Hi,

On Mon, Jan 29, 2018 at 08:18:35AM -0500, rhkra...@gmail.com wrote:
> iiuc, the fixes for Spectre and Meltdown have been "backported"
> (probably not the right word) to Wheezy (which is my "everyday"
> machine). If I'm wrong about that, somebody can let me know.
The confusion here is that "Spectre and Meltdown" comprise multiple different (but related) vulnerabilities.

The dangerous effects of Meltdown are avoided in Linux by use of the KPTI feature, which is now in Debian's supported kernels.

Fixing one of the Spectre vulnerabilities requires new CPU microcode, possibly a new BIOS, new kernel features, and the kernel to be compiled with an as-yet unreleased version of GCC. For this you would currently need to get a few things from sid and build your own kernel. The risk/reward calculation for these actions requires some thought, because a suitable kernel update is likely to appear soon.

As for the other known Spectre vulnerability: no one has much of an idea how to avoid it yet, but probably will in the near future.

There are likely to be further vulnerabilities in this class that are as yet unknown, at least to the public. There are also likely to be new mitigations developed that get around known problems in less expensive ways. So expect a lot more kernel updates in our near future.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
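A practical way to see which of these separate issues a given kernel has actually mitigated is the per-vulnerability status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (present in Linux 4.15 and in the Debian kernels that carry the backported fixes). The script below is an added example, not part of the mail above: it reads each file, classifies the status line as mitigated, vulnerable or unknown, and exits non-zero if anything is left unmitigated. The directory path is the real sysfs location; the VULN_DIR override, the function names and the sample status strings written by make_sample are constructed for this example.

```shell
#!/bin/sh
# Added example: summarise the kernel's per-vulnerability status files.
# On kernels older than 4.15 (or without the backports) the directory
# does not exist, so a constructed sample directory is used instead.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Classify one status line. The kernel writes "Not affected",
# "Mitigation: <name>" or "Vulnerable[: <detail>]"; anything else is
# reported as unknown rather than silently treated as safe.
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        Mitigation:*)    echo ok ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print one line per vulnerability file in the directory given as $1.
# Returns 1 if any entry is still vulnerable, 0 otherwise.
report_vulns() {
    dir="$1"
    bad=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        verdict=$(classify_status "$status")
        printf '%-16s %-10s %s\n' "$name" "$verdict" "$status"
        if [ "$verdict" = vulnerable ]; then
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: a partially mitigated machine (Meltdown and
# Spectre v1 mitigated in-kernel, Spectre v2 still lacking the
# retpoline build the mail refers to). Prints the directory path.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

if [ -d "$VULN_DIR" ]; then
    report_vulns "$VULN_DIR" || echo "some vulnerabilities remain unmitigated"
else
    echo "no $VULN_DIR on this kernel; showing constructed sample"
    report_vulns "$(make_sample)" || echo "sample has unmitigated entries"
fi
```

Run it as-is on a host to get a table of the current state; the non-zero exit status makes it usable from a configuration-check job so that a reboot into an older kernel, or a missing microcode package, shows up as a failed check rather than going unnoticed.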