16.04 LTS (i386/x86): the lack of kernel hardening patches and config options? (Meltdown and Spectre attacks).


daniel curtis
Hello Seth.

I'm so sorry for such a long time without an answer, but I'm still busy
etc. Yes, I know that the 'intel-microcode' package published on 22
January 2018 does not have any mitigations for Meltdown or
Spectre_v12. So, I will wait for a proper package and updates.

If it's about a package which is missing some security fixes: it's
GIMP. In "Trusty" the available version is '2.8.10-0ubuntu1.2'
(please see [1]). "Bionic" has version '2.8.20-1.1' (please see [2]).
Both contain security fixes for a couple of CVE-2017-* issues.
However, the GIMP version in "Xenial" is 2.8.16-1ubuntu1.1 and does not
contain any updates from 2017 (the last one is from Thu, 30 Jun
2016; please see [3]).

Updates with fixes for CVEs (Seth, please compare the changes in 1. and
2. with 3.) were released on Thu, 18 Jan 2018 for "Trusty" and on Tue,
26 Dec 2017 for "Bionic". In "Xenial", the last security update is
from 2016 (fixing CVE-2016-4994) and there has been no further security
update! GIMP is in the "Universe/Security" section. Here is a list of
the CVEs whose fixes are not available in "Xenial", but only in "Trusty"
and "Bionic":

CVE-2017-17786
CVE-2017-17789
CVE-2017-17784
CVE-2017-17787
CVE-2017-17785
CVE-2017-17788

Quite a lot. Seth, what do you think about this? Why are these CVEs not
addressed in the GIMP version from the "Xenial" release? And what should
be done in such a case: write an email to the developer or create a bug
report, for example on Launchpad? Maybe I'm wrong and everything is
okay, and the code related to the above CVE numbers is not present in
the "Xenial" GIMP version?

Seth, can You take care of it?

Thanks, best regards.
__________________
1. http://changelogs.ubuntu.com/changelogs/pool/main/g/gimp/gimp_2.8.10-0ubuntu1.2/changelog
2. http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.20-2/changelog
3. http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.16-1ubuntu1.1/changelog

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
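As an added example (not code from the thread, from Ubuntu or from GIMP), a small checker for the kind of gap Daniel describes above: it parses Debian-format changelogs and reports the CVE ids that a reference release's changelog names but the target release's does not. The changelog texts are constructed samples that reuse only the versions, dates and CVE ids quoted in the message; they are not the real files linked at [1], [2] and [3].

```python
import re
from typing import Dict, Set, Tuple

# A Debian changelog is a list of stanzas, newest first. Each opens with
# "<source> (<version>) <distribution>; urgency=<level>" and closes with a
# " -- Maintainer <email>  <date>" trailer (two spaces before the date).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
STANZA_RE = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+);", re.MULTILINE)
TRAILER_RE = re.compile(r"^ -- .*?>  (.+)$", re.MULTILINE)


def latest_entry(changelog: str) -> Tuple[str, str, str]:
    """Version, target suite and date of the newest (first) stanza."""
    header, trailer = STANZA_RE.search(changelog), TRAILER_RE.search(changelog)
    if header is None or trailer is None:
        raise ValueError("not a Debian changelog")
    return header.group(2), header.group(3), trailer.group(1).strip()


def cves_fixed(changelog: str) -> Set[str]:
    """Every CVE id mentioned anywhere in the changelog."""
    return set(CVE_RE.findall(changelog))


def cves_missing_from(target: str, references: Dict[str, str]) -> Set[str]:
    """CVE ids named in any reference changelog but absent from the target's."""
    fixed_elsewhere = set().union(*(cves_fixed(t) for t in references.values()))
    return fixed_elsewhere - cves_fixed(target)


# Constructed sample changelogs, not the real Ubuntu files: the versions, dates
# and CVE ids are the ones quoted in the thread, the entry text is made up.
TRUSTY = """gimp (2.8.10-0ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: constructed sample entry
    - CVE-2017-17784, CVE-2017-17785, CVE-2017-17786
    - CVE-2017-17787, CVE-2017-17788, CVE-2017-17789

 -- Sample Maintainer <sample@example.invalid>  Thu, 18 Jan 2018 10:00:00 +0000
"""
XENIAL = """gimp (2.8.16-1ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: constructed sample entry
    - CVE-2016-4994

 -- Sample Maintainer <sample@example.invalid>  Thu, 30 Jun 2016 09:00:00 +0000
"""

if __name__ == "__main__":
    print("xenial latest:", latest_entry(XENIAL))
    for cve in sorted(cves_missing_from(XENIAL, {"trusty": TRUSTY})):
        print("missing in xenial:", cve)
```

On a real system the same functions can be fed the output of `apt-get changelog gimp` for each release, so the comparison does not depend on reading the changelog pages by hand.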

Re: 16.04 LTS (i386/x86): the lack of kernel hardening patches and config options? (Meltdown and Spectre attacks).

Seth Arnold
On Mon, Mar 12, 2018 at 07:29:16PM +0000, daniel curtis wrote:
> I'm so sorry for such a long time without an answer, but I'm still busy
> etc. Yes, I know that the 'intel-microcode' package published on 22
> January 2018 does not have any mitigations for Meltdown or
> Spectre_v12. So, I will wait for a proper package and updates.

Hello Daniel, good news, we have new intel-microcode packages from Intel:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

If feedback from users shows no problems we'll probably release this
Monday.

> Quite a lot. Seth, what do you think about this? Why are these CVEs not
> addressed in the GIMP version from the "Xenial" release? And what should
> be done in such a case: write an email to the developer or create a bug

The gimp package is in main in 14.04 LTS but in universe in 16.04 LTS
and newer. Because gimp is in universe it is community supported. No
one in the community has provided us with debdiffs for gimp for Xenial
and newer, so it remains unfixed. If you have the time and inclination to
provide fixes for it, you can find some guidance on:

https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Thanks
