Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715 #2206
Updated info from http://news.softpedia.com/news/linux-kernels-4-14-11-4-9-74-4-4-109-3-16-52-and-3-2-97-patch-meltdown-flaw-519215.shtml it looks like we should take kernel 4.9.74 to mitigate CVE-2017-5754 (aka Meltdown).
Please, remember to backport to 1.0 LTS.
@niusmallnan Any way we could get this before or in place of 1.1.3? I'd like a straight security patch release.
Looks like the mitigation for Meltdown (CVE-2017-5754) will land in 4.9.75 upstream: https://www.spinics.net/lists/kernel/msg2688700.html
@ryansch The intent is to have this go out with ROS 1.1.3.
@aemneina Understood. Keep in mind that it increases the amount of new stuff I/we have to review alongside the security update before we can adopt the new version in production.
1.1.3 will only contain the kernel update. Sorry, I didn't make that clear. Shipping all the changes in the originally scoped 1.1.3 + CVE fix would have slowed down the release of this important fix.
Fantastic!
Please please please, backport to 1.0.x LTS
@niusmallnan Kernel 4.9.76 is now out and apparently has some more Meltdown and Spectre fixes http://news.softpedia.com/news/linux-kernels-4-14-13-4-9-76-and-4-4-111-bring-more-security-fixes-update-now-519321.shtml
Again, please backport kernel upgrade to RancherOS 1.0.x LTS. Thanks!
@mikemoate |
@niusmallnan Will you forget those users who put their confidence in the 1.0.x LTS version? Jumping to 1.1.x is a no-go due to Docker 1.10 being unsupported, so please tell us your plans about it, including the case in which there aren't any, so we can find alternatives. Thanks.
@albertdb The problem is this: #2056 Thank you.
BTW, 1.0.x was announced as a Long Term Support release and it was released less than a year ago.
@niusmallnan thanks and understood on the kernel versions, my mistake!
@albertdb If only for Docker 1.10 support, you can use any RancherOS version. We will ship v1.0.5; both Meltdown and Spectre (var. 2) fixes will be included. BTW, after v1.0.5, there will not be a new 1.0.x version.
Mitigations for CVE-2017-5753 (spectre_v1) are available in newer kernel releases. I think Kernel 4.9.81 (previous LTS) or Kernel 4.14.18 (current LTS) is needed. Note #2361 will also require a kernel update, to even later versions, so solving that will address this.
Test with our latest release v1.4.0-rc1:
Both Meltdown and Spectre have been addressed. It's a long journey.
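A defender-side check in the spirit of the test above, added here as an example and not code from the RancherOS project: it reads the kernel's own sysfs report for the three variants and compares `uname -r` with the minimum versions named in this thread (4.9.75 for Meltdown, 4.9.81 for spectre_v1). The sysfs path and the status strings are the ones the upstream kernel exposes; `VULN_DIR` and `threshold_ok` are this example's own names, and `VULN_DIR` can be pointed at a constructed directory for offline use.

```shell
# Added example, not RancherOS project code: read the kernel's own sysfs
# mitigation report and compare the running kernel with the minimum versions
# named in this thread (4.9.75 for Meltdown, 4.9.81 for spectre_v1).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"  # override to a constructed dir for offline use

# version_ge A B: succeed when dotted kernel version A is >= B.
# A distro suffix such as "-rancher" is stripped before comparing.
version_ge() {
    set -- "$(printf '%s' "$1" | sed 's/[^0-9.].*//')" \
           "$(printf '%s' "$2" | sed 's/[^0-9.].*//')"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# classify_status TEXT: map one sysfs vulnerabilities line to a verdict word.
# Upstream writes "Not affected", "Vulnerable[: detail]" or "Mitigation: detail".
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# threshold_ok KVER VARIANT: succeed when KVER meets the thread's minimum for VARIANT
# (no minimum was stated for spectre_v2, so it always passes here).
threshold_ok() {
    case "$2" in
        meltdown)   version_ge "$1" 4.9.75 ;;
        spectre_v1) version_ge "$1" 4.9.81 ;;
    esac
}

# report: one line per variant from sysfs (absent on kernels that predate the fixes).
report() {
    kver=$(uname -r)
    for v in meltdown spectre_v1 spectre_v2; do
        [ -r "$VULN_DIR/$v" ] && status=$(cat "$VULN_DIR/$v") || status="no sysfs entry"
        threshold_ok "$kver" "$v" && vt="meets" || vt="is below"
        echo "$v: $(classify_status "$status") ($status); kernel $kver $vt the thread's minimum"
    done
}
report
```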
https://googleprojectzero.blogspot.hk/2018/01/reading-privileged-memory-with-side.html
So far, there are three known variants of the issue: