The release of Linux kernel 5.17, postponed by the appearance of the new version of the Specter attack

The release of Linux kernel 5.17, postponed by the appearance of the new version of the Specter attack

The goal of Linus Torvalds, creator and developer of the Linux kernel, was to be able to have released yesterday the stable version of Linux 5.17. However, instead we only have a ‘release candidate’ (Linux 5.17-rc8) and the final version available. postponed until next weekend (March 20). But why has this happened?

Everything is due to the spread of a new version of the Specter vulnerability, which caused so many headaches a few years ago to the manufacturers of Intel and ARM CPUs: this time, the so-called Spectre-BHI (from ‘Branch History Injection’) allows a potential attacker to bypass the eIBRS and CSV2 protection mechanisms…

…built into processors precisely as a way to stay safe from old versions of Specter (and not dragging down CPU performance, as software-based solutions did).

The thing is, apart from the fact that Spectre-BHI uses a version history buffer instead of a version target buffer as a way to perform a possible leak of sensitive data from the kernel’s privileged memory spacethis new attack is identical to the old Spectre-v2.

LINUX and GNU: LINUX: WHAT IT IS AND HOW IT WORKS

Statement by Linus Torvalds

Torvalds has admitted in a statement that the past week was “a bit chaotic […] but naively I thought I’d be able to pull off the final launch East [pasado] weekend”.

What dissuaded him from doing it, finally, was that the patches applied against Spectre-BHI had not been able to undergo the usual automated testing process:

“I don’t think we have any issues on our hands that are going to stop the launch, but on the other hand, we also had no reason not to give him another week of leeway to [poder finalizar] all automated tests”

“So that’s what we’ve done, and that’s why we now have a -rc8 release instead of making a final 5.17 release. […] because of the Spectre thing, about half of the -rc8 patch is architecture updates.”

In any case, Linus recommends not leaving kernel testing solely in the hands of automated tests.:

Read:  Jujutsu Kaisen 0 already has a release date on Crunchyroll

“Real-life tasks are always more interesting than those carried out by automation farms, so please try this latest RC quickly.”