Started by witek, January 07, 2018, 12:01:16 PM
Quote:
Again, update your kernels, don't delay, and don't stop. The updates to resolve these problems will be continuing to come for a long period of time. Also, there are still lots of other bugs and security issues being resolved in the stable and LTS kernel releases that are totally independent of these types of issues, so keeping up to date is always a good idea.

Quote:
Right now, there are a lot of very overworked, grumpy, sleepless, and just generally pissed off kernel developers working as hard as they can to resolve these issues that they themselves did not cause at all. Please be considerate of their situation right now. They need all the love and support and free supply of their favorite beverage that we can provide them to ensure that we all end up with fixed systems as soon as possible.

Quote from: pavroo on January 07, 2018, 10:50:28 PM
Talking about the Meltdown security issue - Sparky's Linux kernel 4.14.12 has the option set to yes as default:
CONFIG_PAGE_TABLE_ISOLATION=y
sudo apt update
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: YES
* The SPEC_CTRL CPUID feature bit is set: YES
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Checking if we're running under Xen PV (64 bits): NO
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
Quote:
There are no Spectre patches available yet. That's because, as Kroah-Hartman explained, "Spectre issues were the last to be addressed by the kernel developers. All of us were working on the Meltdown issue, and we had no real information on exactly what the Spectre problem was at all, and what patches were floating around were in even worse shape than what have been publicly posted."
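An added example, not written by anyone in this thread or by the authors of the checker script: a shell snippet that reduces a saved report like the one posted above to one status line per CVE, and lists the checks answered NO under each CVE marked VULNERABLE. It assumes the report keeps the line layout shown in the post; the function names are made up for the example.

```shell
#!/bin/sh
# Added example: summarise a saved checker report.
# Assumes the layout seen in the post: a "CVE-..." header, "* check: YES|NO"
# lines, then one "> STATUS: ..." line per CVE.

# Print "CVE-ID<TAB>status" for every CVE in the report (file args or stdin).
summarize_report() {
    awk '
        /^CVE-[0-9]+-[0-9]+/ { cve = $1; next }
        /^> STATUS:/ && cve != "" {
            s = $0
            sub(/^> STATUS:[ \t]*/, "", s)   # drop the prefix
            sub(/[ \t]*\(.*$/, "", s)        # drop the parenthesised reason
            sub(/[ \t]+$/, "", s)
            printf "%s\t%s\n", cve, s
            cve = ""
        }' "$@"
}

# Print "CVE-ID<TAB>check" for each check answered NO under a CVE whose
# status is VULNERABLE, i.e. the mitigations the report says are missing.
missing_checks() {
    awk '
        /^CVE-[0-9]+-[0-9]+/ { cve = $1; n = 0; next }
        cve != "" && /^\*.*:[ \t]*NO[ \t]*$/ {
            c = $0
            sub(/^\*[ \t]*/, "", c)
            sub(/:[ \t]*NO[ \t]*$/, "", c)
            failed[++n] = c
            next
        }
        /^> STATUS:[ \t]*VULNERABLE/ { for (i = 1; i <= n; i++) printf "%s\t%s\n", cve, failed[i] }
        /^> STATUS:/ { cve = "" }' "$@"
}

# Sample input: shortened copy of the report in the post above.
sample_report() {
    cat <<'EOF'
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Kernel support for IBRS: NO
* Kernel compiled with retpoline option: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* PTI enabled and active: YES
* Checking if we're running under Xen PV (64 bits): NO
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
EOF
}

sample_report | summarize_report
```

The Xen PV line shows why NO answers are only reported for CVEs whose status is VULNERABLE: under a NOT VULNERABLE status a NO can be the desired answer.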