2018-05-24 13:38 GMT+02:00 Karanbir Singh <kbsingh@redhat.com>:
On 24/05/18 11:53, Karanbir Singh wrote:
> On 24/05/18 11:18, Sandro Bonazzola wrote:
>>
>>
>> 2018-05-24 3:18 GMT+02:00 Karanbir Singh <kbsingh@redhat.com>:
>>
>>     On 23/05/18 06:56, Sandro Bonazzola wrote:
>>     > CentOS Errata and Security Advisory 2018:1655 Important
>>     >
>>     > Upstream details at: https://access.redhat.com/errata/RHSA-2018:1655
>>     >
>>     > This is the qemu-kvm-ev side of the CVE-2018-3639 mitigation.
>>     >
>>     > qemu-kvm-ev-2.10.0-21.el7_5.3.1
>>     > <http://cbs.centos.org/koji/buildinfo?buildID=22813> has been tagged for
>>     > release yesterday morning and should land on mirrors this morning.
>>     > Johnny, Brian, Karanbir, please cross check it's being published, I
>>     > would have expected it to be already on mirrors.
>>     >
>>     > Thanks,
>>     > --
>>     >
>>     > SANDRO BONAZZOLA
>>     >
>>     > ASSOCIATE MANAGER, SOFTWARE ENGINEERING, EMEA ENG VIRTUALIZATION R&D
>>     >
>>     > Red Hat EMEA <https://www.redhat.com/>
>>     >
>>     > sbonazzo@redhat.com
>>
>>     With all the noise around this specific package, I went and looked and
>>     it's in the queue for push, should be in the packages for Thu 24th
>>
>>
>> Looks like it's not yet published.
>> Also altarch is still broken https://bugs.centos.org/view.php?id=14835
>>
>
> yeah, this is down to how the various arch bits were pushed out of sync;
> we got cut both ways, either if we do x86_64 on its own or we don't,
>
> I am working on sig content right now, so let me go look at this as well
>
>

the sign runs are now running cleanly for altarch as well, it looks like
the mirrors caught up in sync with those in the last day or so. It's
going to run for a bit though, I'll keep an eye on things.

w.r.t. the CVE note - just want to point out that I've been told that,
lacking the vendor-supplied microcode, these fixes in this code do not
really help much. And there is no vendor microcode as yet. Is that an
accurate state of play?

AFAIK Intel released a beta microcode to OEMs so individual hardware vendors should be providing it through their support pages after testing with their hardware.

 


--
Karanbir Singh <kbsingh@redhat.com> | London, UK
Project Lead, The CentOS Project
Consulting Engineer, https://openshift.io/




--

SANDRO BONAZZOLA

ASSOCIATE MANAGER, SOFTWARE ENGINEERING, EMEA ENG VIRTUALIZATION R&D

Red Hat EMEA

sbonazzo@redhat.com