Basics of Spectre and Meltdown Video
-
@stacksofplates said in Basics of Spectre and Meltdown Video:
Kind of concerning that Fedora hasn't patched Spectre Variant 1 yet but CentOS and RHEL have.
hmm interesting if it is true. Kind shows that I am right with all my Centos Love and Fedora hate (i just hate it for servers).
Same goes with debian :thumbs_up: and , especially the ppl that use Ubuntu as KVM server :thumbs_down: .
-
@emad-r said in Basics of Spectre and Meltdown Video:
@stacksofplates said in Basics of Spectre and Meltdown Video:
Kind of concerning that Fedora hasn't patched Spectre Variant 1 yet but CentOS and RHEL have.
hmm interesting if it is true. Kind shows that I am right with all my Centos Love and Fedora hate (i just hate it for servers).
But it was handled long ago, wasn't it? What was missed?
https://fedoramagazine.org/kpti-new-kernel-feature-mitigate-meltdown/
-
@scottalanmiller said in Basics of Spectre and Meltdown Video:
@emad-r said in Basics of Spectre and Meltdown Video:
@stacksofplates said in Basics of Spectre and Meltdown Video:
Kind of concerning that Fedora hasn't patched Spectre Variant 1 yet but CentOS and RHEL have.
hmm interesting if it is true. Kind shows that I am right with all my Centos Love and Fedora hate (i just hate it for servers).
But it was handled long ago, wasn't it? What was missed?
https://fedoramagazine.org/kpti-new-kernel-feature-mitigate-meltdown/
That’s only for meltdown.
-
@tim_g said in Basics of Spectre and Meltdown Video:
@stacksofplates said in Basics of Spectre and Meltdown Video:
Kind of concerning that Fedora hasn't patched Spectre Variant 1 yet but CentOS and RHEL have.
https://mangolassi.it/post/369202 doesn't cover It? I thought it was in the kernel updates?
Not spectre. Only meltdown.
-
Both the Red Hat checker and another checker written by someone else show CentOS as patched against variant 1 and Fedora as not for either.
CentOS 7.4:
Fedora 27:
-
The Red Hat one shows vulnerable for Meltdown but it lets you know it may give you wrong information if it's not RHEL or CentOS.
-
Spectre is still all theoretical at this point from what I understand, much harder to mitigate and exploit than Meltdown.
Anyways:
Fedora - Fixed in FEDORA-2018-8ed5eff2c0 (Fedora 26) and FEDORA-2018-22d5fa8a90 (Fedora 27).
Update - Wed 10 Jan 2018, 08:00 UTC Fedora has pushed to testing new microcode_ctl packages for F26 and F27. They contain the update to upstream 2.1-15.20180108 and include fix for Spectre. -
@emad-r said in Basics of Spectre and Meltdown Video:
especially the ppl that use Ubuntu as KVM server .
https://www.qemu.org/2018/01/04/spectre/
https://marc.info/?l=kvm&m=151543506500957&w=2 -
@tim_g said in Basics of Spectre and Meltdown Video:
Spectre is still all theoretical at this point from what I understand, much harder to mitigate and exploit than Meltdown.
Anyways:
Fedora - Fixed in FEDORA-2018-8ed5eff2c0 (Fedora 26) and FEDORA-2018-22d5fa8a90 (Fedora 27).
Update - Wed 10 Jan 2018, 08:00 UTC Fedora has pushed to testing new microcode_ctl packages for F26 and F27. They contain the update to upstream 2.1-15.20180108 and include fix for Spectre.ok? It doesn't matter how difficult it is to leverage. The point was RHEL/CentOS had a fix out in 24 hours. Fedora still doesn't have a fix a week and a half later.
-
@stacksofplates said in Basics of Spectre and Meltdown Video:
@tim_g said in Basics of Spectre and Meltdown Video:
Spectre is still all theoretical at this point from what I understand, much harder to mitigate and exploit than Meltdown.
Anyways:
Fedora - Fixed in FEDORA-2018-8ed5eff2c0 (Fedora 26) and FEDORA-2018-22d5fa8a90 (Fedora 27).
Update - Wed 10 Jan 2018, 08:00 UTC Fedora has pushed to testing new microcode_ctl packages for F26 and F27. They contain the update to upstream 2.1-15.20180108 and include fix for Spectre.ok? It doesn't matter how difficult it is to leverage. The point was RHEL/CentOS had a fix out in 24 hours. Fedora still doesn't have a fix a week and a half later.
Is CentOS is missing the Meltdown microcode fix? (according to your above screenshot)
-
@tim_g said in Basics of Spectre and Meltdown Video:
@stacksofplates said in Basics of Spectre and Meltdown Video:
@tim_g said in Basics of Spectre and Meltdown Video:
Spectre is still all theoretical at this point from what I understand, much harder to mitigate and exploit than Meltdown.
Anyways:
Fedora - Fixed in FEDORA-2018-8ed5eff2c0 (Fedora 26) and FEDORA-2018-22d5fa8a90 (Fedora 27).
Update - Wed 10 Jan 2018, 08:00 UTC Fedora has pushed to testing new microcode_ctl packages for F26 and F27. They contain the update to upstream 2.1-15.20180108 and include fix for Spectre.ok? It doesn't matter how difficult it is to leverage. The point was RHEL/CentOS had a fix out in 24 hours. Fedora still doesn't have a fix a week and a half later.
But CentOS is missing the Meltdown microcode fix? (according to your above screenshot)
No. Top two images are CentOS. They show variants 1 and 3 are mitigated. The second two images are Fedora. Both show vulnerable for variants 1 and 2. The fourth image is the RHEL check and shows vulnerable for Meltdown but I'm assuming that's because it's a RHEL specific check and it's a kernel the check isn't expecting.
The first and third image are the non-RHEL created checks. The second and fourth are made by RHEL.
-
@stacksofplates said in Basics of Spectre and Meltdown Video:
@tim_g said in Basics of Spectre and Meltdown Video:
@stacksofplates said in Basics of Spectre and Meltdown Video:
@tim_g said in Basics of Spectre and Meltdown Video:
Spectre is still all theoretical at this point from what I understand, much harder to mitigate and exploit than Meltdown.
Anyways:
Fedora - Fixed in FEDORA-2018-8ed5eff2c0 (Fedora 26) and FEDORA-2018-22d5fa8a90 (Fedora 27).
Update - Wed 10 Jan 2018, 08:00 UTC Fedora has pushed to testing new microcode_ctl packages for F26 and F27. They contain the update to upstream 2.1-15.20180108 and include fix for Spectre.ok? It doesn't matter how difficult it is to leverage. The point was RHEL/CentOS had a fix out in 24 hours. Fedora still doesn't have a fix a week and a half later.
But CentOS is missing the Meltdown microcode fix? (according to your above screenshot)
No. Top two images are CentOS. They show variants 1 and 3 are mitigated. The second two images are Fedora. Both show vulnerable for variants 1 and 2. The second image is the RHEL check and shows vulnerable for Meltdown but I'm assuming that's because it's a RHEL specific check and it's a kernel the check isn't expecting.
The first and third image are the non-RHEL created checks. The second and fourth are made by RHEL.
Ahh I see.
-
And so we wait on Fedora...
https://docs.ovh.com/fr/dedicated/meltdown-spectre-kernel-update-per-operating-system/
-
@tim_g said in Basics of Spectre and Meltdown Video:
@stacksofplates said in Basics of Spectre and Meltdown Video:
@tim_g said in Basics of Spectre and Meltdown Video:
@stacksofplates said in Basics of Spectre and Meltdown Video:
@tim_g said in Basics of Spectre and Meltdown Video:
Spectre is still all theoretical at this point from what I understand, much harder to mitigate and exploit than Meltdown.
Anyways:
Fedora - Fixed in FEDORA-2018-8ed5eff2c0 (Fedora 26) and FEDORA-2018-22d5fa8a90 (Fedora 27).
Update - Wed 10 Jan 2018, 08:00 UTC Fedora has pushed to testing new microcode_ctl packages for F26 and F27. They contain the update to upstream 2.1-15.20180108 and include fix for Spectre.ok? It doesn't matter how difficult it is to leverage. The point was RHEL/CentOS had a fix out in 24 hours. Fedora still doesn't have a fix a week and a half later.
But CentOS is missing the Meltdown microcode fix? (according to your above screenshot)
No. Top two images are CentOS. They show variants 1 and 3 are mitigated. The second two images are Fedora. Both show vulnerable for variants 1 and 2. The second image is the RHEL check and shows vulnerable for Meltdown but I'm assuming that's because it's a RHEL specific check and it's a kernel the check isn't expecting.
The first and third image are the non-RHEL created checks. The second and fourth are made by RHEL.
Ahh I see.
Ya that's just an assumption I'm making about the RHEL check because the other shows it's patched. And I had to edit the script and comment out the function that checks if it's anything other than RHEL/CentOS.
-
I'm not too terribly worried about this. I get the concern, and when patches come out, they will definitely get applied. But until there's some remotely exploitable POC stuff out there, it's not going to be too damaging before then, IMO.
-
@dafyre said in Basics of Spectre and Meltdown Video:
I'm not too terribly worried about this. I get the concern, and when patches come out, they will definitely get applied. But until there's some remotely exploitable POC stuff out there, it's not going to be too damaging before then, IMO.
And especially not if you are on your own servers (not shared) or not on Intel, etc. Lots of people affected, a lot of people not so much.
-
@scottalanmiller said in Basics of Spectre and Meltdown Video:
or not on Intel,
Spectre is everyone. So my point still stands here.