: 451 4.3.0 <tlx at leuxner.net> Temporary internal error (in r...

...; for testing today: # dsync convert -u user at domain mdbox:~/mdbox Set mail location to mdbox in 'mail.conf' and restarted server: mail_location = mdbox:~/mdbox Dovecot panicked instantly upon login with different clients. Tried to disable several plugins to no avail: Feb 28 14:43:02 spectre dovecot: imap(user at domain): Panic: file mailbox-list-fs.c: line 170 (fs_list_get_path): assertion failed: (mailbox_list_is_valid_pattern(_list, name)) Feb 28 14:43:02 spectre dovecot: imap(user at domain): Raw backtrace: /usr/lib/dovecot/libdovecot.so.0 [0x7f0a0d891e72] -> /usr/lib/dovecot/li...

Hi all! I'm running an up-to-date Centos-7 on an AMD Vishera 6300, 6 core CPU. I note that when I run the redhat script to test for spectre & meltdown I get this result for variant 2: Variant #2 (Spectre): Vulnerable CVE-2017-5715 - speculative execution branch target injection - Kernel with mitigation patches: OK - HW support / updated microcode: NO - IBRS: Not disabled on kernel commandline - IBPB: Not disabled on ke...

Let me say this is a rather cosmetic issue, but it appears with the latest commits (around 2.2.5 release) the scheme of 'Received' headers has changed for LMTP: 1) Inet socket: Return-Path: <dfn-adv-bounces at dfn-cert.de> Delivered-To: <tlx at leuxner.net> Received: from spectre.leuxner.net ([188.138.0.199]) by spectre.leuxner.net (Dovecot) with LMTP id 8AkXDF5cA1LvDgAAZ53dLw for <tlx at leuxner.net>; Thu, 08 Aug 2013 10:52:46 +0200 2) UNIX socket: Return-Path: <dfn-adv-bounces at dfn-cert.de> Delivered-To: <tlx at leuxner.net> Received: from spectre.l...

Hi All, Over the last few weeks I have been developing an LLVM Utility pass to check a program at the IR level for Spectre variant 1 (bounds check bypass) vulnerabilities. The pass was initially developed for internal use. However, as it has proved to be useful we have decided to share it with the LLVM community. The pass currently must be enabled with -mllvm -enable-sceptre. When it finds a vulnerability it outpu...

...nd all its derivatives. I asked CentOS community because that's the community I'm member of. Not to say that CentOS is not secure or anything like that. Anyway, I'm stuck with a few 32bit systems exposed to customers and I have to come up with an answer to their question about meltdown/spectre. At this point all I can say is that Red Hat hasn't patched 32bit systems but that is hard to believe so I assumed that I'm wrong and decided to ask the community. Thank you, -- Peter On Fri, Mar 9, 2018 at 7:52 AM, Johnny Hughes <johnny at centos.org> wrote: > I have built al...

Hi, We don't normally do X.Y.2 releases, but there has been some interest in getting a 5.0.2 release out with the Spectre mitigations included, so I am proposing the following schedule for a 5.0.2 release: LLVM 5.0.2 -rc1 Mon Mar 19 -final Mon Mar 26 To keep things easy for testers, 5.0.2 will be for Spectre related fixes only and won't be opened up for general bugs. And here is the schedule for 6.0.1:...

I have a clean install, fully updated CentOS 6 32-bit. When I run the Red Hat detection script: https://access.redhat.com/sites/default/files/spectre-meltdown--a79614b.sh it finds that the system is vulnerable. Is this false positive or there is no patches for CentOS 6 32-bit systems? Thank you, -- Peter

By now, we're sure most everyone have heard of the Meltdown and Spectre attacks. If not, head over to https://meltdownattack.com/ and get an overview. Additional technical details are available from Google Project Zero. https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html The FreeBSD Security Team was notified of the issue in late De...

By now, we're sure most everyone have heard of the Meltdown and Spectre attacks. If not, head over to https://meltdownattack.com/ and get an overview. Additional technical details are available from Google Project Zero. https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html The FreeBSD Security Team was notified of the issue in late De...

What are the patches that I can download and install to be protected against the Meltdown and Spectre security vulnerabilities? ===BEGIN SIGNATURE=== Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 30 Oct 2017 [1] https://tdtemcerts.wordpress.com/ [2] http://tdtemcerts.blogspot.sg/ [3] https://www.scribd.com/user/270125049/Teo-En-Ming ===END SIGNATURE===

On 16/03/18 18:24, Fred Smith wrote: > Hi all! > > I'm running an up-to-date Centos-7 on an AMD Vishera 6300, 6 core CPU. > What kernel are you running (uname -r)? > I note that when I run the redhat script to test for spectre & meltdown > I get this result for variant 2: > > Variant #2 (Spectre): Vulnerable > CVE-2017-5715 - speculative execution branch target injection > - Kernel with mitigation patches: OK > - HW support / updated microcode: NO > - IBRS: Not disabled on kernel com...

Hi, unfortunately no core was dumped. Let me know if you need more info to debug. ==> /var/log/dovecot.log <== Mar 27 08:13:38 spectre dovecot: lmtp(8362): Connect from local Mar 27 08:13:38 spectre dovecot: lmtp(8362): Panic: file settings-parser.c: line 1501 (settings_link_get_new): assertion failed: (diff + sizeof(*old_link->array) <= old_link->parent->info->struct_size) Mar 27 08:13:38 spectre dovecot: lmtp(8362...

Hi, latest Mercurial seems to have problems with the Config Module unloads: May 5 19:18:16 spectre dovecot: master: Dovecot v2.0.beta4 (5d76f5b13883) starting up May 5 19:18:34 spectre dovecot: managesieve: Error: fd_read() partial input (54/88) May 5 19:18:34 spectre dovecot: imap-login: Fatal: Error reading configuration: read(/var/run/dovecot/config) failed: EOF May 5 19:18:34 spectre dove...

Patch http://hg.dovecot.org/dovecot-2.1/rev/3d8a25a4394d breaks auth May 5 09:01:52 spectre dovecot: lmtp(24442): Connect from local May 5 09:01:52 spectre dovecot: lmtp(24442): Error: userdb lookup(tlx at leuxner.net): Disconnected unexpectedly May 5 09:01:52 spectre dovecot: auth: Fatal: master: service(auth): child 24443 killed with signal 11 (core not dumped) May 5 09:01:52 spectre...