http://www.eweek.com/security/linux-...ectre-response
The latest variant of Spectre/Meltdown is called "Foreshadow".
http://www.eweek.com/security/intel-...ecution-attack
Kroah-Hartman said that when Intel finally decided to tell Linux developers, the disclosure was siloed."Normally when we get a kernel security bug, it goes to the Linux kernel security team, we drag in the right people, we work with the distributions getting everyone on the same page and push out patches," he said. "Intel siloed SUSE, they siloed Red Hat, they siloed Canonical. They never told Oracle, and they wouldn't let us talk to each other."
For an initial set of vulnerabilities, Kroah-Hartman said the different Linux vendors that typically work together. However, in this case they ended up working on their own, and each came up with different solutions.
"It really wasn't working, and a number of us kernel developers yelled at [Intel] and pleaded, and we finally got them to allow us to talk to each other the last week of December [2017]," he said. "All of our Christmas vacations were ruined.
...
"The majority of the world runs Debian or they run their own kernel," Kroah-Hartman said. "Debian was not allowed to be part of the disclosure, so the majority of the world was caught with their pants down, and that's not good."
...
An interesting side effect of the Meltdown and Spectre vulnerabilities is that Linux and Windows developers are now working together, since both operating systems face similar risks from the CPU vulnerabilities.
"Windows and Linux kernel developers now have this wonderful back channel. We're talking to each other and we're fixing bugs for each other," Kroah-Hartman said. "We are working well together. We have always wanted that."
...
For an initial set of vulnerabilities, Kroah-Hartman said the different Linux vendors that typically work together. However, in this case they ended up working on their own, and each came up with different solutions.
"It really wasn't working, and a number of us kernel developers yelled at [Intel] and pleaded, and we finally got them to allow us to talk to each other the last week of December [2017]," he said. "All of our Christmas vacations were ruined.
...
"The majority of the world runs Debian or they run their own kernel," Kroah-Hartman said. "Debian was not allowed to be part of the disclosure, so the majority of the world was caught with their pants down, and that's not good."
...
An interesting side effect of the Meltdown and Spectre vulnerabilities is that Linux and Windows developers are now working together, since both operating systems face similar risks from the CPU vulnerabilities.
"Windows and Linux kernel developers now have this wonderful back channel. We're talking to each other and we're fixing bugs for each other," Kroah-Hartman said. "We are working well together. We have always wanted that."
...
http://www.eweek.com/security/intel-...ecution-attack
Foreshadow is the latest in a series of side-channel vulnerabilities that have been reported in 2018, the first being Meltdown and Spectre, which were disclosed on Jan. 3. Additional variants were disclosed on May 22 and on July 26 with the NetSpectre
Comment