Re: comment and new question--when do upgrades take effect (side question)



Sorry for the hijack, but does this also have to do with these newly enabled default kernel options?

grep STACKPROTECTOR /boot/config-3.16.0-5-amd64
CONFIG_HAVE_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_NONE is not set
CONFIG_CC_STACKPROTECTOR_REGULAR=y
# CONFIG_CC_STACKPROTECTOR_STRONG is not set

because dkms now fails and so my geoip support in iptables is now broken, as the module is missing.

BR, Spacerat

On 29.01.2018 at 15:15, Andy Smith wrote:
Hi,

On Mon, Jan 29, 2018 at 08:18:35AM -0500, rhkramer@gmail.com wrote:
iiuc, the fixes for Spectre and Meltdown have been "backported"
(probably not the right word) to Wheezy (which is my "everyday"
machine).  If I'm wrong about that, somebody can let me know.

The confusion here is that "Spectre and Meltdown" comprise multiple
different (but related) vulnerabilities.

The dangerous effects of Meltdown are avoided in Linux by use of the
KPTI feature which is now in Debian's supported kernels.

Fixing one of the Spectre vulnerabilities requires new CPU
microcode, possibly a new BIOS, new kernel features and kernel to be
compiled with an as-yet unreleased version of GCC. For this you
would currently need to get a few things from sid and build your own
kernel. The risk/reward calculation for these actions requires some
thought because a suitable kernel update is likely to appear soon.

As for the other known Spectre vulnerability: no one has much of an
idea how to avoid it yet, but probably will in the near future.

There are likely to be further vulnerabilities in this class that
are as-yet unknown at least to the public. There are also likely to
be new mitigations developed that get around known problems in less
expensive ways. So expect a lot more kernel updates in our near
future.

Cheers,
Andy
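An added example, not from either poster: a small POSIX shell script that reads a kernel config file the way the grep above does, classifies the stack-protector setting (regular / strong / none), checks for KPTI (the Meltdown mitigation Andy mentions, which is CONFIG_PAGE_TABLE_ISOLATION on x86), and, where the kernel provides it, prints the mitigation status the kernel itself reports under /sys/devices/system/cpu/vulnerabilities. The sample config it falls back on is constructed here from the five lines in the mail plus one KPTI line; it is not a real Debian config.

```shell
#!/bin/sh
# Added example: inspect a kernel config for the stack-protector level and
# for KPTI, then show the kernel's own mitigation report when sysfs has it.
# Usage: sh kconfig-check.sh /boot/config-$(uname -r)
# With no argument a constructed sample config is written to a temp file.

# Print the value of a CONFIG_ option: y, m, n (explicit "is not set") or "unset".
kconfig_value() {
    file=$1
    opt=$2
    val=$(grep -E "^${opt}=" "$file" | head -n 1 | cut -d= -f2-)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    elif grep -qE "^# ${opt} is not set$" "$file"; then
        printf 'n\n'
    else
        printf 'unset\n'
    fi
}

# Classify the stack protector build setting: strong, regular, none or unknown.
stackprotector_level() {
    file=$1
    if [ "$(kconfig_value "$file" CONFIG_CC_STACKPROTECTOR_STRONG)" = y ]; then
        echo strong
    elif [ "$(kconfig_value "$file" CONFIG_CC_STACKPROTECTOR_REGULAR)" = y ]; then
        echo regular
    elif [ "$(kconfig_value "$file" CONFIG_CC_STACKPROTECTOR_NONE)" = y ]; then
        echo none
    else
        echo unknown
    fi
}

# KPTI is CONFIG_PAGE_TABLE_ISOLATION on x86; true when the config enables it.
kpti_enabled() {
    [ "$(kconfig_value "$1" CONFIG_PAGE_TABLE_ISOLATION)" = y ]
}

# Constructed sample: the STACKPROTECTOR lines from the mail plus a KPTI line
# added here for illustration. It is not a real Debian kernel config.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_HAVE_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_NONE is not set
CONFIG_CC_STACKPROTECTOR_REGULAR=y
# CONFIG_CC_STACKPROTECTOR_STRONG is not set
CONFIG_PAGE_TABLE_ISOLATION=y
EOF
}

# Runtime view: kernels from 4.15 (and distribution backports) report the
# mitigation status per vulnerability under sysfs; absent on older kernels.
sysfs_mitigations() {
    dir=/sys/devices/system/cpu/vulnerabilities
    if [ ! -d "$dir" ]; then
        echo "sysfs vulnerability reporting not available on this kernel"
        return 0
    fi
    for f in "$dir"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

report() {
    file=$1
    echo "config: $file"
    echo "stack protector: $(stackprotector_level "$file")"
    if kpti_enabled "$file"; then
        echo "KPTI: enabled"
    else
        echo "KPTI: not enabled, or not present under this name in this config"
    fi
    sysfs_mitigations
}

if [ -n "${1:-}" ]; then
    report "$1"
else
    tmp=$(mktemp)
    write_sample_config "$tmp"
    report "$tmp"
    rm -f "$tmp"
fi
```

Run it against the real file (sh kconfig-check.sh /boot/config-3.16.0-5-amd64) to see what the running kernel was built with; the config tells you what the kernel was compiled with, while the sysfs directory, when present, tells you what the kernel actually applied at boot, which is the more useful number when judging whether an update has taken effect.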
