Security Leftovers: WordPress 6.0.1, Retbleed (CVE-2022-29900 and CVE-2022-29901), Istio 1.12.9
Date: 2022-06-15
-
WordPress 6.0.1 Maintenance Release
This maintenance release features 13 bug fixes in Core and 18 bug fixes for the Block Editor. WordPress 6.0.1 is a short-cycle maintenance release. You can review a summary of the key updates in this release by reading the RC1 announcement.
The next major release will be version 6.1 planned for later in 2022.
-
The "Retbleed" speculative execution vulnerabilities
Some researchers at ETH Zurich have disclosed a new set of speculative-execution vulnerabilities known as "Retbleed". In short, the retpoline defenses added when Spectre was initially disclosed turn out to be insufficient on x86 machines because return instructions, too, can be speculatively executed.
-
Retbleed: Arbitrary Speculative Code Execution with Return Instructions
Retbleed (CVE-2022-29900 and CVE-2022-29901) is the new addition to the family of speculative execution attacks that exploit branch target injection to leak information, which we call Spectre-BTI. Unlike its siblings, which trigger harmful branch target speculation by exploiting indirect jumps or calls, Retbleed exploits return instructions. This means a great deal, since it undermines some of our current Spectre-BTI defenses.
[...]
We found that we can trigger the microarchitectural conditions, on both AMD and Intel CPUs, that force returns to be predicted like indirect branches. We also built the necessary tools to discover locations in the Linux kernel where these conditions are met.
-
Announcing Istio 1.12.9
This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.12.8 and Istio 1.12.9.
-
