[SOLVED] Kernel update for Spectre & Meltdown vulnerabilities


Postby Micromet » Jan 12th, '18, 19:38

Will there be a kernel update soon for Mageia 5 mitigating against the Spectre and Meltdown vulnerabilities?

I'm running an AMD FX6300 Black Edition 6 Core CPU in a Gigabyte 970A-DS3P Motherboard. My Mageia 5.1 distro is using kernel 4.4.105-desktop-1.mga5. While it seems that AMD chips are largely unaffected by the Meltdown vulnerability, they are for the Spectre one. Running the spectre-meltdown-checker https://github.com/speed47/spectre-meltdown-checker on this kernel indicates Vulnerable status on CVE-2017-5753 (Spectre Variant 1) - but not Vulnerable on CVE-2017-5715 (Spectre Variant 2) or CVE-2017-5754 (Meltdown or Variant 3).

This status above also affects, as you might expect, kernel modules present on my machine: 3.19.8-desktop-3.mga5, 4.4.30-desktop-2.mga5 and 4.4.92-desktop-1.mga5.

For a normal home system - what ramifications will the above vulnerability have for my system? Where will any possible exploit come from?
Last edited by Micromet on Jan 14th, '18, 19:34, edited 1 time in total.
Micromet
 
Posts: 50
Joined: Dec 6th, '14, 19:00

Re: Kernel update for Spectre & Meltdown vulnerabilities

Postby isadora » Jan 12th, '18, 19:45

Mageia 5 is end-of-life, as can be found on our blog:
https://blog.mageia.org/en/2018/01/08/w ... 18-week-1/
..........bird from paradise..........

Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.
—Antoine de Saint-Exupéry
isadora
 
Posts: 2742
Joined: Mar 25th, '11, 16:03
Location: Netherlands

Re: Kernel update for Spectre & Meltdown vulnerabilities

Postby dbg » Jan 12th, '18, 20:30

The blog also says: "we have decided to apply specific updates to the kernel and to Firefox, just to deal with the Spectre and Meltdown vulnerabilities." I see there was a kernel 4.4.110 in mga5 update/testing for a couple days but a regression was found. Now update/testing has 4.4.111 so hopefully it will move to the update repo soon.
dbg
 
Posts: 70
Joined: Mar 30th, '11, 22:28
Location: Grants Pass, Oregon

Re: Kernel update for Spectre & Meltdown vulnerabilities

Postby filip » Jan 14th, '18, 13:35

You can check on http://madb.mageia.org/tools/updates and QA mailing list.
filip
 
Posts: 474
Joined: May 4th, '11, 22:10
Location: Kranj, Slovenia

Re: Kernel update for Spectre & Meltdown vulnerabilities

Postby Micromet » Jan 14th, '18, 16:19

Kernel 4.4.111 duly arrived in my updates when I turned on PC an hour ago - so all good there.
Micromet
 
Posts: 50
Joined: Dec 6th, '14, 19:00

Re: Kernel update for Spectre & Meltdown vulnerabilities

Postby isadora » Jan 14th, '18, 17:22

When your inquiry is solved satisfactorily, would you mind marking the topic solved?
isadora
 
Posts: 2742
Joined: Mar 25th, '11, 16:03
Location: Netherlands

Re: Kernel update for Spectre & Meltdown vulnerabilities

Postby Micromet » Jan 14th, '18, 18:46

isadora wrote: When your inquiry is solved satisfactorily, would you mind marking the topic solved?


Is there a special way to do that?
Micromet
 
Posts: 50
Joined: Dec 6th, '14, 19:00

Re: Kernel update for Spectre & Meltdown vulnerabilities

Postby isadora » Jan 14th, '18, 19:20

You can do so by editing the title/subject of the first message in the topic.
Place [SOLVED] in front of subject/title.
isadora
 
Posts: 2742
Joined: Mar 25th, '11, 16:03
Location: Netherlands

Re: Kernel update for Spectre & Meltdown vulnerabilities

Postby Micromet » Jan 14th, '18, 19:33

isadora wrote: You can do so by editing the title/subject of the first message in the topic.
Place [SOLVED] in front of subject/title.


Thanks - will do
Micromet
 
Posts: 50
Joined: Dec 6th, '14, 19:00

Re: [SOLVED] Kernel update for Spectre & meltdown vulnerabil

Postby viking60 » Jan 18th, '18, 13:00

As far as I can see there is no patch for Meltdown or Spectre on Kernel 4.4.

The patch is provided with kernel 4.14.

False security is worse than no security.

To check you can download the spectre-meltdown-checker:
wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh

And run the script as root.

https://bjoernvold.com/forum/viewtopic. ... 545#p24544
Flexibility is good and inxi is good... install both!
viking60
 
Posts: 255
Joined: Mar 19th, '11, 22:26
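
Added example (not part of any post in this thread, and not code from Mageia or the spectre-meltdown-checker project): a small shell reader for the kernel's own per-CVE status files, covering the three CVEs named in the first post. It assumes the kernel exposes /sys/devices/system/cpu/vulnerabilities; kernels without that directory are reported as "unknown" and counted as unprotected rather than safe. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the running kernel's mitigation status for the
# three CVEs discussed in this thread, using the kernel's sysfs interface.

# classify_status TEXT -> vulnerable | mitigated | not_affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        Mitigation*)     echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# cpu_vuln_status [DIR] -> one line per CVE: "<CVE> <name> <class> <raw text>"
cpu_vuln_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for pair in "CVE-2017-5753:spectre_v1" \
                "CVE-2017-5715:spectre_v2" \
                "CVE-2017-5754:meltdown"; do
        cve="${pair%%:*}"
        name="${pair#*:}"
        if [ -r "$dir/$name" ]; then
            raw="$(head -n 1 "$dir/$name")"
        else
            # Kernels that do not expose the file give no answer at all.
            raw="no readable sysfs entry"
        fi
        echo "$cve $name $(classify_status "$raw") $raw"
    done
}

# count_unprotected [DIR] -> number of CVEs reported vulnerable or unknown.
# "unknown" is counted too: a missing answer must not be read as "safe".
count_unprotected() {
    cpu_vuln_status "$1" |
        awk '$3 == "vulnerable" || $3 == "unknown" { n++ } END { print n + 0 }'
}

# Report for the running kernel (or for a directory given as argument).
cpu_vuln_status "$@"
```
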

Re: [SOLVED] Kernel update for Spectre & meltdown vulnerabil

Postby Micromet » Jan 18th, '18, 13:34

viking60 wrote: As far as I can see there is no patch for Meltdown or Spectre on Kernel 4.4.

The patch is provided with kernel 4.14.



In fact kernel 4.4.111 is worse than my original 4.4.105. My system is now vulnerable to Spectre Variant 1 and 2 (before it was just Variant 1) - but not Meltdown. Why has the kernel 4.4 gone backwards in terms of security?
Mageia 6 ships with kernel 4.9 - which I presume, from your comment above, is not protected. As I usually upgrade my Mageia distro at the first update of the new one i.e. 5.1 and now 6.1 - I see no advantage at present with regards to security in upgrading to Mageia 6. Will kernel 4.14 be shipped out to Mageia 6 as a matter of urgency any time soon?
Micromet
 
Posts: 50
Joined: Dec 6th, '14, 19:00

Re: [SOLVED] Kernel update for Spectre & meltdown vulnerabil

Postby viking60 » Jan 18th, '18, 13:54

Spectre is not patched fully in any kernel and might haunt us for quite some time (my CentOS install seems to have fixed the most). Meltdown is easier to exploit so it is a good thing that it is fixed.
If it is patched in Kernel 4.4 (I did not think so) then it is fairly OK to keep this marked as solved.

I believe Kernel 4.14 was shipped yesterday.

In addition to the Kernel part you will definitely need to harden your browser against Spectre.

https://bjoernvold.com/forum/viewtopic.php?f=25&t=4468
viking60
 
Posts: 255
Joined: Mar 19th, '11, 22:26

