Meltdown + Spectre patches?

#1 Thu, 2018-01-04 22:20
iceshaft07

I wanted to know if there are patches required for Meltdown / Spectre for Alpine Linux? How can I get them?

http://money.cnn.com/2018/01/04/technology/spectre-meltdown-cpu-flaws-explainer/index.html

Fri, 2018-01-05 21:56
cddm
Mon, 2018-01-08 10:18
cddm

Update: Meltdown should be fixed in linux-vanilla 4.9.75 (https://pkgs.alpinelinux.org/package/edge/main/x86_64/linux-vanilla)

Mon, 2018-01-08 18:14
iceshaft07

Ok.

So my docker container would look something like this?

FROM alpine:3.7
RUN apk add linux-vanilla

Thanks!

Mon, 2018-01-08 23:06
streamnsight

Docker runs on top of the host, whose kernel needs to be patched. Docker doesn't run a kernel itself.

So, technically your Docker image is not vulnerable, it's the host that is.
If you run Docker on Ubuntu, you need to patch the Ubuntu host, not the Alpine image. If you run on CoreOS, CentOS, etc., same thing: patch the host!
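
Because a container reads the host kernel's state, the check below (an added example, not code from any poster) reads the kernel's own mitigation report from /sys/devices/system/cpu/vulnerabilities; run inside an Alpine container it reports on the host kernel, not on the image. It assumes a kernel new enough to expose that directory, and the sample values it builds for a dry run are constructed.

```shell
#!/bin/sh
# Added example: read the kernel's Meltdown/Spectre mitigation report.
# Containers share the host kernel, so these files show the same content
# inside a container as on the host. Assumes the kernel exposes
# /sys/devices/system/cpu/vulnerabilities (4.15+ and the stable backports).

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print one "name: status" line per vulnerability file in directory $1.
report_mitigations() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Return 0 if no file in $1 starts with "Vulnerable", 1 otherwise.
# "Not affected" and "Mitigation: ..." both count as acceptable.
all_mitigated() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of what an unpatched host kernel might report, so the
# functions can be exercised without a real /sys. File names follow the
# real interface; the contents are illustrative.
make_sample() {
    d=$(mktemp -d)
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    printf '%s\n' "$d"
}

if [ -d "$VULN_DIR" ]; then
    report_mitigations "$VULN_DIR"
    all_mitigated "$VULN_DIR" && echo "host kernel reports mitigations" \
        || echo "host kernel still reports Vulnerable entries: patch the host"
else
    echo "no $VULN_DIR: kernel predates the report interface" >&2
fi
```

Running the same script with docker run on an alpine image and directly on the host gives identical output, which is the point of the reply above.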

Sun, 2018-01-14 00:08
templar

Is this true that there will be no hardened kernel?

Mon, 2018-01-15 21:17 (Reply to #6)
Head_on_a_Stick

@templar: Alpine has decided to remove the linux-hardened version and has also switched the "vanilla" type to track the non-LTS upstream version so as to gain the full protection of the KPTI patch.

See this mailing list post for details:

http://lists.alpinelinux.org/alpine-devel/6022.html

The new linux-vanilla version uses most of the recommendations given by the Kernel Self Protection Project[1] and so is relatively "hardened" compared to most other distributions' kernels.

[1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

Tue, 2018-01-16 02:46
templar

Thank you Head_on_a_Stick, I will have to subscribe to that list too to get recent news. Something like that could also be here too (posted already).
