<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0">One last heads up if you're following.. an important side note that applying these patches could cause significant system stability issues (spontaneous reboots).</p>
<p style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: 16px;">
<br>
</p>
<p style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: 16px;">
If you have a mission critical system that needs this.. you might want to wait until the dust settles before rolling out all the patches:</p>
<p style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: 16px;">
<a href="https://www.bizjournals.com/sanjose/news/2018/01/12/intel-meltdown-spectre-patches-reboot-flaw-amd.html" class="OWAAutoLink" id="LPlnk309742" previewremoved="true">https://www.bizjournals.com/sanjose/news/2018/01/12/intel-meltdown-spectre-patches-reboot-flaw-amd.html</a><br>
</p>
<p style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: 16px;">
<br>
</p>
<p style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: 16px;">
There's a reason it's called "the bleeding edge". </p>
<p style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: 16px;">
Wisdom sometimes leads you to letting others lead. ;)</p>
<p style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: 16px;">
<br>
</p>
<div id="Signature" style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: 16px;">
<div name="divtagdefaultwrapper" style="font-family: Calibri, Arial, Helvetica, sans-serif; margin: 0px;">
T.Weeks</div>
</div>
<br>
<p></p>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Weeks, Thomas<br>
<b>Sent:</b> Thursday, January 11, 2018 11:32:48 AM<br>
<b>To:</b> security-discuss@lists.rbtc.tech<br>
<b>Subject:</b> Re: [Security-Discuss] Patching RH Linux Boxes Against new CPU (Meltdown & Spectre)</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">After applying the new, patched kernels on Red Hat (check other distros for these kernel controls)..
<br>
here are the sysctl tunables to enable/disable the workarounds (could impose a performance hit.. so TEST TEST TEST!)<br>
<a href="http://theweeks.org/tmp/FILES/tmp/meltdown-spectre_mitigation_sysctl_switches.png">http://theweeks.org/tmp/FILES/tmp/meltdown-spectre_mitigation_sysctl_switches.png</a><br>
<br>
or:<br>
<br>
echo 1 > /sys/kernel/debug/x86/pti_enabled<br>
echo 1 > /sys/kernel/debug/x86/ibpb_enabled<br>
echo 1 > /sys/kernel/debug/x86/ibrs_enabled<br>
<br>
<br>
Thomas "Tweeks" Weeks<br>
Director, Technology Futures and Community Advocacy<br>
Division of Information Technology, Virginia Tech<br>
<br>
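An added example, not part of the original message: a read-only check to run before and after flipping the three switches above. It reports each switch's state and treats a missing or unreadable file (unpatched kernel, debugfs not mounted, not root) as a separate case; the function names and the optional directory argument are assumptions made for this example.<br>

```shell
#!/bin/sh
# Report the state of the three mitigation switches named in the message above.
# Read-only: nothing is written to debugfs.

mitigation_state() {
    # $1 = switch file name, $2 = directory holding the switch files
    f="$2/$1"
    if [ ! -r "$f" ]; then
        # Unpatched kernel, debugfs not mounted, or not running as root
        echo "unavailable"
        return 0
    fi
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0)      echo "disabled" ;;
        [1-9]*) echo "enabled($v)" ;;   # raw value kept so non-1 settings stay visible
        *)      echo "unknown($v)" ;;
    esac
}

mitigation_report() {
    # Optional $1 (assumption for this example) points at another directory,
    # e.g. a copy collected from a remote host; default is the path from the message.
    dir="${1:-/sys/kernel/debug/x86}"
    rc=0
    for sw in pti_enabled ibpb_enabled ibrs_enabled; do
        state=$(mitigation_state "$sw" "$dir")
        printf '%s=%s\n' "$sw" "$state"
        case "$state" in
            enabled*) ;;
            *) rc=1 ;;   # disabled, unavailable or unknown
        esac
    done
    # Non-zero exit when any switch is not enabled, so it can gate a rollout script
    return $rc
}

# Usage (as root, with debugfs mounted): mitigation_report
```
<br>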
-----------------------------<br>
<br>
From: Weeks, Thomas<br>
Sent: Thursday, January 11, 2018 11:16 AM<br>
To: security-discuss@lists.rbtc.tech<br>
Subject: Re: [Security-Discuss] Patching RH Linux Boxes Against new CPU (Meltdown & Spectre)<br>
<br>
<br>
Here's the slide deck from the Red Hat webex on this (going on right now):<br>
<a href="http://theweeks.org/tmp/FILES/tmp/RHat_Meltdown_and_Spectre_patch_performance_impact_webinar_FINAL.pdf">http://theweeks.org/tmp/FILES/tmp/RHat_Meltdown_and_Spectre_patch_performance_impact_webinar_FINAL.pdf</a><br>
<br>
Thomas "Tweeks" Weeks<br>
Director, Technology Futures and Community Advocacy<br>
Division of Information Technology, Virginia Tech<br>
<br>
----------------------------<br>
<br>
From: Thomas Tweeks Weeks &lt;tom@theweeks.org&gt;<br>
Sent: Wednesday, January 10, 2018 10:55 PM<br>
To: Shailesh Prajapati<br>
Cc: Weeks, Thomas; security-discuss@lists.rbtc.tech<br>
Subject: Re: [Security-Discuss] Patching RH Linux Boxes Against new CPU (Meltdown & Spectre)<br>
<br>
That's THE definitive place for more info on the vulnerabilities.. but here's another really great video by my buddies at Red Hat that really breaks it down:<br>
<a href="https://www.youtube.com/watch?v=syAdX44pokE">https://www.youtube.com/watch?v=syAdX44pokE</a><br>
<br>
Tweeks<br>
<br>
------------------------------<br>
<br>
On Wednesday, January 10, 2018 9:58am, "Shailesh Prajapati" &lt;prajapatisk@gmail.com&gt; said:<br>
<br>
<br>
<br>
Thomas,<br>
Thanks for this info. <br>
I would also recommend folks check this website and read this: <a href="https://spectreattack.com/">https://spectreattack.com/</a><br>
<br>
<br>
On Thu, Jan 4, 2018 at 4:03 PM, Weeks, Thomas &lt;t.weeks@vt.edu&gt; wrote:<br>
I don't normally send out security announcements.. but this is so huge it demands some extra attention..<br>
<br>
Here's a really great security bulletin by a good X-Racker friend of mine (now a security lead at Red Hat) on the big processor/kernel Side-Channel attack vectors (by Meltdown/Spectre).<br>
<a href="https://access.redhat.com/security/vulnerabilities/speculativeexecution">https://access.redhat.com/security/vulnerabilities/speculativeexecution</a><br>
<br>
<br>
If you run Red Hat-based distros, stay tuned to the Advisory/Update column of the "Resolve" tab of this super critical security bulletin.<br>
<br>
<br>
TL;DR<br>
The packages you'll want to watch for updates on are kernel, libvirt and qemu-kvm (as well as kernel-rt and dracut on RHEL7):<br>
<br>
Post any of your findings, tips or suggestions here please.. we're all in this one for the long term!<br>
<br>
<br>
p.s. Invite security friends to both this list: <a href="http://lists.rbtc.tech/mailman/listinfo/security-discuss">
http://lists.rbtc.tech/mailman/listinfo/security-discuss</a><br>
and the main [Security-Announce] list: <a href="http://lists.rbtc.tech/mailman/listinfo/security-announce">
http://lists.rbtc.tech/mailman/listinfo/security-announce</a><br>
Both run the mailman email list server, and as such have archives that are google indexed, and thus VERY useful for recalling useful things you can't quite remember.. :)<br>
<br>
T.Weeks<br>
Thomas "Tweeks" Weeks<br>
Director, Technology Futures and Community Advocacy<br>
Division of Information Technology, Virginia Tech<br>
<br>
</div>
</span></font></div>
</body>
</html>