Meltdown and Spectre

Support for security such as Firewalls and securing linux
bobykus
Posts: 1
Joined: 2018/01/04 08:12:48

Meltdown and Spectre

Post by bobykus » 2018/01/04 08:16:07

RH announced a fix in new kernel kernel-2.6.32-696.18.7.el6.x86_64.rpm

https://access.redhat.com/errata/RHSA-2018:0008

However it is still unavailable in CentOS repo, right?

Package kernel-2.6.32-696.16.1.el6.x86_64 already installed and latest version

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Meltdown and Spectre

Post by TrevorH » 2018/01/04 08:35:49

Patches for this were released late last night by Red Hat for RHEL. CentOS has to rebuild those from source (and debrand them) and then test the resulting packages to make sure they function. I would expect a release sooner rather than later.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

mace07
Posts: 1
Joined: 2018/01/04 20:16:46

Re: Meltdown and Spectre

Post by mace07 » 2018/01/04 20:21:06

I'm a little confused - I'm running CentOS 6 and my kernel version is 2.6.32-042stab120.16. But all the references to the Meltdown kernel fix say the new kernel version is kernel-2.6.32-696. I guess I must be using an old kernel, but how do I update to make sure my kernel is protected? Yum says no packages marked for update.

Thanks

rorysavage77
Posts: 1
Joined: 2018/01/04 20:48:26

Re: Meltdown and Spectre

Post by rorysavage77 » 2018/01/04 20:50:43

What is the typical turnaround time for CentOS to release updates for a critical vulnerability like this?

shreyas0509
Posts: 1
Joined: 2018/01/04 23:11:45

Re: Meltdown and Spectre

Post by shreyas0509 » 2018/01/04 23:14:17

Where can I track the release of these patches? Where will it be announced?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Meltdown and Spectre

Post by TrevorH » 2018/01/04 23:31:36

Patches for CentOS 7 were released and pushed to the mirror network at around 11:00 UTC today.

Patches for CentOS 6 were released and pushed to the mirror network at around 21:00 UTC today.

Turnaround for these patches was about average I'd guess. The CentOS 7 updates were built overnight and then pushed in the morning. CentOS 6 updates came out from RH slightly later and were in the queue to be built after the el7 ones.

mace07: I'm afraid that is not a CentOS system and you need to talk to your hoster about any update for that. The "stab" string in the kernel version number shows that it's an openvz container and not a real system at all.

For CentOS 6 the updated packages (so far) for this are kernel, libvirt, qemu-kvm and microcode_ctl.

rickyng
Posts: 1
Joined: 2018/01/05 19:10:23

Re: Meltdown and Spectre

Post by rickyng » 2018/01/05 19:11:31

After running "yum update" and rebooting, how do we verify if the patch was applied?

r31ellis
Posts: 1
Joined: 2018/01/03 18:35:07

Re: Meltdown and Spectre

Post by r31ellis » 2018/01/05 21:33:45

What if you need to remain on a specific release? Will installing the security packages only satisfy the advisory notice?

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: Meltdown and Spectre

Post by tunk » 2018/01/05 21:41:17

The following command shows the current running kernel: uname -a
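
One way to script the check asked about above, as an added example that is not from any poster in this thread: it compares the running kernel release against the fixed EL6 build named in the first post and flags OpenVZ "stab" kernels. The names FIXED_EL6 and classify_kernel, and the use of sort -V for the comparison, are choices made for this example.

```bash
#!/bin/sh
# Fixed EL6 kernel build named in the first post (RHSA-2018:0008).
FIXED_EL6="2.6.32-696.18.7.el6"

# classify_kernel RELEASE  (hypothetical helper for this example)
# Prints one of:
#   openvz    - "stab" kernel: an OpenVZ container, the hoster updates the kernel
#   not-el6   - not an EL6 kernel; this thread gives no fixed version for it
#   patched   - release is at or above the fixed build
#   unpatched - release is older than the fixed build
# This is a version comparison only; it does not probe the CPU or the mitigations.
classify_kernel() {
    rel="$1"
    case "$rel" in
        *stab*)
            echo "openvz" ;;
        *.el6*)
            # Drop the architecture suffix (.x86_64) so both strings end in .el6
            ver="${rel%%.el6*}.el6"
            # sort -V orders version strings; if the fixed build sorts first
            # (or the two are equal) the given release is at least as new.
            lowest=$(printf '%s\n%s\n' "$FIXED_EL6" "$ver" | sort -V | head -n 1)
            if [ "$lowest" = "$FIXED_EL6" ]; then
                echo "patched"
            else
                echo "unpatched"
            fi ;;
        *)
            echo "not-el6" ;;
    esac
}

# Check the kernel that is actually running, not just the newest one installed:
# a box that was updated but not rebooted still runs the old kernel.
running=$(uname -r)
echo "running kernel: $running -> $(classify_kernel "$running")"

# Installed versions of the CentOS 6 packages listed in the thread.
if command -v rpm >/dev/null 2>&1; then
    rpm -q kernel libvirt qemu-kvm microcode_ctl || true
fi
```
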

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Meltdown and Spectre

Post by TrevorH » 2018/01/06 04:36:10

> What if you need to remain on a specific release? Will installing the security packages only satisfy the advisory notice?

CentOS doesn't allow you to do that. Once a new point release comes out, the previous one is deprecated and receives no more updates. The update _is_ the new release. There is also no security metadata in the CentOS yum repos so you cannot use yum-plugin-security.
