Meltdown + Spectre patches?

8 posts / 0 new
Last post
#1 Thu, 2018-01-04 22:20
iceshaft07
  • iceshaft07's picture
  • Offline
  • Last seen: 3 months 2 weeks ago
  • Joined: 2018-01-04

I wanted to know if there are patches required for MeltdDown / Spectre for Alpine Linux? How can I get them?

http://money.cnn.com/2018/01/04/technology/spectre-meltdown-cpu-flaws-explainer/index.html

Fri, 2018-01-05 21:56
cddm
  • cddm's picture
  • Offline
  • Last seen: 3 months 2 weeks ago
  • Joined: 2018-01-05
Mon, 2018-01-08 10:18
cddm
  • cddm's picture
  • Offline
  • Last seen: 3 months 2 weeks ago
  • Joined: 2018-01-05

update: Meltdown should be fixed in linux-vanilla 4.9.75 (https://pkgs.alpinelinux.org/package/edge/main/x86_64/linux-vanilla)

Mon, 2018-01-08 18:14
iceshaft07
  • iceshaft07's picture
  • Offline
  • Last seen: 3 months 2 weeks ago
  • Joined: 2018-01-04

Ok.

So my docker container would look something like this?

FROM alpine:3.7
RUN apk add linux-vanilla

Thanks!

Mon, 2018-01-08 23:06
streamnsight
  • streamnsight's picture
  • Offline
  • Last seen: 3 months 2 weeks ago
  • Joined: 2018-01-08

Docker runs on top of the host, which kernels' needs to be patched. Docker doesn't run a kernel itself.

So, technically your Docker image is not vulnerable, it's the host that is.
If you run Docker on Ubuntu, you need to patch the Ubuntu host, not the Alpine image. If you run on CoreOS, CentOS etc... same thing: patch the host!

Sun, 2018-01-14 00:08
templar
  • templar's picture
  • Offline
  • Last seen: 1 day 6 hours ago
  • Joined: 2018-01-13

Is this true that there will be no hardened kernel?

Mon, 2018-01-15 21:17 (Reply to #6)
Head_on_a_Stick
  • Head_on_a_Stick's picture
  • Offline
  • Last seen: 1 week 3 days ago
  • Joined: 2016-05-01

@templar: Alpine has decided to remove the linux-hardened version and has also switched the "vanilla" type to track the non-LTS upstream version so as to gain the full protection of the KPTI patch.

See this mailing list post for details:

http://lists.alpinelinux.org/alpine-devel/6022.html

The new linux-vanilla version uses most of the recommendations given by the Kernel Self Protection Project[1] and so is relatively "hardened" compared to most other distribution's kernels.

[1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

Tue, 2018-01-16 02:46
templar
  • templar's picture
  • Offline
  • Last seen: 1 day 6 hours ago
  • Joined: 2018-01-13

Thank you Head_on_a_Stick, I will have to subscribe to that list too to get recent news. Something like that could be also here too (posted already).

Log in or register to post comments