[ubuntu-hardened] 16.04 LTS (i386/x86): the lack of a kernel hardening patches and config options? (Meltdown and Spectre attacks).
Seth Arnold
seth.arnold at canonical.com
Thu Mar 1 06:41:43 UTC 2018
On Wed, Feb 28, 2018 at 03:08:49PM +0000, daniel curtis wrote:
> So, 'journalctl -k | grep
> microcode' command result (see my previous message) is not sufficient
> without 'intel-microcode' package, right?

Hello Daniel,

Note that the intel-microcode package that we published on 22 January 2018
reverted to Intel's version 20170707, after consulting with Intel. This
version of the microcode does not have any mitigations for Meltdown or
Spectre v1 or Spectre v2.

At this point we're waiting on our partners for more information.
This issue won't go away quickly.

> By the way: where is the best place to write about an application
> (available in 16.04 LTS) that is missing a few CVE security fixes:
> CVE-2017-*? (Mostly, it's about Heap-based buffer overflow, Out of
> bounds read, Stack-based buffer over-read etc.) I'm asking, because
> this application has been updated with security patches even in 14.04
> LTS, Bionic version is also corrected etc. Should it be a Maintainer
> or this mailing list is okay?

This mail list, or IRC (#ubuntu-hardened on irc.freenode.net), both
work. Which package and CVEs are you curious about?

Note that packages in universe are community supported. The answer might
be as simple as "because no one has given us fixes yet".

Thanks