About the processor vulnerabilities Meltdown, Spectre, some articles

This topic is closed.

    #16
    Well, the big release date for patched kernels is today. In checking the repository I see that some of the new kernels are there, but not the one I run, 4.8 for 16.04. I'm not worried. Bad guys will have to break through my router firewall and my ufw firewall (yes, I am being redundant). Meanwhile, I'll wait till the patch comes down the pipe. The BIG question I have is "how much slower will this Acer run with the patched kernel in place?"
    “A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.



      #17
      Nothing for 4.10 either so far.
      Kubuntu 20.04



        #18
        Apparently, Google discovered these flaws in April...

        I updated to the mainline kernel in my Fedora install; it should enable sound from my RX480 too, but it runs on a Ryzen 1700X.
        My other computer has a Core 2 Duo Wolfdale CPU. I have Windows 7 on it, but I'm going to play around with Mint though.

        These flaws do need fixing, but they're not as big of a deal as they are made out to be.
        Registered Linux User 545823



          #19
          Originally posted by chimak111:
          Nothing for 4.10 either so far.
          There won't be for 4.10 as far as I have seen.

          Zesty 4.10 kernel will not be fixed as Zesty goes EOL in a few days anyway, and I read that the 4.10 HWE kernel for Xenial will get an earlier upgrade to a fixed 4.13 kernel instead.

          EDIT: here https://wiki.ubuntu.com/SecurityTeam...treAndMeltdown

          Ubuntu 17.04 and 4.10 HWE early end of life

          Last edited by acheron; Jan 09, 2018, 01:40 PM.
          On #kubuntu-devel & #kubuntu on libera.chat - IRC Nick: RikMills - Launchpad ID: click



            #20
            Update:

            2018 Jan 09: Ubuntu kernel updates are made available in:

            USN 3522-1 (Ubuntu 16.04 LTS),

            USN 3523-1 (Ubuntu 17.10), and

            USN 3522-2 (Ubuntu 14.04 LTS).
            Last edited by acheron; Jan 09, 2018, 05:40 PM.
            On #kubuntu-devel & #kubuntu on libera.chat - IRC Nick: RikMills - Launchpad ID: click



              #21
              Originally posted by acheron:
              There won't be for 4.10 as far as I have seen.

              Zesty 4.10 kernel will not be fixed as Zesty goes EOL in a few days anyway, and I read that the 4.10 HWE kernel for Xenial will get an earlier upgrade to a fixed 4.13 kernel instead.

              EDIT: here https://wiki.ubuntu.com/SecurityTeam...treAndMeltdown
              Thank you for clarifying!
              Kubuntu 20.04



                #22
                So I downloaded a script to check for Spectre and Meltdown - and ran it.
                Code:
                john@John-Desktop:/tmp$ sudo sh spectre-meltdown-checker.sh
                Spectre and Meltdown mitigation detection tool v0.21
                
                Checking for vulnerabilities against live running kernel Linux 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:50 UTC 2017 i686
                
                CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
                * Checking count of LFENCE opcodes in kernel:  YES  (745 opcodes found, which is >= 70)
                > STATUS:  NOT VULNERABLE  (heuristic to be improved when official patches become available)
                
                CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
                * Mitigation 1
                *   Hardware (CPU microcode) support for mitigation:  NO 
                *   Kernel support for IBRS:  NO 
                *   IBRS enabled for Kernel space:  NO 
                *   IBRS enabled for User space:  NO 
                * Mitigation 2
                *   Kernel compiled with retpoline option:  NO 
                *   Kernel compiled with a retpoline-aware compiler:  NO 
                > STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
                
                CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
                * Kernel supports Page Table Isolation (PTI):  NO 
                * PTI enabled and active:  NO 
                > STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)
                
                A false sense of security is worse than no security at all, see --disclaimer
                Kinda what I expected, based on what the discussions are saying.

                So after getting the latest kernel and rebooting, I ran it again.
                Code:
                john@John-Desktop:/tmp$ sudo sh spectre-meltdown-checker.sh
                [sudo] password for john: 
                Spectre and Meltdown mitigation detection tool v0.21
                
                Checking for vulnerabilities against live running kernel Linux 4.4.0-108-generic #131-Ubuntu SMP Sun Jan 7 14:33:55 UTC 2018 i686
                
                CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
                * Checking count of LFENCE opcodes in kernel:  YES  (745 opcodes found, which is >= 70)
                > STATUS:  NOT VULNERABLE  (heuristic to be improved when official patches become available)
                
                CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
                * Mitigation 1
                *   Hardware (CPU microcode) support for mitigation:  NO 
                *   Kernel support for IBRS:  NO 
                *   IBRS enabled for Kernel space:  NO 
                *   IBRS enabled for User space:  NO 
                * Mitigation 2
                *   Kernel compiled with retpoline option:  NO 
                *   Kernel compiled with a retpoline-aware compiler:  NO 
                > STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
                
                CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
                * Kernel supports Page Table Isolation (PTI):  NO 
                * PTI enabled and active:  NO 
                > STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)
                
                A false sense of security is worse than no security at all, see --disclaimer
                No change. So I'm confused... not the first time, mind you, but I sort of expected something to be different. Not worried, after all this condition has been around a very long time, just puzzled.
                The next brick house on the left
                Intel i7 11th Gen | 16GB | 1TB | KDE Plasma 5.27.11 | Kubuntu 24.04 | 6.8.0-31-generic





                  #23
                  Yeah, I got a different result with the
                  Code:
                  vinny@vinny-Bonobo-Extreme:~$ uname -a
                  Linux vinny-Bonobo-Extreme 4.13.0-25-generic #29~16.04.2-Ubuntu SMP Tue Jan 9 12:16:39 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
                  that I just got tonight:

                  Code:
                  vinny@vinny-Bonobo-Extreme:~/Documents/testing/spector,meltdown/spectre-meltdown-checker$ sudo sh spectre-meltdown-checker.sh 
                  [sudo] password for vinny: 
                  Spectre and Meltdown mitigation detection tool v0.21
                  
                  Checking for vulnerabilities against live running kernel Linux 4.13.0-25-generic #29~16.04.2-Ubuntu SMP Tue Jan 9 12:16:39 UTC 2018 x86_64
                  
                  CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
                  * Checking count of LFENCE opcodes in kernel:  NO  (only 42 opcodes found, should be >= 70)
                  > STATUS:  VULNERABLE  (heuristic to be improved when official patches become available)
                  
                  CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
                  * Mitigation 1
                  *   Hardware (CPU microcode) support for mitigation:  NO 
                  *   Kernel support for IBRS:  NO 
                  *   IBRS enabled for Kernel space:  NO 
                  *   IBRS enabled for User space:  NO 
                  * Mitigation 2
                  *   Kernel compiled with retpoline option:  NO 
                  *   Kernel compiled with a retpoline-aware compiler:  NO 
                  > STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
                  
                  CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
                  * Kernel supports Page Table Isolation (PTI):  YES 
                  * PTI enabled and active:  YES 
                  > STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
                  
                  A false sense of security is worse than no security at all, see --disclaimer
                  It seems that only 'Variant 3' got patched... so far?

                  VINNY
                  i7 4core HT 8MB L3 2.9GHz
                  16GB RAM
                  Nvidia GTX 860M 4GB RAM 1152 cuda cores



                    #24
                    Good description of the status of kernel patching (as of Saturday 6 JAN):

                    http://kroah.com/log/blog/2018/01/06/meltdown-status/



                      #25
                      I'll be watching for more kernel updates over the next few weeks, as recommended in the article. It's just strange that an update to one of the "stable" kernels came out but changed nothing. This situation has existed for a very long time, so I guess a couple more weeks won't be a problem.
                      The next brick house on the left
                      Intel i7 11th Gen | 16GB | 1TB | KDE Plasma 5.27.11 | Kubuntu 24.04 | 6.8.0-31-generic





                        #26
                        Originally posted by dibl:
                        Good description of the status of kernel patching (as of Saturday 6 JAN):

                        http://kroah.com/log/blog/2018/01/06/meltdown-status/
                        From that article:
                        This means that the latest 4.14 release (4.14.12 at this moment in time), is what you should be running.
                        ...
                        If you rely on any other kernel tree other than 4.4, 4.9, or 4.14 right now, and you do not have a distribution supporting you, you are out of luck.
                        It seems that 4.9 is not in the repository and my NVidia is using 4.8, which won't be patched. The gcp and azure kernels don't apply to my situation. There is no 4.14 kernel I can use. So, I am OOL with my 4.8 kernel in Neon User Edition. Unless, of course, I try the 4.14.13 kernel from git.kernel.org
                        “A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                        – John F. Kennedy, February 26, 1962.



                          #27
                          Something of a goat rope, with a little bit of cat herding thrown in for good measure.

                          No blame being directed at the devs because whether it's karma or coincidence or unfortunate timing, they've had to jump hoops, too. I'm thankful for their hard work, and will just focus on solutions as they are pushed.
                          The next brick house on the left
                          Intel i7 11th Gen | 16GB | 1TB | KDE Plasma 5.27.11 | Kubuntu 24.04 | 6.8.0-31-generic





                            #28
                            Originally posted by GreyGeek:
                            From that article:


                            It seems that 4.9 is not in the repository and my NVidia is usings 4.8, which won't be patched. The gcp and azure kernels don't apply to my situation. There is no 4.14 kernel I can use. So, I am OOL with my 4.8 kernel in Neon User Edition. Unless, of course, I try the 4.14.13 kernel from git.kernel.org
                            But, in reality, the true likelihood that 'you' are at any risk is slim at worst, and non-existent at best.
                            Windows no longer obstructs my view.
                            Using Kubuntu Linux since March 23, 2007.
                            "It is a capital mistake to theorize before one has data." - Sherlock Holmes



                              #29
                              Originally posted by Snowhog:
                              But, in reality, the true likelihood that 'you' are at any risk is slim at worst, and non-existent at best.
                              True. That's why I'm not concerned about it, especially since the perps would have to break through a firewall to get to the kernel. And, if they got in they'd find nothing. Ransom? Btrfs rollback. Personal info? Nothing the Feds don't already have.
                              So, basically, I don't care.
                              And, your comments about the devs I agree with 1000%
                              “A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                              – John F. Kennedy, February 26, 1962.



                                #30
                                I found this article today:

                                Intel Releases Processor Microcode Patch for Linux OSes, Here's How to Update

                                http://news.softpedia.com/news/intel...e-519316.shtml

                                The instructions are moderately technical and if you don't feel comfortable doing this, then perhaps find someone you trust to do it...

                                DO NOTE that it is specific to Linux. I assume a comparable set of instructions exist for Windows(r), but frankly, I don't care.

                                I'm NOT ready to attempt this at this point, but acknowledge that it may be a necessary update for some CPU's.

                                I will wait to see if this comes down via a normal OS patch from the repositories. Since some testing will be needed, don't expect this to happen overnight...
                                Kubuntu 24.04 64bit under Kernel 6.10.2, Hp Pavilion, 6MB ram. All Bow To The Great Google... cough, hack, gasp.
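
The checker runs in post #22 and #23 rely on v0.21's heuristics (counting LFENCE opcodes, probing for IBRS and PTI), and post #30 raises the separate question of whether a microcode update actually landed. The script below is an added example, not part of this thread and not code from spectre-meltdown-checker: it reads the kernel's own verdict from /sys/devices/system/cpu/vulnerabilities/ (added in 4.15 and backported to the stable trees and distribution kernels), falls back to the kernel build config on older kernels, checks whether PTI was switched off on the command line, and reports the CPU microcode revision and spec_ctrl/ibrs/ibpb flags from /proc/cpuinfo. Function names and the path parameters are this example's own assumptions; the defaults are the real sysfs and proc locations.

```shell
#!/bin/sh
# Added example (not from the thread, not from spectre-meltdown-checker).
# Reports Spectre/Meltdown mitigation state from the kernel's own interfaces.
# Every path is a parameter with a default so the functions can be run
# against constructed files; the function names are this example's own.

# One-word verdict for an entry in /sys/devices/system/cpu/vulnerabilities/.
#   $1 = vulnerabilities directory, $2 = entry (meltdown, spectre_v1, spectre_v2)
sysfs_status() {
    f="$1/$2"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Fallback for kernels that predate the sysfs interface: query the build
# config (normally /boot/config-$(uname -r)). Prints yes, no or unknown.
#   $1 = config file, $2 = option, e.g. CONFIG_PAGE_TABLE_ISOLATION
config_has() {
    cfg="$1"; opt="$2"
    [ -r "$cfg" ] || { echo unknown; return 0; }
    if grep -q "^${opt}=y" "$cfg"; then
        echo yes
    elif grep -q "^# ${opt} is not set" "$cfg"; then
        echo no
    else
        echo unknown
    fi
}

# True when PTI was turned off at boot (nopti or pti=off). A kernel can be
# built with PTI and still run without it; the config file cannot tell you that.
#   $1 = cmdline file (normally /proc/cmdline)
pti_disabled_on_cmdline() {
    [ -r "$1" ] || return 1
    grep -qE '(^| )(nopti|pti=off)( |$)' "$1"
}

# Microcode revision of the first CPU as the kernel prints it (hex, e.g. 0x84),
# or "unknown" when the field is absent.
#   $1 = cpuinfo file (normally /proc/cpuinfo)
microcode_revision() {
    [ -r "$1" ] || { echo unknown; return 0; }
    rev=$(awk -F': *' '/^microcode[[:space:]]*:/ { print $2; exit }' "$1")
    echo "${rev:-unknown}"
}

# True when the CPU advertises the IBRS/IBPB interface in its flags, i.e. the
# microcode side of the Spectre v2 mitigation the checker calls
# "Hardware (CPU microcode) support".
#   $1 = cpuinfo file
has_spec_ctrl() {
    [ -r "$1" ] || return 1
    awk '/^flags[[:space:]]*:/ { for (i = 2; i <= NF; i++)
             if ($i == "spec_ctrl" || $i == "ibrs" || $i == "ibpb") found = 1 }
         END { exit !found }' "$1"
}

# Print the whole picture. Arguments override the live system paths.
report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    cfg="${2:-/boot/config-$(uname -r)}"
    cmd="${3:-/proc/cmdline}"
    cpu="${4:-/proc/cpuinfo}"
    for v in spectre_v1 spectre_v2 meltdown; do
        printf '%-11s %s\n' "$v" "$(sysfs_status "$dir" "$v")"
    done
    printf 'CONFIG_PAGE_TABLE_ISOLATION=%s  CONFIG_RETPOLINE=%s\n' \
        "$(config_has "$cfg" CONFIG_PAGE_TABLE_ISOLATION)" \
        "$(config_has "$cfg" CONFIG_RETPOLINE)"
    if pti_disabled_on_cmdline "$cmd"; then
        echo 'PTI disabled on the kernel command line'
    fi
    printf 'microcode revision: %s; spec_ctrl/ibrs/ibpb flag: %s\n' \
        "$(microcode_revision "$cpu")" \
        "$(has_spec_ctrl "$cpu" && echo yes || echo no)"
}

report "$@"
```

A result of "unknown" from sysfs_status on a 4.4.0-108 or 4.13.0-25 kernel means the kernel is older than the sysfs interface, and the config and cmdline checks are then the only kernel-side evidence; a "mitigated" meltdown entry together with "no" for the spec_ctrl flag is the same picture vinny's run shows, with PTI in place but no microcode-backed Spectre v2 mitigation yet.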
