Spectre mitigation updates available for testing in Ubuntu Proposed
Dustin Kirkland
on 17 January 2018
Tags: cloud, Security, Server, Ubuntu Desktop
Canonical holds Ubuntu to the highest standards of security and quality. This week we published candidate Ubuntu kernels providing mitigation for CVE-2017-5715 and CVE-2017-5753 (i.e., Spectre / Variants 1 & 2) to their respective -proposed pockets for Ubuntu 17.10 (Artful), 16.04 LTS (Xenial), and 14.04 LTS (Trusty). We have also expanded mitigation to cover s390x and ppc64el.
- https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html
- https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html
You are invited to test and provide feedback on the following updated Linux kernels. We have also rebased all derivative kernels, such as the public cloud kernels (Amazon, Google, Microsoft, etc.) and the Hardware Enablement (HWE) kernels.
- 17.10 (Artful): linux-4.13.0-30.33
- 16.04 LTS (Xenial): linux-4.4.0-111.134
- 14.04 LTS (Trusty): linux-3.13.0-140.189
- 17.04 is end-of-life and won’t be patched for either Meltdown or Spectre
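To confirm that a test host actually booted one of the candidate kernels listed above, the following added example (not Canonical's code) compares the contents of `/proc/version_signature` against those versions. The function names are hypothetical, the sample signatures are constructed, and it assumes `generic` and `lowlatency` are the flavours built from the main kernel package; cloud and HWE kernels are versioned separately and are reported as `unknown` rather than guessed.

```sh
#!/bin/sh
# Added example: candidate versions copied from the list above (main kernel only).
min_for_series() {
    case "$1" in
        artful) echo "4.13.0-30.33" ;;
        xenial) echo "4.4.0-111.134" ;;
        trusty) echo "3.13.0-140.189" ;;
        *) return 1 ;;   # e.g. 17.04 (zesty): end-of-life, no candidate kernel
    esac
}

# classify SERIES SIGNATURE -> prints candidate-or-newer | older | unknown
# SIGNATURE is the content of /proc/version_signature,
# e.g. "Ubuntu 4.4.0-111.134-generic 4.4.98".
classify() {
    series=$1; sig=$2
    min=$(min_for_series "$series") || { echo unknown; return 0; }
    set -- $sig                       # split into: Ubuntu, version-flavour, upstream
    [ "$1" = "Ubuntu" ] && [ -n "$2" ] || { echo unknown; return 0; }
    base=${2%%-*}; rest=${2#*-}       # 4.4.0 / 111.134-generic
    build=${rest%%-*}; flavour=${rest#*-}
    # Assumption: only generic/lowlatency come from the main kernel package.
    # Cloud flavours (aws, azure, gke, ...) use their own numbering.
    case "$flavour" in generic|lowlatency) ;; *) echo unknown; return 0 ;; esac
    # HWE kernels have a different base version and a "~" suffix: do not compare.
    [ "$base" = "${min%%-*}" ] || { echo unknown; return 0; }
    case "$build" in
        *[!0-9.]*|.*|*.|*.*.*) echo unknown; return 0 ;;
        *.*) ;;
        *) echo unknown; return 0 ;;
    esac
    abi=${build%%.*}; upload=${build#*.}
    min_build=${min#*-}; min_abi=${min_build%%.*}; min_upload=${min_build#*.}
    if [ "$abi" -gt "$min_abi" ] ||
       { [ "$abi" -eq "$min_abi" ] && [ "$upload" -ge "$min_upload" ]; }; then
        echo candidate-or-newer
    else
        echo older
    fi
}

# Constructed sample signatures; on a real host use:
#   classify "$(lsb_release -cs)" "$(cat /proc/version_signature)"
classify xenial "Ubuntu 4.4.0-111.134-generic 4.4.98"
classify xenial "Ubuntu 4.4.0-109.132-generic 4.4.98"
classify xenial "Ubuntu 4.4.0-1049.58-aws 4.4.98"
```

A `candidate-or-newer` result only confirms the kernel side; the microcode update discussed below is checked separately.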
Updates for Ubuntu 12.04 ESM are in progress, and will be available for Canonical’s Ubuntu Advantage customers. UA customers should reach out to Canonical support for access to candidate kernels.
We intend to promote the candidate kernels to the -security/-updates pocket for General Availability (GA) on Monday, January 22, 2018.
There is a corresponding intel-microcode update for many Intel CPUs, as well as an eventual amd64-microcode update, that will also need to be applied in order to fully mitigate Spectre. In the interest of full disclosure, we understand from Intel that there are currently known issues with the intel-microcode binary:
Canonical QA and Hardware Certification teams are engaged in extensive automated and manual testing of these kernels and the Intel microcode kernel updates on Ubuntu certified hardware and Ubuntu certified public clouds. The primary focus is on regression testing and security effectiveness. We are actively investigating Google’s “Retpoline” toolchain-based approach, which requires rebuilding Ubuntu binaries but reduces the performance impact of the mitigation.
For your reference, the following links explain how to enable Ubuntu’s Proposed repositories, and how to file Linux kernel bugs:
- https://wiki.sne.bianheman.eu.org/Testing/EnableProposed
- https://wiki.sne.bianheman.eu.org/Kernel/Bugs
The most current information will continue to be available at:
@Canonical