Hi Johnny,

Thank you for your reply.

It seems to me that my message may have come around as offensive but that was not my intent. I have a basic understanding of how things work and when I said CentOS I actually meant Red Hat and all its derivatives. I asked the CentOS community because that's the community I'm a member of. Not to say that CentOS is not secure or anything like that.

Anyway, I'm stuck with a few 32bit systems exposed to customers and I have to come up with an answer to their question about meltdown/spectre. At this point all I can say is that Red Hat hasn't patched 32bit systems but that is hard to believe so I assumed that I'm wrong and decided to ask the community.

Thank you,

-- Peter

On Fri, Mar 9, 2018 at 7:52 AM, Johnny Hughes <johnny at centos.org> wrote:
> I have built all the source code releases from upstream for RHEL-6
> regarding meltdown/spectre and released those into packages into the
> CentOS Linux 6.9 updates repository.
>
> As to whether or not either Arch (x86_64 or i386) is or is not
> vulnerable, the CentOS team does not test for or make claims concerning
> security fitness. What we do is build the source code that is released
> upstream.
>
> Users must test for (and validate) the security fitness of CentOS Linux
> for their own usage profiles. If you require fully tested solutions
> with software assurance and validated security, that is what RHEL is
> for, right?
>
> You can read more about those issues here:
> https://access.redhat.com/security/vulnerabilities/speculativeexecution
>
> Thanks,
> Johnny Hughes
>
> On 03/06/2018 04:35 PM, Peter Wood wrote:
> > I have a clean install, fully updated CentOS 6 32-bit.
> >
> > When I run the Red Hat detection script:
> > https://access.redhat.com/sites/default/files/spectre-meltdown--a79614b.sh
> >
> > it finds that the system is vulnerable.
> >
> > Is this a false positive or are there no patches for CentOS 6 32-bit
> > systems?
> >
> > Thank you,
> >
> > -- Peter

On Fri, Mar 9, 2018 at 10:46 AM, Peter Wood <peterwood.sd at gmail.com> wrote:
> Anyway, I'm stuck with a few 32bit systems exposed to customers and I have
> to come up with an answer to their question about meltdown/spectre. At this
> point all I can say is that Red Hat hasn't patched 32bit systems but that
> is hard to believe so I assumed that I'm wrong and decided to ask the
> community.

According to a Q&A page about Meltdown and Spectre:

Question - Is the patch available for 32 bit RHEL 6.9?
Answer - 32-bit patches are pending, being of lower priority than our RHEL 5 work at this time.

Apparently, it is not getting a high priority.

Akemi

On 09/03/18 19:16, Akemi Yagi wrote:
> On Fri, Mar 9, 2018 at 10:46 AM, Peter Wood <peterwood.sd at gmail.com> wrote:
>
>> Anyway, I'm stuck with a few 32bit systems exposed to customers and I have
>> to come up with an answer to their question about meltdown/spectre. At this
>> point all I can say is that Red Hat hasn't patched 32bit systems but that
>> is hard to believe so I assumed that I'm wrong and decided to ask the
>> community.
>
> According to a Q&A page about Meltdown and Spectre:
>
> Question - Is the patch available for 32 bit RHEL 6.9?
> Answer - 32-bit patches are pending, being of lower priority than our
> RHEL 5 work at this time.
>
> Apparently, it is not getting a high priority.
>
> Akemi

I note Red Hat released el5 kernel updates on Wednesday for Meltdown and Spectre for both i386 and x86_64 architectures [RHSA-2018:0464-01], so maybe 32-bit rhel6 is next on the list (seems strange to me that Red Hat would prioritize RHEL5 over RHEL6, but there you go).

There is also a handy script to check the status on your systems here:

https://github.com/speed47/spectre-meltdown-checker

I do not have any el6 systems running so have not tried it on el6.

Awesome. Thank you.

Embarrassing but I can't find the Q&A page with this question. Can you please post a link to it?

Thanks,

-- Peter

On 03/09/2018 12:46 PM, Peter Wood wrote:
> Hi Johnny,
>
> Thank you for your reply.
>
> It seems to me that my message may have come around as offensive but that
> was not my intent. I have a basic understanding of how things work and when I
> said CentOS I actually meant Red Hat and all its derivatives. I asked the
> CentOS community because that's the community I'm a member of. Not to say
> that CentOS is not secure or anything like that.
>
> Anyway, I'm stuck with a few 32bit systems exposed to customers and I have
> to come up with an answer to their question about meltdown/spectre. At this
> point all I can say is that Red Hat hasn't patched 32bit systems but that
> is hard to believe so I assumed that I'm wrong and decided to ask the
> community.
>
> Thank you,
>
> -- Peter

Not at all Peter .. I just wanted to take the opportunity to explain to people what the CentOS Linux policy about security updates is and how we handle security issues in CentOS Linux.

We strive to build updated source code as soon as it is released by Red Hat for RHEL .. BUT, we do no official testing for security (whether there is an actual problem or not .. nor whether the updated source code fixes said security problem). We just build the source code as it comes out, when it is released, as fast as we can.

We test that the resultant RPMs work and if we introduce any inconsistencies in CentOS that do not exist in RHEL, we try to fix and rebuild the packages.

But we don't make any claims that any security issues are fixed, or any claims that CentOS Linux is fit for any purpose whatsoever. CentOS Linux is what it is .. a rebuild of the RHEL source code, as it is released, modified to remove branding to comply with Red Hat's trademark policy. Nothing more, nothing less.

I am quite happy for people to discuss their testing of CentOS Linux for Security issues and updates on this list (or wherever else they want), with the understanding that there is no official testing performed or assurance given by the CentOS Project with respect to security.

Again, I am not in any way offended or upset, not even in the slightest. I'm sorry if my email gave you that impression.

Thanks,
Johnny Hughes