On Thu, Jan 04, 2018 at 12:50:44PM -0500, sean darcy wrote: > >Mitigation for Meltdown is in place in the kernel updates we released > >yesterday. (Thanks to kernel team, release engineering, infrastructure > >/ security, and qa!) Updates for Spectre should be coming in soon. > Meltdown - CVE-2017-5754 - is not mentioned in the koji kernel builds. I believe this is because the work was done while the issue was still under embargo. But see https://bodhi.fedoraproject.org/updates/FEDORA-2018-22d5fa8a90 > But should we be worried about Meltdown even without kpti for: > An internet facing headless laptop acting as a router. No local > users. No X. No browsers. The only private info on the machine is > ssh keys, and the local root password. Any potential problem ? Red Hat security has rated these CVEs as having an impact of "Important", https://access.redhat.com/security/updates/classification/ "This rating is given to flaws that can easily compromise the confidentiality, integrity, or availability of resources. These are the types of vulnerabilities that allow local users to gain privileges, allow unauthenticated remote users to view resources that should otherwise be protected by authentication, allow authenticated remote users to execute arbitrary code, or allow remote users to cause a denial of service." So.... > Can we sleep at night ? Up to you, I'm afraid. :) -- Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> Fedora Project Leader _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
