Web lists-archives.com

Re: comment and new question--when do upgrades take effect (side question)




Sorry for the hijack, but has this also to do with this newly enabled default kernel options?

grep STACKPROTECTOR /boot/config-3.16.0-5-amd64
CONFIG_HAVE_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_NONE is not set
CONFIG_CC_STACKPROTECTOR_REGULAR=y
# CONFIG_CC_STACKPROTECTOR_STRONG is not set

because dkms now fails and so my geoip support in iptables is now broken, as the module is missing.

BR, Spacerat

Am 29.01.2018 um 15:15 schrieb Andy Smith:
Hi,

On Mon, Jan 29, 2018 at 08:18:35AM -0500, rhkramer@xxxxxxxxx wrote:
iiuc, the fixes for Spectre and Meltdown have been "backported"
(probably not the right word) to Wheezy (which is my "everyday"
machine).  If I'm wrong about that, somebody can let me know.
The confusion here is that "Spectre and Meltdown" comprise multiple
different (but related) vulnerabilities.

The dangerous effects of Meltdown are avoided in Linux by use of the
KPTI feature which is now in Debian's supported kernels.

Fixing one of the Spectre vulnerabilities requires new CPU
microcode, possibly a new BIOS, new kernel features and kernel to be
compiled with an as-yet unreleased version of GCC. For this you
would currently need to get a few things from sid and build your own
kernel. The risk/reward calculation for these actions requires some
thought because a suitable kernel update is likely to appear soon.

As for the other known Spectre vulnerability: no one has much of an
idea how to avoid yet, but probably will in the near future.

There are likely to be further vulnerabilities in this class that
are as-yet unknown at least to the public. There are also likely to
be new mitigations developed that get around known problems in less
expensive ways. So expect a lot more kernel updates in our near
future.

Cheers,
Andy