Community Forum

Responses (10)
  • Accepted Answer

    Friday, February 23 2018, 10:09 PM - #Permalink
    Resolved
    0 votes
    In case you have not been watching the IT news over the past couple of months, this Intel thing just goes on and on. As was covered by Wired Magazine, it has been a total train wreck.

    What we have done so far is to follow Red Hat; when they released their original fix, we followed suit. They subsequently withdrew their patch as it was causing issues with stability. If you had crashes and reboots during that timeframe, my apologies. Now, it seems, Intel is ready to push some new firmware. This will only benefit the security of recent processors...what a joke.

    In the meantime, keep your systems buttoned up. And cross your fingers or whatever else you can do to give yourself peace over this situation that is, largely, still unresolved.

    As this affects kernel space, you will likely need to reboot after this patch in order to determine whether it affects your system positively or negatively. Feel free to post your experiences, especially if you are using virtualization on ClearOS.
  • Accepted Answer

    Friday, January 26 2018, 09:16 PM - #Permalink
    Resolved
    0 votes
    Please don't run "yum update" with "--enablerepo=*". You can bring in all sorts of rubbish - if it even works. I had to pull some tricks with my repos to make the command work at all and I only ever do it like that when searching for packages.

    What is the output of:
    rpm -q kernel
    uname -r
    If you can see kernel-3.10.0-693.11.6.v7.x86_64 listed from the first command and the version does not appear in the second command, please reboot for the latest kernel to take effect.
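An added example, not part of the original post: the `rpm -q kernel` / `uname -r` comparison above as a script that separates the three situations seen in this thread (patched kernel running, patched kernel installed but not booted, update not received). The function names `ver_ge` and `kernel_state` are hypothetical, and GNU `sort -V` is assumed for version ordering.

```shell
#!/bin/sh
# Added example. The patched version is the one named in the post above.
FIXED=3.10.0-693.11.6.v7.x86_64

# ver_ge A B: succeed when version A sorts at or after version B.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# kernel_state INSTALLED RUNNING [WANTED]
#   INSTALLED: output of `rpm -q kernel` (one kernel-<version> per line)
#   RUNNING:   output of `uname -r`
#   WANTED:    minimum acceptable version, defaults to $FIXED
kernel_state() {
    wanted=${3:-$FIXED}
    # Highest installed version, with the "kernel-" package prefix removed.
    newest=$(printf '%s\n' "$1" | sed -n 's/^kernel-//p' | sort -V | tail -n 1)
    if ver_ge "$2" "$wanted"; then
        echo "ok: running $2"
    elif [ -n "$newest" ] && ver_ge "$newest" "$wanted"; then
        echo "reboot: $newest is installed but $2 is still running"
    else
        echo "missing: newest installed kernel is ${newest:-unknown}; update not received"
    fi
}

# On a real system run the script with --live to query rpm and uname.
if [ "${1:-}" = "--live" ]; then
    kernel_state "$(rpm -q kernel)" "$(uname -r)"
fi
```

A `missing` result means the package has not reached the enabled repositories yet, so rebooting will not help.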
  • Accepted Answer

    DirkCassin
    Friday, January 26 2018, 03:56 AM - #Permalink
    Resolved
    0 votes
    I am on ClearOS 7.4.0 Final and kernel 3.10.0-514.26.2.v7.x86_64. yum update did not give me a new kernel. Even yum update --enablerepo=* does not give me a newer kernel than this.

    Here are the repos that I have:

    -rw-r--r-- 1 root root 892 Dec 15 11:08 centos-sclo-scl-rh-unverified.repo
    -rw-r--r-- 1 root root 916 Dec 15 11:08 centos-sclo-scl-unverified.repo
    -rw-r--r-- 1 root root 2452 Dec 15 11:08 centos-unverified.repo
    -rw-r--r-- 1 root root 2739 Oct 25 11:35 clearos-centos.repo
    -rw-r--r-- 1 root root 438 Dec 15 11:08 clearos-centos-sclo-scl-rh.repo
    -rw-r--r-- 1 root root 501 Oct 25 11:35 clearos-epel.repo
    -rw-r--r-- 1 root root 433 Sep 13 14:19 clearos-fast-updates.repo
    -rw-r--r--. 1 root root 2352 Jul 22 2017 clearos.repo
    -rw-r--r-- 1 root root 910 Dec 15 11:08 epel-unverified.repo
    -rw-rw-r-- 1 root root 156 Jun 28 2017 plex.repo

    How do I get the kernel update?
  • Accepted Answer

    Mansoor
    Tuesday, January 09 2018, 05:04 PM - #Permalink
    Resolved
    1 votes
    Thank you.
  • Accepted Answer

    Sunday, January 07 2018, 06:43 AM - #Permalink
    Resolved
    0 votes
    The following are links to the Common Vulnerabilities and Exposures (CVE) documentation on ClearOS.com:

    CVE-2017-5715

    CVE-2017-5753

    CVE-2017-5754
  • Accepted Answer

    Robert
    Sunday, January 07 2018, 02:03 AM - #Permalink
    Resolved
    0 votes
    Dear Dave,

    Thank you. I am looking forward to the release.

    Best wishes,

    Robert
  • Accepted Answer

    Sunday, January 07 2018, 01:51 AM - #Permalink
    Resolved
    0 votes
    I've asked the release manager a similar question. Right now it is in the hands of the community and we are validating any problems that may have occurred with the dissemination of the package. It should be promoted soon. Like you, I am eager for the package in the verified repos. I have several projects that require them before I can push, for example, a new Q1 ISO for Home, Business, and Community that includes the newer kernel and rolled up packages for 2018.
  • Accepted Answer

    Robert
    Saturday, January 06 2018, 09:32 PM - #Permalink
    Resolved
    0 votes
    Dear Dave,

    Thanks for the info. I did yum update (and got some updates, auto-update is also on all the time) and also restarted the system (ClearOS Business 7.4). Though, I am still on 3.10.0-693.2.2.v7.x86_64 and not 3.10.0-693.11.6.v7 or later.

    Am I too impatient or do I need to activate some test repositories for that?

    Thank you.

    Best wishes,

    Robert
  • Accepted Answer

    Friday, January 05 2018, 08:38 PM - #Permalink
    Resolved
    0 votes
    Original research on these bugs was provided by the Project Zero team at Google:

    https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
  • Accepted Answer

    Friday, January 05 2018, 08:33 PM - #Permalink
    Resolved
    0 votes
    For more detail on these vulnerabilities, please consult the following from Red Hat:

    CVE-2017-5753 (variant #1/Spectre) is a bounds-checking exploit during branching. This issue is fixed with a kernel patch. Variant #1 protection is always enabled; it is not possible to disable the patches. Red Hat’s performance testing for variant #1 did not show any measurable impact.

    CVE-2017-5715 (variant #2/Spectre) is an indirect branching poisoning attack that can lead to data leakage. This attack allows for a virtualized guest to read memory from the host system. This issue is corrected with microcode, along with kernel and virtualization updates to both guest and host virtualization software. This vulnerability requires both updated microcode and kernel patches. Variant #2 behavior is controlled by the ibrs and ibpb tunables (noibrs/ibrs_enabled and noibpb/ibpb_enabled), which work in conjunction with the microcode.

    CVE-2017-5754 (variant #3/Meltdown) is an exploit that uses speculative cache loading to allow a local attacker to be able to read the contents of memory. This issue is corrected with kernel patches. Variant #3 behavior is controlled by the pti tunable (nopti/pti_enabled).
    Source: Red Hat
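An added example, not part of the original post: a script that reads the `pti_enabled`, `ibrs_enabled` and `ibpb_enabled` tunables named above and reports them per variant. Assumptions not stated on this page: the tunables are exposed as files under `/sys/kernel/debug/x86` (debugfs, readable by root), a value of 0 means disabled and any other number means enabled; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: tunables are debugfs files at this path,
# holding 0 when disabled and a non-zero number when enabled.
TUNABLE_DIR=/sys/kernel/debug/x86

# tunable DIR NAME: print on, off, or absent for one tunable file.
tunable() {
    [ -r "$1/$2" ] || { echo absent; return 0; }
    case "$(cat "$1/$2")" in
        '') echo absent ;;
        0)  echo off ;;
        *)  echo on ;;
    esac
}

# mitigation_report [DIR]: one line per variant described in the post,
# followed by a one-line summary.
mitigation_report() {
    dir=${1:-$TUNABLE_DIR}
    pti=$(tunable "$dir" pti_enabled)
    ibrs=$(tunable "$dir" ibrs_enabled)
    ibpb=$(tunable "$dir" ibpb_enabled)
    echo "variant1 CVE-2017-5753: no tunable, always on in a patched kernel"
    echo "variant2 CVE-2017-5715: ibrs=$ibrs ibpb=$ibpb"
    echo "variant3 CVE-2017-5754: pti=$pti"
    case "$pti/$ibrs/$ibpb" in
        on/on/on) echo "summary: all tunables enabled" ;;
        *absent*) echo "summary: tunable missing (unpatched kernel or debugfs not mounted)" ;;
        *)        echo "summary: at least one mitigation disabled" ;;
    esac
}

# On a real system run the script as root with --live.
if [ "${1:-}" = "--live" ]; then
    mitigation_report
fi
```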