16.04 LTS (i386/x86): the lack of a kernel hardening patches and config options? (Meltdown and Spectre attacks).



daniel curtis
Hello.

What a shame! I wrote that using the journalctl(1) command I can check
microcode updates etc., but I'm wrong, right? All this
"kernel: microcode" information about CPU0/1, sig and so on is not
something that will tell me whether a microcode package is installed.

I think that if I install 'intel-microcode' (it's valid in my
case), the microcode information gathered e.g. via dmesg(1) will be
significantly different from that mentioned in my previous message.
So it will probably look this way:

[~]$ sudo dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x12, date = 2017-11-20
[    0.000000] Intel Spectre v2 broken microcode detected; disabling Speculation Control
[    0.326377] microcode: sig=0x00000, pf=1x2, revision=0x34
[    0.326507] microcode: Microcode Update Driver: v2.2.

Note: I've changed the 'sig=' and 'revision=' values. As we can see, there
is some information about "Spectre_V2" mitigations etc. But it's
just an example of how everything will look after
'intel-microcode' package installation. So, the 'journalctl -k | grep
microcode' command result (see my previous message) is not sufficient
without the 'intel-microcode' package, right?

I'm sorry for my naive and pretty stupid questions.

Thanks, best regards.
_________________

By the way: where is the best place to write about an application
(available in 16.04 LTS) that is missing a few CVE security fixes:
CVE-2017-*? (Mostly it's about heap-based buffer overflow, out-of-bounds
read, stack-based buffer over-read etc.) I'm asking because
this application has been updated with security patches even in 14.04
LTS, the Bionic version is also corrected etc. Should it be the Maintainer,
or is this mailing list okay?

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
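The check Daniel is describing, written out as a small POSIX shell script. This is an added example, not code from the original post or from Ubuntu: the two functions parse the same kinds of kernel log lines quoted above (the early-update revision line and the "Spectre v2 broken microcode" warning), and the sample log text below is constructed for illustration, with a made-up revision value.

```shell
#!/bin/sh
# Added example (not from the original post). Parses kernel log text for
# microcode state so the result does not depend on eyeballing dmesg output.

# Print the revision the kernel reports in its "microcode updated early"
# line (e.g. 0x12), reading kernel log text on stdin. Prints nothing if the
# kernel never loaded a microcode update early in boot.
microcode_revision() {
    sed -n 's/.*microcode: microcode updated early to revision \(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Exit 0 if the kernel flagged the loaded microcode as broken for Spectre v2
# (the kernel then refuses to use the IBRS/IBPB speculation controls), else 1.
broken_spectre_v2_microcode() {
    grep -q 'Spectre v2 broken microcode detected'
}

# One-line summary combining both checks; reads kernel log text on stdin.
microcode_summary() {
    log=$(cat)
    rev=$(printf '%s\n' "$log" | microcode_revision)
    if printf '%s\n' "$log" | broken_spectre_v2_microcode; then
        state=broken
    else
        state=ok
    fi
    printf 'revision=%s spectre_v2_microcode=%s\n' "${rev:-none}" "$state"
}

# Constructed sample in the format of the dmesg lines quoted in the post
# (revision value is invented, as in the post).
SAMPLE_DMESG='[    0.000000] microcode: microcode updated early to revision 0x12, date = 2017-11-20
[    0.000000] Intel Spectre v2 broken microcode detected; disabling Speculation Control
[    0.326377] microcode: sig=0x00000, pf=1x2, revision=0x12
[    0.326507] microcode: Microcode Update Driver: v2.2.'

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_DMESG" | microcode_summary
```

On a live system feed the real log instead: `sudo dmesg | microcode_summary` or `journalctl -k | microcode_summary`. The revision line only tells you which microcode the kernel loaded, not which package provided it; compare it with `dpkg -l intel-microcode` and with the `microcode` field in `/proc/cpuinfo`. Kernels that carry the Meltdown/Spectre work also publish their own verdict under `/sys/devices/system/cpu/vulnerabilities/` (`grep . /sys/devices/system/cpu/vulnerabilities/*`), which is the authoritative check once your kernel has it.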

Re: 16.04 LTS (i386/x86): the lack of a kernel hardening patches and config options? (Meltdown and Spectre attacks).

Seth Arnold
On Wed, Feb 28, 2018 at 03:08:49PM +0000, daniel curtis wrote:
> So, 'journalctl -k | grep
> microcode' command result (see my previous message) is not sufficient
> without 'intel-microcode' package, right?

Hello Daniel,

Note that the intel-microcode package that we published on 22 January 2018
reverted to Intel's version 20170707, after consulting with Intel. This
version of the microcode does not have any mitigations for Meltdown or
Spectre v1 or Spectre v2.

At this point we're waiting on our partners for more information.

This issue won't go away quickly.

> By the way: where is the best place to write about an application
> (available in 16.04 LTS) that is missing a few CVE security fixes:
> CVE-2017-*? (Mostly, it's about Heap-based buffer overflow, Out of
> bounds read, Stack-based buffer over-read etc.) I'm asking, because
> this application has been updated with security patches even in 14.04
> LTS, Bionic version is also corrected etc. Should it be a Maintainer
> or this mailing list is okay?

This mailing list or IRC (#ubuntu-hardened on irc.freenode.net) both
work. Which package and CVEs are you curious about?

Note that packages in universe are community supported. The answer might
be as simple as "because no one has given us fixes yet".

Thanks
