fixing Linux Mint 18.3 for Meltdown and Spectre

[wpshooter]

Are there any steps that a Linux Mint 18.3 OS user needs to take to mitigate
Meltdown and Spectre threats other than applying the latest available BIOS
update for their computer (in my case DELL bios A17 - June 2017) and also applying all available
kernel updates for the default Linux kernel version for 18.3 ?

Thanks.

[ClixTrix]

I'm keeping an eye on the Kernel development issues for this among other needs. The only current kernels are "Mainstream" and not available using Update Manager. I believe they have a fix for Meltdown, but not Spectre (yet). Last I looked at kernel.org, the patch was on 4.14.11 and 4.15-rc. It will take awhile to trickle down to the older kernels, but I expect it will get applied to current-LTS Ubuntu kernels first.

I would check periodically for kernel updates for 4.10 and 4.13. Update Manager should post them as a Security Update as well as the available kernel list.

When I last checked at Ubuntu, no changes yet.

[Sir Charles]

The only current kernels are "Mainstream" and not available using Update Manager. I believe they have a fix for Meltdown, but not Spectre (yet). Last I looked at kernel.org. The patch was on 4.14.11 and 4.15-rc. It will take awhile to trickle down to the older kernels, but I expect it will get applied to current-LTS Ubuntu kernels first.

Do you think it is a good idea to run 4.14.11 while waiting for the patches to come for the kernels in the Update Manager?
regards

[ClixTrix]

I "had" a plan to adopt 4.14 because of Turbo support added for my Ryzen in that kernel. It's still getting heavily patched since release, so haven't used it yet. To install mainstream kernels, you can install the ukuu utility in Software Manager. That gives you a list of all kernels available from Ubuntu. Use that utility to install and remove the mainstream kernels from Ubuntu's repository.

If you decide to install and test 4.14.11 or newer, be sure to post any bug issues at kernel.org bugzilla.

[Pjotr]

Firefox 57.0.4 contains a (partial) fix for this:
https://www.mozilla.org/en-US/firefox/5 ... ox-browser

For the kernel: I advise to wait a few days. All supported kernel series will probably be patched this weekend.

[wpshooter]

I'm keeping an eye on the Kernel development issues for this among other needs. The only current kernels are "Mainstream" and not available using Update Manager. I believe they have a fix for Meltdown, but not Spectre (yet). Last I looked at kernel.org, the patch was on 4.14.11 and 4.15-rc. It will take awhile to trickle down to the older kernels, but I expect it will get applied to current-LTS Ubuntu kernels first.

I would check periodically for kernel updates for 4.10 and 4.13. Update Manager should post them as a Security Update as well as the available kernel list.

When I last checked at Ubuntu, no changes yet.

Thanks for your reply.

If I am reading this correct, the kernel version for my 18.3 installation is 4.4.0-104-generic x86_64.
Is that older or newer than the 4.10 and 4.13 you refer to ?
If older, do I need to change to newer version or just wait ?
Thanks.

[Sir Charles]

Firefox 57.0.4 contains a (partial) fix for this:
https://www.mozilla.org/en-US/firefox/5 ... ox-browser

For the kernel: I advise to wait a few days. All supported kernel series will probably be patched this weekend.

Yes, you are right. There is probably no need to panic since I don't think I run the risk of an imminent attack.
Thanks for the tips on Firefox, I'll have look at it.
Do you know if there will be a fix for Chromium as well?

[Sir Charles]

If you decide to install and test 4.14.11 or newer, be sure to post any bug issues at kernel.org bugzilla.

Actually I have 4.14.11 installed, but since I realized that it is not supported through Update Manager yet, I rolled back to 4.13.0-21 which is the most recent supported version. Anyhow, during the short while I was running 4.14.11 I didn't notice any problem and it seemed to work fine. Maybe I would give it a shot from time to time and if I run to any bugs I will surely post that.

[wpshooter]

Am I correct that these security issues do NOT apply to 32 bit systems ?

Thanks.

[ClixTrix]

If you decide to install and test 4.14.11 or newer, be sure to post any bug issues at kernel.org bugzilla.

Actually I have 4.14.11 installed, but since I realized that it is not supported through Update Manager yet, I rolled back to 4.13.0-21 which is the most recent supported version. Anyhow, during the short while I was running 4.14.11 I didn't notice any problem and it seemed to work fine. Maybe I would give it a shot from time to time and if I run to any bugs I will surely post that.

Yeah, was thinking of trying 4.14.11 or 12. Just busy since the holidays. Thanks for the tip.

[ClixTrix]

Am I correct that these security issues do NOT apply to 32 bit systems ? Thanks.

Problem exists on all Intel processors back to Pentium Pro (1995).

[wpshooter]

Am I correct that these security issues do NOT apply to 32 bit systems ? Thanks.

Problem exists on all Intel processors back to Pentium Pro (1995).

Some of the articles I have been reading regarding these problems "SEEMS" to indication
that it may be only on 64 bit processors, in one article it refers to "MODERN" processors but
is not really specific.

Thanks.

[Sir Charles]

If I am reading this correct, the kernel version for my 18.3 installation is 4.4.0-104-generic x86_64.
Is that older or newer than the 4.10 and 4.13 you refer to ?
If older, do I need to change to newer version or just wait ?

If I am not mistaken, 18.3 comes with 4.10.38 as its default kernel. You can always install more recent kernel version through Update Manager > View > Linux kernels, without the older ones being removed from your system. The most recent supported version in the Update Manger is 4.13.0-21. I am not in a position to advise you for or against kernel upgrades, since it involves extensive modification of your system. Currently I am running 4.13.0-21 and up until now it seems to run fine on my rather low spec machine. It seems even to be running slightly more smoothly or at least that's my impression.

[ClixTrix]

I've seen the older pre-2000 processors mentioned in a number of articles. I think this article targets the exact cause and why.

https://arstechnica.com/gadgets/2018/01 ... s-patches/

Speculative execution is the problem and it was introduced back with the Pentium Pro in 1995....just as other articles have suggested, that's pre-x64.

[Sir Charles]

Very good, informative article, thanks for posting the link!

[ClixTrix]

For those running Chromium/Chrome, this feature helps against Spectre.

https://support.google.com/chrome/answer/7623121

Found it here:

http://fortune.com/2018/01/05/spectre-s ... -explorer/

[Pepi]

Firefox 57.0.4 contains a (partial) fix for this:
https://www.mozilla.org/en-US/firefox/5 ... ox-browser

For the kernel: I advise to wait a few days. All supported kernel series will probably be patched this weekend.

Wonder why this hasn't been released to us yet? I know I can get it but I like doing everything via Update Manger

[Sir Charles]

For those running Chromium/Chrome, this feature helps against Spectre.
https://support.google.com/chrome/answer/7623121
Found it here:
http://fortune.com/2018/01/05/spectre-s ... -explorer/

Do you think script blocker extensions can be of any help to some extent?

[ClixTrix]

Do you think script blocker extensions can be of any help to some extent?

Since the discussed vulnerability is via JavaScript, I suppose. However, most websites use JavaScript. I'd at least give the feature a chance, as Google was part of the team that discovered Spectre and Meltdown.

I've turned-on the "Strict-Site-Isolation" on my Chromium for now to see if that experimental feature has any problems.

[Sir Charles]

I've turned-on the "Strict-Site-Isolation" on my Chromium for now to see if that experimental feature has any problems.

I have done the same. We just have to wait and see what comes next.

"Chrome's JavaScript engine, V8, will include mitigations starting with Chrome 64, which will be released on or around January 23rd 2018. Future Chrome releases will include additional mitigations and hardening measures which will further reduce the impact of this class of attack. Additionally, the SharedArrayBuffer feature is being disabled by default. The mitigations may incur a performance penalty." (source: https://www.chromium.org/Home/chromium-security/ssca)