2018-01-04 15:27 GMT-03:00 Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx>:
On Thu, Jan 04, 2018 at 12:50:44PM -0500, sean darcy wrote:
> >Mitigation for Meltdown is in place in the kernel updates we released
> >yesterday. (Thanks to kernel team, release engineering, infrastructure
> >/ security, and qa!) Updates for Spectre should be coming in soon.
> Meltdown - CVE-2017-5754 - is not mentioned in the koji kernel builds.
I believe this is because the work was done while the issue was still under
embargo. But see
https://bodhi.fedoraproject.org/updates/FEDORA-2018-22d5fa8a90
> But should we be worried about Meltdown even without kpti for:
> An internet facing headless laptop acting as a router. No local
> users. No X. No browsers. The only private info on the machine is
> ssh keys, and the local root password. Any potential problem ?
Red Hat security has rated these CVEs as having an impact of
"Important", https://access.redhat.com/security/updates/classification/
"This rating is given to flaws that can easily compromise the
confidentiality, integrity, or availability of resources. These are the
types of vulnerabilities that allow local users to gain privileges,
allow unauthenticated remote users to view resources that should
otherwise be protected by authentication, allow authenticated remote
users to execute arbitrary code, or allow remote users to cause a
denial of service."
But.... I'm wondering if an attacker can exploit this vulnerability remotely; that's not clear to me...
So....
> Can we sleep at night ?
Up to you, I'm afraid. :)
--
Matthew Miller
<mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@lists.fedoraproject.org