New Kernel release with a Security Update
    Canonical Outs New Ubuntu Kernel Update with Compiler-Based Retpoline Mitigation

    http://news.softpedia.com/news/canon...n-519909.shtml

    Disclaimer: I saw this version release announced about two days ago. It appeared in my repository this morning. That is quick.
    Last edited by TWPonKubuntu; Feb 22, 2018, 09:26 AM.
    Kubuntu 24.04 64bit under Kernel 6.10.2, Hp Pavilion, 6MB ram. All Bow To The Great Google... cough, hack, gasp.

    #2
    and ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

    Code:
    vinny@vinny-Bonobo-Extreme:~/Downloads/metdown-checker/spectre-meltdown-checker-0.28$ sudo ./spectre-meltdown-checker.sh
    [sudo] password for vinny:
    Spectre and Meltdown mitigation detection tool v0.28

    Checking for vulnerabilities against running kernel Linux 4.13.0-36-generic #40-Ubuntu SMP Fri Feb 16 20:07:48 UTC 2018 x86_64
    CPU is Intel(R) Core(TM) i7-4910MQ CPU @ 2.90GHz

    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
    > STATUS:  NOT VULNERABLE  (Mitigation: OSB (observable speculation barrier, Intel v6))
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
    > STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
    > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
    
    A false sense of security is worse than no security at all, see --disclaimer
    yes it LOOKS like we are good

    VINNY
    i7 4core HT 8MB L3 2.9GHz
    16GB RAM
    Nvidia GTX 860M 4GB RAM 1152 cuda cores



      #3
      Confirmed here on an older kernel as well.

      Code:
      Spectre and Meltdown mitigation detection tool v0.28
      
      Checking for vulnerabilities against running kernel Linux 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64
      CPU is Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz
      
      CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
      * Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
      > STATUS:  NOT VULNERABLE  (Mitigation: OSB (observable speculation barrier, Intel v6))
      
      CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
      * Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
      > STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)
      
      CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
      * Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
      > STATUS:  NOT VULNERABLE  (Mitigation: PTI)



        #4
        I noticed this on my Neon system:

        Code:
        $ ls /boot
        abi-4.13.0-38-generic     efi                           memtest86+_multiboot.bin      System.map-4.4.0-119-generic
        abi-4.13.0-39-generic     grub                          refind_linux.conf             System.map-4.4.0-121-generic
        abi-4.4.0-119-generic     initrd.img-4.13.0-38-generic  retpoline-4.13.0-38-generic   vmlinuz-4.13.0-38-generic
        abi-4.4.0-121-generic     initrd.img-4.13.0-39-generic  retpoline-4.13.0-39-generic   vmlinuz-4.13.0-39-generic
        config-4.13.0-38-generic  initrd.img-4.4.0-119-generic  retpoline-4.4.0-119-generic   vmlinuz-4.4.0-119-generic
        config-4.13.0-39-generic  initrd.img-4.4.0-121-generic  retpoline-4.4.0-121-generic   vmlinuz-4.4.0-119-generic.efi.signed
        config-4.4.0-119-generic  memtest86+.bin                System.map-4.13.0-38-generic  vmlinuz-4.4.0-121-generic
        config-4.4.0-121-generic  memtest86+.elf                System.map-4.13.0-39-generic  vmlinuz-4.4.0-121-generic.efi.signed
        What is this all about? What is retpoline? I found this, but it goes on about some James-Bond-sounding thing called Spectre 2. I have found some info on that, but nothing specific to ... well, my system.

        Should I care? Any useful pointers?
        'I must have a prodigious quantity of mind; it takes me as much as a week sometimes to make it up.' Mark Twain



          #5
          joneall;

          More than a couple of months back (as I recall) there was an announcement about some security risks discovered in the processor micro-code itself. That is very deep in the system. It affected multiple different processor families, produced by different companies, including but not limited to, Intel.

          There have been a series of "fixes" issued for these problems. Some worked (kinda) and some did not. Hence the need for more than one update.

          This latest update is another in this series.

          My Advice: DO INSTALL. Particularly if you are actively using the Internet. There are exploits searching for unpatched systems...

          If you are curious, you can do a (NON-Google(r), please) websearch on the terms "retpoline", "Spectre 2", etc. There will be a large amount of information about what these are and about the attempts to fix the code.

          You can search this forum for threads which discussed this, also.

          I'll point out that there are patches for both the Linux Kernel code and for the individual processor micro-code.

          Finally (I'm long winded), use whatever Update Manager is available on your Neon installation to check, regularly, for updates. I do this daily because of the frequency of "security" updates in the last couple of months. It seems safer to keep my system(s) as up-to-date as I can.

          Hope this helps.



            #6
            Thanks.



              #7
              Originally posted by TWPonKubuntu View Post
              I'll point out that there are patches for both the Linux Kernel code and for the individual processor micro-code.

              Finally (I'm long winded), use whatever Update Manager is available on your Neon installation to check, regularly, for updates. I do this daily because of the frequency of "security" updates in the last couple of months. It seems safer to keep my system(s) as up-to-date as I can.

              Hope this helps.
              Good advice... I personally do not like the update managers to do my updates; they are getting better, but I do this every day I am in one of my systems...

              Code:
              sudo apt-get update && sudo apt-get dist-upgrade
              I like this for 2 reasons: 1- you get to see exactly what's going to happen and get a chance to cancel if you do not like what you see.
              2- if there are errors you will see some suggestions/hints as to fixes.

              But that's just me and my 2 cents' worth.




                #8

                Ditto, VINNY!
                "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                – John F. Kennedy, February 26, 1962.



                  #9
                  TWP
                  You are NOT "long winded".
                  You ARE "complete and concise".
                  woodlikescompleteandconsisesmoke

                  Originally posted by TWPonKubuntu View Post
                  joneall;

                  My Advice: DO INSTALL. Particularly if you are actively using the Internet. There are exploits searching for unpatched systems...

                  Hope this helps.



                    #10
                    Woodsmoke:




                      #11
                      Originally posted by vinnywright View Post
                      Good advice... I personally do not like the update managers to do my updates; they are getting better, but I do this every day I am in one of my systems...

                      Code:
                      sudo apt-get update && sudo apt-get dist-upgrade
                      I like this for 2 reasons: 1- you get to see exactly what's going to happen and get a chance to cancel if you do not like what you see.
                      2- if there are errors you will see some suggestions/hints as to fixes.

                      But that's just me and my 2 cents' worth.

                      VINNY
                      Vinny, You're right. I also do both GUI (update manager) and CLI because I've found that the GUI sometimes does not find all the updates from my set of repositories. Same repository list. It is rare, but it does happen.



                        #12
                        Problem is, I never know what all those things in /boot are. Looks like vmlinuz... is the system, since that's been there all along. But what about retpoline...? Is that automatically taken into account when you boot vmlinuz... or should you boot that?



                          #13
                          vmlinuz - https://infogalactic.com/info/Vmlinux

                          The filename of the bootable image is not important, but many popular distributions use vmlinuz.
                          The name vmlinux is a mutation of vmunix, while in vmlinuz the letter z at the end denotes that it is compressed (gzipped).[1]
                          Retpoline is a fix, developed by Google(r) (which, IMO, does not make Google(r) more trustworthy) for the Spectre processor vulnerability. If you have it, then it is (should be) already installed on your system and (should be) automatically applied when you boot Linux. It was delivered in one of the kernel security updates (thread topic) in the past several months.

                          If you're curious about files in /boot then by all means locate (web search with InfoGalactic not Google(r) ) the documentation. Remember the "curiosity killed the cat" and don't mess around with the /boot files until you know what you're doing... Voice of experience speaking here... "Here Lay Dragons".

                          If you do choose to attempt manual changes in /boot, remember that backups are your friends.
                          Last edited by TWPonKubuntu; May 15, 2018, 01:01 PM. Reason: Changed registration symbol case
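An added example, not from this thread or from the spectre-meltdown-checker project: it reads the same /sys interface the checker output in #2 consults for the three CVEs, and, for the /boot question in #4 and #12, checks whether the kernel that is running is the newest vmlinuz-<release> installed. The sysfs path and the vmlinuz-<release> naming are assumed from the listings above; the directory arguments exist so it can be run against constructed directories as well as the live system.

```shell
#!/bin/sh
# Added example, not from the thread or the spectre-meltdown-checker project.
# The kernel reports its own mitigation status per CVE in sysfs; the checker's
# "/sys interface" lines above are reading these files:
#   spectre_v1 = CVE-2017-5753, spectre_v2 = CVE-2017-5715, meltdown = CVE-2017-5754

# report_vuln FILE: print "name: state". Returns 0 when the kernel reports a
# mitigation (or "Not affected"), 1 when it reports "Vulnerable", 2 when the
# file is missing (a kernel too old to carry the reporting patches at all).
report_vuln() {
    name=$(basename "$1")
    if [ ! -r "$1" ]; then
        echo "$name: no sysfs entry (kernel predates mitigation reporting)"
        return 2
    fi
    state=$(cat "$1")
    echo "$name: $state"
    case "$state" in
        Mitigation:*|"Not affected") return 0 ;;
        *) return 1 ;;
    esac
}

# check_all [DIR]: report the three CVEs from the thread; returns 0 only if all
# are mitigated. DIR defaults to the live sysfs path; tests point it elsewhere.
check_all() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for cve in spectre_v1 spectre_v2 meltdown; do
        report_vuln "$dir/$cve" || rc=1
    done
    return $rc
}

# running_latest BOOTDIR RELEASE: mitigations only apply to the kernel actually
# booted, so compare RELEASE (normally `uname -r`) with the newest
# vmlinuz-<release> in BOOTDIR, using the naming from the /boot listing above
# (.efi.signed copies ignored). Returns 1 if a newer kernel is installed but
# not running, i.e. the update still needs a reboot to take effect.
running_latest() {
    newest=$(ls "$1" | sed -n 's/^vmlinuz-\(.*-generic\)$/\1/p' | sort -V | tail -n 1)
    echo "running $2, newest installed ${newest:-none}"
    [ "$2" = "$newest" ]
}

# Stand-alone use on the live system (set CHECK_LIVE=1 to run it):
if [ -n "${CHECK_LIVE:-}" ]; then
    check_all && running_latest /boot "$(uname -r)"
fi
```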



                            #14
                            Uh, what is Google(R)? I've seen it before. Is it different from Google?



                              #15
                              Call it an overabundance of caution on my part. Google(r) is the registered trademark of that company... This editing tool doesn't appear to offer the registration mark "circle r", so I use (r) which is an accepted alternative.

                              My fingers typed a Cap r when I meant lower case, fixed it in the post. Thanks.
                              Last edited by TWPonKubuntu; May 15, 2018, 01:02 PM.
