Announcement

Collapse
No announcement yet.

New Kernel release with a Security Update

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    New Kernel release with a Security Update

    Canonical Outs New Ubuntu Kernel Update with Compiler-Based Retpoline Mitigation

    http://news.softpedia.com/news/canon...n-519909.shtml

    Disclaimer: I saw this version release announced about two days ago. It appeared in my repository this morning. That is quick.
    Last edited by TWPonKubuntu; Feb 22, 2018, 09:26 AM.
    Kubuntu 24.11 64bit under Kernel 6.12.1, Hp Pavilion, 6MB ram. Stay away from all things Google...

    #2
    and ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

    Code:
    vinny@vinny-Bonobo-Extreme:~/Downloads/metdown-checker/spectre-meltdown-checker-0.28$ sudo ./spectre-meltdown-checker.sh 
    [sudo] password for vinny:                                                                                                                                            
    Spectre and Meltdown mitigation detection tool v0.28                                                                                                                  
                                                                                                                                                                         
    Checking for vulnerabilities against running kernel Linux 4.13.0-36-generic #40-Ubuntu SMP Fri Feb 16 20:07:48 UTC 2018 x86_64                                        
    CPU is Intel(R) Core(TM) i7-4910MQ CPU @ 2.90GHz                                                                                                                      
                                                                                                                                                                         
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'                                                                                                           
    * Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)                                                  
    > STATUS:  NOT VULNERABLE  (Mitigation: OSB (observable speculation barrier, Intel v6))                                                                               
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
    > STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
    > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
    
    A false sense of security is worse than no security at all, see --disclaimer
    yes it LOOKS like we are good

    VINNY
    i7 4core HT 8MB L3 2.9GHz
    16GB RAM
    Nvidia GTX 860M 4GB RAM 1152 cuda cores

    Comment


      #3
      confirmed here on older kernel as well.

      Code:
      Spectre and Meltdown mitigation detection tool v0.28
      
      Checking for vulnerabilities against running kernel Linux 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64
      CPU is Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz
      
      CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
      * Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
      > STATUS:  NOT VULNERABLE  (Mitigation: OSB (observable speculation barrier, Intel v6))
      
      CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
      * Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
      > STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)
      
      CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
      * Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
      > STATUS:  NOT VULNERABLE  (Mitigation: PTI)

      Comment


        #4
        I noticed this on my Neon system:

        Code:
        $ ls /boot
        abi-4.13.0-38-generic     efi                           memtest86+_multiboot.bin      System.map-4.4.0-119-generic
        abi-4.13.0-39-generic     grub                          refind_linux.conf             System.map-4.4.0-121-generic
        abi-4.4.0-119-generic     initrd.img-4.13.0-38-generic  retpoline-4.13.0-38-generic   vmlinuz-4.13.0-38-generic
        abi-4.4.0-121-generic     initrd.img-4.13.0-39-generic  retpoline-4.13.0-39-generic   vmlinuz-4.13.0-39-generic
        config-4.13.0-38-generic  initrd.img-4.4.0-119-generic  retpoline-4.4.0-119-generic   vmlinuz-4.4.0-119-generic
        config-4.13.0-39-generic  initrd.img-4.4.0-121-generic  retpoline-4.4.0-121-generic   vmlinuz-4.4.0-119-generic.efi.signed
        config-4.4.0-119-generic  memtest86+.bin                System.map-4.13.0-38-generic  vmlinuz-4.4.0-121-generic
        config-4.4.0-121-generic  memtest86+.elf                System.map-4.13.0-39-generic  vmlinuz-4.4.0-121-generic.efi.signed
        What is this all about? What is retpoline? I found this, but it goes on about some James-Bond-sounding thing call Spectre 2. I have found some info on that, but nothing specific to ... well, my system.

        Should I care? Any useful pointers?
        'I must have a prodigious quantity of mind; it takes me as much as a week sometimes to make it up.' Mark Twain

        Comment


          #5
          joneall;

          More than a couple of months back (as I recall) there was an announcement about some security risks discovered in the processor micro-code itself. That is very deep in the system. It affected multiple different processor families, produced by different companies, including but not limited to, Intel.

          There have been a series of "fixes" issued for these problems. Some worked (kinda) and some did not. Hence the need for more than one update.

          This latest update is another in this series.

          My Advice: DO INSTALL. Particularly if you are actively using the Internet. There are exploits searching for unpatched systems...

          If you are curious, you can do a (NON-Google(r), please) websearch on the terms "retpoline", "Spectre 2", etc. There will be a large amount of information about what these are and about the attempts to fix the code.

          You can search this forum for threads which discussed this, also.

          I'll point out that there are patches for both the Linux Kernel code and for the individual processor micro-code.

          Finally (I'm long winded), use whatever Update Manager is available on your Neon installation to check, regularly, for updates. I do this daily because of the frequency of "security" updates in the last couple of months. It seem safer to keep my system(s) as up-to-date as I can.

          Hope this helps.
          Kubuntu 24.11 64bit under Kernel 6.12.1, Hp Pavilion, 6MB ram. Stay away from all things Google...

          Comment


            #6
            Thanks.
            'I must have a prodigious quantity of mind; it takes me as much as a week sometimes to make it up.' Mark Twain

            Comment


              #7
              Originally posted by TWPonKubuntu View Post
              I'll point out that there are patches for both the Linux Kernel code and for the individual processor micro-code.

              Finally (I'm long winded), use whatever Update Manager is available on your Neon installation to check, regularly, for updates. I do this daily because of the frequency of "security" updates in the last couple of months. It seem safer to keep my system(s) as up-to-date as I can.

              Hope this helps.
              Good advice ,,,,,I personally , do not like the update managers to do my updates , they are getting better , but I do this every day I am in one of my systems ...

              Code:
              sudo apt-get update && sudo apt-get  dist-upgrade
              I like this for 2 reasons 1-you get to see exactly whats going to happen and get a chance to cancel if you do not like what you see .
              2- if there are errors you will see some suggestions/hints as to fixes .

              But thats just me and my 2 cents worth

              VINNY
              i7 4core HT 8MB L3 2.9GHz
              16GB RAM
              Nvidia GTX 860M 4GB RAM 1152 cuda cores

              Comment


                #8
                New Kernel release with a Security Update

                Ditto, VINNY!
                "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                – John F. Kennedy, February 26, 1962.

                Comment


                  #9
                  TWP
                  Your are NOT "long winded".
                  You ARE "complete and concise".
                  woodlikescompleteandconsisesmoke

                  Originally posted by TWPonKubuntu View Post
                  joneall;

                  My Advice: DO INSTALL. Particularly if you are actively using the Internet. There are exploits searching for unpatched systems...

                  Hope this helps.

                  Comment


                    #10
                    Woodsmoke:

                    Kubuntu 24.11 64bit under Kernel 6.12.1, Hp Pavilion, 6MB ram. Stay away from all things Google...

                    Comment


                      #11
                      Originally posted by vinnywright View Post
                      Good advice ,,,,,I personally , do not like the update managers to do my updates , they are getting better , but I do this every day I am in one of my systems ...

                      Code:
                      sudo apt-get update && sudo apt-get  dist-upgrade
                      I like this for 2 reasons 1-you get to see exactly whats going to happen and get a chance to cancel if you do not like what you see .
                      2- if there are errors you will see some suggestions/hints as to fixes .

                      But thats just me and my 2 cents worth

                      VINNY
                      Vinny, You're right. I also do both GUI (update manager) and CLI because I've found that the GUI sometimes does not find all the updates from my set of repositories. Same repository list. It is rare, but it does happen.
                      Kubuntu 24.11 64bit under Kernel 6.12.1, Hp Pavilion, 6MB ram. Stay away from all things Google...

                      Comment


                        #12
                        Problem is, I never know what all those things in /boot are. Looks like vmlinuz... is the system, since that's been there all along. But what about retpoline...? Is that automatically taken into account when you boot vmlinuz... or should you boot that?
                        'I must have a prodigious quantity of mind; it takes me as much as a week sometimes to make it up.' Mark Twain

                        Comment


                          #13
                          vmlinuz - https://infogalactic.com/info/Vmlinux

                          The filename of the bootable image is not important, but many popular distributions use vmlinuz.
                          The name vmlinux is a mutation of vmunix, while in vmlinuz the letter z at the end denotes that it is compressed (gzipped).[1]
                          Retpoline is a fix, developed by Google(r) (which, IMO, does not make Google(r) more trustworthy) for the Spectre processor vulnerability. If you have it, then it is (should be) already installed on your system and (should be) automatically applied when you boot Linux. It was delivered in one of the kernel security updates (thread topic) in the past several months.

                          If you're curious about files in /boot then by all means locate (web search with InfoGalactic not Google(r) ) the documentation. Remember the "curiosity killed the cat" and don't mess around with the /boot files until you know what you're doing... Voice of experience speaking here... "Here Lay Dragons".

                          If you do choose to attempt manual changes in /boot, remember that backups are your friends .
                          Last edited by TWPonKubuntu; May 15, 2018, 01:01 PM. Reason: Changed registration symbol case
                          Kubuntu 24.11 64bit under Kernel 6.12.1, Hp Pavilion, 6MB ram. Stay away from all things Google...

                          Comment


                            #14
                            Uh, what is Google(R)? I've seen it before. Is it different from Google?
                            'I must have a prodigious quantity of mind; it takes me as much as a week sometimes to make it up.' Mark Twain

                            Comment


                              #15
                              Call it an overabundance of caution on my part. Google(r) is the registered trademark of that company... This editing tool doesn't appear to offer the registration mark "circle r", so I use (r) which is an accepted alternative.

                              My fingers typed a Cap r when I meant lower case, fixed it in the post. Thanks.
                              Last edited by TWPonKubuntu; May 15, 2018, 01:02 PM.
                              Kubuntu 24.11 64bit under Kernel 6.12.1, Hp Pavilion, 6MB ram. Stay away from all things Google...

                              Comment

                              Working...
                              X