[EN]
Hello everyone,
I’m up to date with the latest yunohost (2.7.9) and I experience the pop-up warning for Meltdown. I don’t have any updates pending and have rebooted multiple times.
I don’t know if the pop-up is a false positive or if I’m missing something.
I know that Kimsufi/OVH installs bind9 that will prevent the correct initialization of dnsmasq.
Is it possible that something similar is happening?
I’m really not in my comfort zone here, so anyone with a lead on this is welcome.
Below is all the useful info I managed to gather.
[/EN]
[FR]
Hello everyone,
I’m up to date with the latest version of yunohost (2.7.9) and I get the warning message about Meltdown. I have no more pending updates and I have already rebooted several times.
I don’t know whether this is a false positive or whether I’m missing something.
I know that Kimsufi/OVH installs bind9, which prevents dnsmasq from initialising.
Is it possible that this is a similar problem?
I’m really not in my comfort zone, so if anyone has a lead, they are welcome.
Below is all the useful information I managed to gather.
[/FR]
[INFOS]
diagnosis: https://paste.yunohost.org/ukigeticug
ynh_versions
ynh_versions = {
"yunohost": {
"repo": "stable",
"version": "2.7.9"
},
"yunohost-admin": {
"repo": "stable",
"version": "2.7.7"
},
"moulinette": {
"repo": "stable",
"version": "2.7.7"
},
"ssowat": {
"repo": "stable",
"version": "2.7.7"
}
}
./spectre-meltdown-checker.sh
$ sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.29
Checking for vulnerabilities against running kernel Linux 3.14.32-xxxx-grs-ipv6-64 #1 SMP Sat Feb 7 11:35:27 CET 2015 x86_64
CPU is Intel(R) Atom(TM) CPU N2800 @ 1.86GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 68 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
debian_version
$ cat /etc/debian_version
8.10
/boot/
$ ls /boot/
bzImage-3.14.32-xxxx-grs-ipv6-64 grub/ System.map-3.14.32-xxxx-grs-ipv6-64
/etc/apt/sources.list
deb http://debian.mirrors.ovh.net/debian/ jessie main
deb-src http://debian.mirrors.ovh.net/debian/ jessie main
deb http://security.debian.org/ jessie/updates main
deb-src http://security.debian.org/ jessie/updates main
# jessie-updates, previously known as 'volatile'
deb http://debian.mirrors.ovh.net/debian/ jessie-updates main
deb-src http://debian.mirrors.ovh.net/debian/ jessie-updates main
# jessie-backports, previously on backports.debian.org
deb http://debian.mirrors.ovh.net/debian/ jessie-backports main
deb-src http://debian.mirrors.ovh.net/debian/ jessie-backports main
- https://security-tracker.debian.org/tracker/CVE-2017-5754
- https://docs.ovh.com/fr/dedicated/meltdown-spectre-kernel-update-per-operating-system/
- https://docs.ovh.com/gb/en/dedicated/updating-kernel-dedicated-server/
- https://docs.ovh.com/fr/dedicated/mettre-a-jour-kernel-serveur-dedie/
[/INFOS]
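An added check for the situation shown in the post (example code written for this thread, not from the original post, YunoHost or OVH). It assumes two things the post itself does not state: that kernels carrying the 4.15-era reporting code (or a distro backport of it) expose `/sys/devices/system/cpu/vulnerabilities/meltdown`, and that Debian's `linux-image-*` packages install the kernel as `/boot/vmlinuz-<release>`, so a bare `/boot/bzImage-<release>` with no `vmlinuz-*` beside it is a kernel that `apt` does not manage. The sample inputs are constructed from the values in the post.

```sh
#!/bin/sh
# Added example for this thread, not code from the original post, YunoHost or OVH.
# Two cheap checks for the situation described above:
#   1. ask the kernel itself whether Meltdown is mitigated (the sysfs file
#      /sys/devices/system/cpu/vulnerabilities/meltdown exists on kernels that
#      carry the 4.15-era reporting code or a distro backport of it; a kernel
#      without it, like the 3.14 one in the post, reports nothing and needs an
#      external checker such as spectre-meltdown-checker);
#   2. work out whether the running kernel came from a Debian linux-image
#      package (installed as /boot/vmlinuz-<release>) or from the hosting
#      provider (a bare /boot/bzImage-<release> as in the post). Only the first
#      kind is replaced by `apt upgrade`; rebooting cannot help with the second.
# Inputs are passed as arguments so the functions run on constructed samples
# without root or a live /sys.

# meltdown_state SYSFS_TEXT
#   SYSFS_TEXT: contents of the sysfs meltdown file, empty if it does not exist.
# Prints: mitigated | vulnerable | unknown
meltdown_state() {
    case "$1" in
        "Not affected"*) echo mitigated ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;    # no self-report on this kernel
    esac
}

# kernel_origin RELEASE BOOT_LISTING
#   RELEASE: output of `uname -r`; BOOT_LISTING: `ls /boot` joined on one line.
# Prints: debian-package | vendor-image | not-in-boot
kernel_origin() {
    release=$1
    listing=" $2 "
    case "$listing" in
        *" vmlinuz-$release "*) echo debian-package ;;   # Debian linux-image layout
        *"-$release "*)         echo vendor-image ;;     # e.g. bzImage-<release>
        *)                      echo not-in-boot ;;      # running kernel absent from /boot
    esac
}

# meltdown_verdict RELEASE SYSFS_TEXT BOOT_LISTING
# Prints a one-word verdict followed by the reason.
meltdown_verdict() {
    state=$(meltdown_state "$2")
    origin=$(kernel_origin "$1" "$3")
    if [ "$state" = mitigated ]; then
        echo "ok kernel $1 reports Meltdown as mitigated"
        return 0
    fi
    case "$origin" in
        debian-package) echo "update-package kernel $1 is a Debian package; upgrade linux-image and reboot" ;;
        vendor-image)   echo "provider-kernel kernel $1 is not an apt package; apt upgrades and reboots leave it unchanged" ;;
        *)              echo "inconsistent kernel $1 not found in /boot; check the boot loader configuration" ;;
    esac
}

# Stand-alone run on the values shown in the post (constructed inputs: the
# post's 3.14 kernel has no sysfs report, so SYSFS_TEXT is empty).
meltdown_verdict "3.14.32-xxxx-grs-ipv6-64" "" \
    "bzImage-3.14.32-xxxx-grs-ipv6-64 grub/ System.map-3.14.32-xxxx-grs-ipv6-64"
```

On a live host the same verdict comes from `meltdown_verdict "$(uname -r)" "$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null)" "$(ls /boot | tr '\n' ' ')"`. The origin check is the part that matters for the post: when the only kernel image in `/boot` is a provider-built `bzImage`, no amount of `apt upgrade` and rebooting changes the running kernel, which is why the warning keeps coming back and why the OVH kernel-update pages linked above are the relevant fix path.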