Peterborough Linux User Group (Canada) Forum

Linux & Android => Security and Privacy => Topic started by: Jason on January 10, 2018, 12:47:43 PM

Title: Ubuntu updates released for Spectre and Meltdown CPU bugs
Post by: Jason on January 10, 2018, 12:47:43 PM
In my screenshot below, it shows my Linux Mint 18.3 desktop with 3 pending updates. Click on it for a full-sized version. The top two are regarding the recent flaws revealed in processors with speculative processing and fix them, and it also looks like they might have code to handle the AMD issue, judging by the release notes.

Still, these are serious patches. The urgency is marked as low for them probably because there haven't been any vulnerabilities in the wild (yet), though the CVE rates this issue as Medium. But the bigger thing here is that the impact is 4. Note that the numbers used beside updates in LM aren't the priority; they're the impact on the system as a whole. And because these are kernel-related updates, things could break.

Apply them one at a time as recommended in the legend and do an image beforehand. I assume this means to apply an update and then reboot and use your computer enough to make sure it works before applying another update. With level 4 updates, I tend to just install one each day until they're all done. Timeshift, which comes with Linux Mint 18.3, is great for backing up an image, btw. But you could use Clonezilla if you prefer.

These updates are upstream from Ubuntu so other Ubuntu-derived distros should have them now, too.

This is one of the features I like about Linux Mint. Any other distro, you might apply all these patches together and not prepare an image backup beforehand and end up with an unbootable system. The impact level warns you of this.

Title: Re: Ubuntu updates released for Spectre and Meltdown CPU bugs
Post by: buster on January 11, 2018, 11:31:55 AM
Checked my up-to-date openSUSE system. The kernel is a 4.4 variant! Just a wee bit behind. And it is the default. And auto updates (with notification) is set to on.

Just read - This is a long term kernel (or whatever), same as used in Mint, and it appears to be up to date.

Title: Re: Ubuntu updates released for Spectre and Meltdown CPU bugs
Post by: Jason on January 11, 2018, 05:34:36 PM
Yeah, it is. I forgot I updated my kernel a while back in LM to 4.13 series. I don't recall why :D But there are also updates for 4.4 kernel series.

You don't want to have auto-update on for at least the next little while unless it's just a VM (then you can do a snapshot before you apply them to roll back). You should apply these updates carefully and not carte-blanche unless you really just like living life dangerously.

I noticed now I have an update for microcode today but it's rated as impact 2.

Title: Re: Ubuntu updates released for Spectre and Meltdown CPU bugs
Post by: Jason on January 11, 2018, 05:36:21 PM
If you want the latest greatest openSUSE system, you have to use the Tumbleweed version instead of Leap. It's rolling release like Arch is.

Title: Re: Ubuntu updates released for Spectre and Meltdown CPU bugs
Post by: Jason on January 11, 2018, 09:31:55 PM
Just noticed this Security Notice blog post (https://blog.linuxmint.com/?p=3496) on the Linux Mint site. Meltdown and Spectre are already forcing updates to several programs and the blog post talks about them. Expect lots more in the future. It also has some good advice at the bottom of the post which I'll share here:

Quote:

General Advice

Locally, you should backup your personal data and set up daily system snapshots (timeshift is recommended for that).

Apply security updates as they become available on all your devices.

Review any sensitive information stored online.

Stay away from 3rd party applications, proprietary in particular and do not visit websites you don’t trust on devices which haven’t been patched.

Consider securing access to your important data (your email account in particular) with 2 factor authentication.