Meltdown Kimsufi (OVH)


Hello everyone,

I’m up to date with latest yunohost (2.7.9) and I experience the pop up warning for Meltdown. I don’t have any updates pending and have rebooted multiple times.

I don’t know if the pop up is a false positive or if I’m missing something.

I know that Kimsufi/OVH installs bind9 that will prevent the correct initialization of dnsmasq.

Is it possible that something similar is happening ?

I’m really not in my confort zone here, so anyone with a lead on this is welcome :slight_smile:

Below is all the useful infos I managed to gather.

Bonjour à tous,

Je suis à jour avec la dernière version de yunohost (2.7.9) et j’ai le message d’alerte concernant Meltdown. Je n’ai plus de mise à jour en attente et j’ai déjà redémarré plusieurs fois.

Je ne sais pas s’il s’agit d’un faux positif ou si je rate quelque chose.

Je sais que Kimsufi/OVH installe bind9 qui empêchera l’initialisation de dnsmasq.

Est-il possible que ce soit un problème similaire ?

Je ne suis vraiment pas dans ma zone de confort donc si quelqu’un a une piste, il est le bienvenu :slight_smile:

Ci dessous, toutes les informations utiles que j’ai réussi à rassembler.



ynh_versions = {
    "yunohost": {
        "repo": "stable",
        "version": "2.7.9"
    "yunohost-admin": {
        "repo": "stable",
        "version": "2.7.7"
    "moulinette": {
        "repo": "stable",
        "version": "2.7.7"
    "ssowat": {
        "repo": "stable",
        "version": "2.7.7"


$ sudo ./ 
Spectre and Meltdown mitigation detection tool v0.29

Checking for vulnerabilities against running kernel Linux 3.14.32-xxxx-grs-ipv6-64 #1 SMP Sat Feb 7 11:35:27 CET 2015 x86_64
CPU is Intel(R) Atom(TM) CPU N2800 @ 1.86GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 68 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer


$ cat /etc/debian_version


$ ls /boot/
bzImage-3.14.32-xxxx-grs-ipv6-64     grub/                        


deb jessie main
deb-src jessie main

deb jessie/updates main
deb-src jessie/updates main

# jessie-updates, previously known as 'volatile'
deb jessie-updates main
deb-src jessie-updates main

# jessie-backports, previously on
deb jessie-backports main
deb-src jessie-backports main



Yes some servers (baremetal or virtual) come with an old kernel marked as “hold”, so even if you try to upgrade your vps the kernel won’t be up to date.

You can get the current kernel with

uname -a

and get the list of kernel with

dpkg --list ‘linux-image*’ | grep ^ii

You can install recent kernel and remove old one’s with

apt-get install linux-image-flavour
apt-get remove linux-image-VERSION

Next reboot your server and see if it fix you meltdown vulnerability

1 Like

Hi @ljf,

I tried all the commands you suggested without success but thank you for your leads.

After laboriously deploying the fallback_ynh app (eventually it was not needed), I used the procedure defined in the ovh documentation (updating-kernel-dedicated-server):

$ uname -r
$ sudo wget
$ sudo update-grub
$ sudo reboot
$ uname -r

and the server is now protected from Meltdown \o/

Note that I experienced a Yunohost internal error when trying to run diagnosis, inviting me to report it: I cannot reproduce it.

Note2: I don’t know if it’s related but Yunohost versions listed in monitor are all “[object Object]”

1 Like

Yes, that’s a know bug (the fix is done but not yet released).

I’ve pushed a fix, thanks for reporting :slight_smile:

1 Like

Si j’ai bien compris, tous les noyaux peuvent faire tourner toutes les debian car ce sont deux couches distinctes ?

Parce que de 3.16 à 4.9, il y a du chemin !