How to fix vulnerabilities related to Spectre and Meltdown bugs in Ubuntu?

Solution 1

Updates are available now!

  • 2017 Nov 09: the Ubuntu Security team is notified by Intel under NDA
  • 2018 Jan 03: issue becomes public a few days before the CRD
  • 2018 Jan 09: Ubuntu kernel updates available (for patching Meltdown) for Ubuntu 16.04 LTS, Ubuntu 17.10, Ubuntu 14.04 LTS (HWE) and Ubuntu 14.04 LTS.
  • 2018 Jan 10: Cloud images are available (for patching Meltdown) from http://cloud-images.ubuntu.com:
  • <TBD>: Core image updates

Source: Ubuntu Wiki & blog post

Solution 2

Does this mean that the fix for such bug is not available for Ubuntu?

The fix is not available in the Ubuntu repos yet. You can check this page to see the status. The page is updated by the Ubuntu security team; it covers both vulnerabilities and contains links to the various CVEs.

Solution 3

As previously stated, as of now (January 4, 2018) there are no official fixes available for Ubuntu. What you can do, though, is update your kernel to the latest release manually. Keep in mind that updating the kernel will only fix Meltdown, since there's no known fix for Spectre yet. The latest stable kernel is 4.14.11; you can download the compiled files from the Kernel PPA here: http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.14.11/

If your system is 32-bit you'll want these files:

linux-headers-4.14.11-041411_4.14.11-041411.201801022143_all.deb
linux-headers-4.14.11-041411-generic_4.14.11-041411.201801022143_i386.deb
linux-image-4.14.11-041411-generic_4.14.11-041411.201801022143_i386.deb

If your system is 64-bit you'll want these files:

linux-headers-4.14.11-041411_4.14.11-041411.201801022143_all.deb
linux-headers-4.14.11-041411-generic_4.14.11-041411.201801022143_amd64.deb
linux-image-4.14.11-041411-generic_4.14.11-041411.201801022143_amd64.deb

Just download the three files for your system, put them in a folder, run sudo dpkg -i *.deb in that folder, then reboot your PC.

Another thing you could consider (which is what I do) is using a rolling-release distro. Antergos (https://antergos.com/) is great because it lets you use pretty much any desktop environment with no setup (except for Unity), and it's Arch Linux based.
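A post-reboot check to go with the manual kernel upgrade above. This is an added example, not part of the original answer: it compares the running kernel version against the 4.14.11 threshold the answer names, reads the kernel's own Meltdown report from sysfs, and looks for the pti flag in /proc/cpuinfo. The sysfs vulnerabilities entries and the pti cpuinfo flag are real kernel interfaces (they arrived with the page-table-isolation work and were backported into distribution kernels); the function names and the sample inputs used in testing are this example's own.

```shell
#!/bin/sh
# Added example (not from the original answer): verify that the kernel
# booted after "dpkg -i *.deb" actually carries the Meltdown mitigation.
# Assumptions: the 4.14.11 threshold comes from the answer above; the
# sysfs file and the "pti" flag are standard Linux interfaces but are
# absent on kernels that predate the mitigation work.

# version_ge A B: print "yes" if dotted kernel version A >= B, else "no".
# Package suffixes such as "-041411-generic" are stripped before comparing,
# and missing components are treated as 0 (so "4.15" > "4.14.11").
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*$/, "", a); sub(/[^0-9.].*$/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = x[i] + 0; yi = y[i] + 0
            if (xi > yi) { print "yes"; exit }
            if (xi < yi) { print "no";  exit }
        }
        print "yes"
    }'
}

# meltdown_status FILE: classify the kernel's own report. On a live
# system FILE is /sys/devices/system/cpu/vulnerabilities/meltdown;
# if it is missing, the kernel is too old to report at all ("unknown"),
# which is itself a sign the upgrade did not take effect.
meltdown_status() {
    [ -r "$1" ] || { echo unknown; return; }
    case "$(cat "$1")" in
        "Not affected"*|"Mitigation:"*) echo mitigated ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# pti_active CPUINFO: "yes" if any flags line advertises "pti", the
# flag the kernel sets when page-table isolation (KPTI) is in force.
pti_active() {
    if grep -qE '^flags[[:space:]]*:.*[[:space:]]pti([[:space:]]|$)' "$1"; then
        echo yes
    else
        echo no
    fi
}

# When run directly on a Linux machine, report on the live system.
if [ -r /proc/cpuinfo ]; then
    running=$(uname -r)
    echo "running kernel      : $running"
    echo "at or above 4.14.11 : $(version_ge "$running" 4.14.11)"
    echo "meltdown (sysfs)    : $(meltdown_status /sys/devices/system/cpu/vulnerabilities/meltdown)"
    echo "pti flag (cpuinfo)  : $(pti_active /proc/cpuinfo)"
fi
```

Read all three lines together: a kernel at or above 4.14.11 whose sysfs report says "Mitigation: PTI" and whose cpuinfo shows pti is the state the answer is aiming for; a new version string with no sysfs entry usually means the old kernel was booted again (check the GRUB entry), and "Not affected" is what an AMD CPU reports for Meltdown regardless of kernel.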

Author: Margaret

Updated on September 18, 2022

Comments

  • Margaret, almost 2 years ago

    I just learned about Meltdown and Spectre bugs. I read that:

    There are patches against Meltdown for Linux (KPTI (formerly KAISER)), Windows, and OS X.

    Following the link in the quote I get to an article which is too obscure for me to understand. Still, it says:

    The resulting patch set (still called "KAISER") is in its third revision and seems likely to find its way upstream in a relatively short period of time.

    Following again the link in the above quote I get to a page, updated on the 10th of November 2017, where I read the following:

    KAISER makes it harder to defeat KASLR, but makes syscalls and interrupts slower. These patches are based on work from a team at Graz University of Technology posted here[1]. The major addition is support for Intel PCIDs which builds on top of Andy Lutomirski's PCID work merged for 4.14. PCIDs make KAISER's overhead very reasonable for a wide variety of use cases.

    The above page also links to the code of the fix (?), here, where I can also see kernel 4.14.

    From this I conclude that the fix is available only for kernels 4.14 (and above?). However, all currently supported versions of Ubuntu use a lower kernel.

    The latest Ubuntu (17.10) uses kernel 4.13. The latest LTS Ubuntu (16.04) uses 4.4.

    Does this mean that the fix for such bug is not available for Ubuntu? It seems that Ubuntu 18.04 will be based on kernel 4.15, but this is still not released.

    Notice also that the fix seems to refer only to Meltdown and not to Spectre. This would mean that there is currently no fix for such bug anywhere.

    • user4556274, over 6 years ago
      Ubuntu supports LTS releases for 5 years, so Ubuntu 16.04 should be actively maintained and patched through April, 2021.
    • user4556274, over 6 years ago
      Ubuntu's CVE list indicates that this fix is in critical "needs triage" stage for all supported releases. This page should indicate when the fix is available for each of the six supported versions, which may or may not be simultaneous. Upgrading to 17.10 would provide no advantage at this time wrt this issue. If you want the fix faster than any official update, you'd need to patch and recompile your own kernel. Mixing a hand-rolled kernel on top of a standard distro comes with its own potential challenges.
    • Margaret, over 6 years ago
      @user4556274 Thanks. Which one is it exactly?
    • user4556274, over 6 years ago
      CVE-2017-5753.