Is Ubuntu Linux protected against the Meltdown and Spectre security flaws?

Colin Watson cjwatson at ubuntu.com
Thu Mar 1 18:18:28 UTC 2018


On Fri, Mar 02, 2018 at 01:54:50AM +0800, Bret Busby wrote:
> On 19/02/2018, Colin Watson <cjwatson at ubuntu.com> wrote:
> > On Mon, Feb 19, 2018 at 08:11:05PM +0800, Turritopsis Dohrnii Teo En Ming
> > wrote:
> >> What are the patches that I can download and install to be protected
> >> against the Meltdown and Spectre security vulnerabilities?
> >
> > https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
> > has details on this.
> 
> From the wording on that web page, relating to the updates released on
> 21 February, is it correct that the three (S1, S2 and Meltdown) problems
> are now fixed, and that the threat is now overcome?

As far as the kernel goes, I think that's at least somewhere in the
general area of being correct, but updated microcode is necessary to
defend against Spectre variant 2 attacks without recompiling all of
userspace (which will likely happen over time at least for sensitive
targets, but won't happen quickly).  As that web page says, "No
microcode updates are currently available for AMD or Intel, which means
Spectre v2 is still unmitigated out of the box on Ubuntu on x86 CPUs for
userspace."

These are not simple attacks where one can reasonably and confidently
say that the work is complete, in any case: they're essentially a whole
class of vulnerabilities.  Expect more updates as time goes on, both to
extend the existing mitigations and to improve the performance of what
we have.

> I had the impression that one or more of the three problems required
> new CPU hardware microcode, to fix the problem,

  https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ#Retpoline

> and that, apart from keeping the operating system updated, as security
> updates became available, we need to wait for a new generation of
> CPUs - at least six months in the future, to get the three problems
> fixed beyond mitigations (as partial fixes) as they become available.

That seems like a reasonable summary.

-- 
Colin Watson                                       [cjwatson at ubuntu.com]
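
Added example, not part of the original message or of Ubuntu's own tooling: a way to read what the running kernel reports for the three issues discussed above, and to see whether the Spectre v2 line lists IBPB, a feature that depends on updated microcode. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities and the status-string formats used by mainline kernels; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: summarise the kernel's own mitigation report from sysfs.
# Assumption: the kernel provides this directory (mainline 4.15+ and backports).
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status line to a coarse state.
classify() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;   # file missing or unrecognised text
    esac
}

# Spectre v2 only: succeed if the kernel reports IBPB in use.
# Newer kernels print "IBPB: disabled" when the feature is off.
has_ibpb() {
    case "$1" in
        *"IBPB: disabled"*) return 1 ;;
        *IBPB*)             return 0 ;;
        *)                  return 1 ;;
    esac
}

# Print one summary line per issue for the given directory.
report() {
    dir=${1:-$VULN_DIR}
    for name in meltdown spectre_v1 spectre_v2; do
        status=""
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
        fi
        state=$(classify "$status")
        extra=""
        if [ "$name" = spectre_v2 ] && [ "$state" = mitigated ]; then
            if has_ibpb "$status"; then extra=" ibpb=yes"; else extra=" ibpb=no"; fi
        fi
        echo "$name: $state$extra"
    done
}

report "$@"
```

A result of `spectre_v2: mitigated ibpb=no` corresponds to the situation described in the message: the kernel has its own mitigation, but the microcode-dependent feature is not reported.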



