[ubuntu-hardened] 16.04 LTS (i386/x86): the lack of kernel hardening patches and config options? (Meltdown and Spectre attacks).

daniel curtis sidetripping at gmail.com
Wed Feb 28 15:08:49 UTC 2018


Hello.

What a shame! I wrote that using the journalctl(1) command I can check
microcode updates etc., but I'm wrong, right? All this kernel microcode
information (about CPU0/1, sig and so on) is not something that will
tell me if a microcode package is installed.

I think that if I install 'intel-microcode' (it's valid in my case), the
microcode messages gathered e.g. via dmesg(1) will be significantly
different from those mentioned in my previous message. So it will
probably look this way:

[~]$ sudo dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x12, date = 2017-11-20
[    0.000000] Intel Spectre v2 broken microcode detected; disabling Speculation Control
[    0.326377] microcode: sig=0x00000, pf=1x2, revision=0x34
[    0.326507] microcode: Microcode Update Driver: v2.2.

Note: I've changed the 'sig=' and 'revision=' values. As we can see, there
is some information about "Spectre_V2" mitigations etc. But it's just an
example of how everything will look after 'intel-microcode' package
installation. So the 'journalctl -k | grep microcode' command result (see
my previous message) is not sufficient without the 'intel-microcode'
package, right?

I'm sorry for my naive and pretty stupid questions.

Thanks, best regards.
_________________

By the way: where is the best place to write about an application
(available in 16.04 LTS) that is missing a few CVE security fixes
(CVE-2017-*)? (Mostly it's about heap-based buffer overflow, out-of-bounds
read, stack-based buffer over-read etc.) I'm asking because this
application has been updated with security patches even in 14.04 LTS, the
Bionic version is also corrected etc. Should it be the Maintainer, or is
this mailing list okay?
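The microcode check the message asks about, as an added example that is not part of the original post: it parses kernel lines of the shape quoted above (a constructed sample with placeholder sig/revision values) and shows why those lines alone do not settle whether the intel-microcode package is installed; only the "updated early" line proves an initramfs blob was applied, and its absence can also mean the firmware already ships that revision. The dpkg-query field name is the one dpkg itself provides.

```shell
#!/bin/sh
# Added example (not from the original post). Parses kernel microcode lines
# of the shape quoted above and combines them with the package state.
# Only the "updated early" line proves a blob from the initramfs was applied;
# its absence can also mean the firmware already ships that revision, so the
# dmesg/journalctl lines alone do not settle whether intel-microcode is installed.

# Constructed sample; sig= and revision= values are placeholders, as in the post.
SAMPLE_DMESG='[    0.000000] microcode: microcode updated early to revision 0x12, date = 2017-11-20
[    0.000000] Intel Spectre v2 broken microcode detected; disabling Speculation Control
[    0.326377] microcode: sig=0x00000, pf=1x2, revision=0x34
[    0.326507] microcode: Microcode Update Driver: v2.2.'

# "early <rev>" if the kernel applied a microcode update during early boot,
# "driver-only" if the loader initialised but applied nothing.
early_update() {
    rev=$(printf '%s\n' "$1" | sed -n 's/.*microcode updated early to revision \(0x[0-9a-fA-F]*\).*/\1/p')
    if [ -n "$rev" ]; then echo "early $rev"; else echo "driver-only"; fi
}

# Revision the CPU reports once the microcode driver is up.
running_revision() {
    printf '%s\n' "$1" | sed -n 's/.*microcode: sig=.*revision=\(0x[0-9a-fA-F]*\).*/\1/p' | tail -n 1
}

# Exit 0 if the kernel blacklisted the loaded microcode for Spectre v2, i.e.
# Speculation Control stays disabled even though a revision was loaded.
spectre_v2_blacklisted() {
    printf '%s\n' "$1" | grep -q 'Spectre v2 broken microcode detected'
}

# $2 is the dpkg status of intel-microcode ("installed" or anything else).
verdict() {
    state=$(early_update "$1")
    case "$state:$2" in
        early*:installed)      echo "package installed and its microcode applied at boot" ;;
        early*:*)              echo "early update applied, but not from the intel-microcode package" ;;
        driver-only:installed) echo "package installed, nothing newer than the firmware revision to apply" ;;
        *)                     echo "no package and no early update: running on firmware microcode" ;;
    esac
}

# Demo on the constructed sample; on a real host use
#   verdict "$(dmesg | grep -i microcode)" "$(dpkg-query -W -f='${db:Status-Status}' intel-microcode)"
verdict "$SAMPLE_DMESG" installed
spectre_v2_blacklisted "$SAMPLE_DMESG" && echo "note: kernel disabled Speculation Control for this microcode"
```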
