andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)
<hexa-> so, is there anything we should do about the most recent spectre exploits?
<hexa-> it says they're using /proc/kallsyms
<Foxboron> hexa-: The thing is that there shouldn't be anything you need to do. Spectre should be mitigated with recent gcc/kernel mitigations. kallsyms is only used to bypass KASLR
<Foxboron> So it's only a problem on older servers
<Foxboron> recent as in 2019 :p
<hexa-> brrr
<Foxboron> that's my understanding of the exploit at least :)
<hexa-> yeah, should unprivileged users be able to read out kallsyms?
<Foxboron> It's only special since it's the first time it's been spotted in the wild. Not because it's been broken again
<hexa-> yep
<Foxboron> vidal72[m] : Foxboron: there is kptr_restrict sysctl that obscures /proc/kallsyms output for unpriv users
<Foxboron> anthraxx : or to be more specific, linux-hardened patches the default and doesn't use a sysctl conf file
<Foxboron> anthraxx : vidal72[m]: Foxboron: whose default unfortunately can't be changed as long as you have CONFIG_KALLSYMS except via sysctl, which linux-hardened btw does by default
<Foxboron> so hardened patches it to reverse the flag (like with other stuff). I'm not quite sure what the best approach there is
<hexa-> and what other impact it has
<Foxboron> No clue :)
<hexa-> thanks for looking into this
<Foxboron> nps!
<bennofs> why don't we have PIE by default?
<ajs124> bennofs: idk, but there's #104091 which is still a draft
<{^_^}> https://github.com/NixOS/nixpkgs/pull/104091 (by TredwellGit, 14 weeks ago, open): treewide: enable security hardening flags
<hexa-> (CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707) - sys-devel/grub: Multiple vulnerabilities (CVE-2020-{10713,14308,14309,14310,14311,15705,15706,15707})
<Foxboron> hexa-: that's the boothole ones fwiw
<hexa-> yep
<Foxboron> (probably)