[ubuntu-hardened] 16.04 LTS (i386/x86): the lack of kernel hardening patches and config options? (Meltdown and Spectre attacks).

daniel curtis sidetripping at gmail.com
Mon Mar 12 19:29:16 UTC 2018


Hello Seth.

I'm so sorry for such a long time without an answer, but I'm still busy
etc. Yes, I know that the 'intel-microcode' package published on 22
January 2018 does not have any mitigations for Meltdown or
Spectre_v12. So, I will wait for a proper package and updates.

If it's about a package which is missing some security fixes: it's
GIMP. In "Trusty" the available version is '2.8.10-0ubuntu1.2'
(please see [1]). "Bionic" has version '2.8.20-1.1' (please see [2]).
Both contain security fixes for a couple of CVE-2017-* issues.
However, the GIMP version in "Xenial" is 2.8.16-1ubuntu1.1 and does not
contain any updates from 2017. (The last one is from Thu, 30 Jun
2016; please see [3].)

Updates with fixes for CVEs (Seth, please compare the changes in 1. and
2. with 3.) were released on Thu, 18 Jan 2018 for "Trusty" and Tue,
26 Dec 2017 for "Bionic". In "Xenial", the last security update is
from 2016 (a fix for CVE-2016-4994) and there is no later security
update! GIMP is in the "Universe/Security" section. Here is a list of
CVEs which are not fixed in "Xenial", but only in "Trusty" and
"Bionic":

CVE-2017-17786
CVE-2017-17789
CVE-2017-17784
CVE-2017-17787
CVE-2017-17785
CVE-2017-17788

Quite a lot. Seth, what do you think about this? Why are these CVEs not
fixed in the GIMP version from the "Xenial" release? And what should be
done in such a case: write an email to the developer or create a bug
report, for example, on Launchpad? Maybe I'm wrong and everything is
okay and the code related to the above CVE numbers is not present in
the "Xenial" GIMP version?

Seth, can You take care of it?

Thanks, best regards.
__________________
1. http://changelogs.ubuntu.com/changelogs/pool/main/g/gimp/gimp_2.8.10-0ubuntu1.2/changelog
2. http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.20-2/changelog
3. http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.16-1ubuntu1.1/changelog
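The comparison the mail asks for (which CVE ids the Trusty and Bionic changelogs reference that the Xenial changelog does not) can be automated against text in Debian changelog format. Added example, not part of the original mail; the changelog excerpts below are constructed samples in that format, not the real changelogs behind links 1-3, and the maintainer address is a placeholder.

```python
"""Diff the CVE identifiers referenced in Debian/Ubuntu changelogs across releases."""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed changelog excerpts in Debian changelog format. They are NOT the
# real gimp changelogs from changelogs.ubuntu.com, only samples for this demo.
CHANGELOGS = {
    "trusty": """gimp (2.8.10-0ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: CVE-2017-17786
  * SECURITY UPDATE: CVE-2017-17789

 -- Maintainer <maintainer@example.com>  Thu, 18 Jan 2018 10:00:00 +0000
""",
    "bionic": """gimp (2.8.20-1.1) unstable; urgency=medium

  * Fix CVE-2017-17784, CVE-2017-17785, CVE-2017-17787, CVE-2017-17788

 -- Maintainer <maintainer@example.com>  Tue, 26 Dec 2017 10:00:00 +0000
""",
    "xenial": """gimp (2.8.16-1ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: CVE-2016-4994

 -- Maintainer <maintainer@example.com>  Thu, 30 Jun 2016 10:00:00 +0000
""",
}


def cves_in_changelog(text):
    """Return the set of CVE ids mentioned anywhere in one changelog text."""
    return set(CVE_RE.findall(text))


def missing_cves(changelogs, target, references):
    """CVE ids referenced by any of `references` but absent from `target`, sorted."""
    fixed_elsewhere = set().union(
        *(cves_in_changelog(changelogs[r]) for r in references)
    )
    return sorted(fixed_elsewhere - cves_in_changelog(changelogs[target]))


if __name__ == "__main__":
    for cve in missing_cves(CHANGELOGS, "xenial", ["trusty", "bionic"]):
        print("not referenced in the xenial changelog:", cve)
```

A CVE absent from a changelog is only a candidate: the affected code may not exist in that version, or the fix may have landed under another entry, so each hit still needs checking against the Ubuntu CVE tracker before filing a bug.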
