On Thu, Jan 4, 2018 at 7:12 PM, Sarah Newman srn@prgmr.com wrote:
On 01/04/2018 10:49 AM, Akemi Yagi wrote:
On Thu, Jan 4, 2018 at 9:51 AM, rikske@deds.nl wrote:
Please patch the CentOS-virt Kernel to fix the Kernel Side-Channel Attacks vulnerabilities.
The latest CentOS-virt kernel was released in November, as seen below.
kernel-4.9.63-29.el7.x86_64.rpm 2017-11-21 13:30
https://access.redhat.com/security/vulnerabilities/speculativeexecution http://mirror.centos.org/centos/7/virt/x86_64/xen/
As far as I can see, the patches for KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed) will appear in kernel 4.9.75. Looks like it will be released soon upstream (kernel.org).
To my best knowledge KAISER doesn't matter for Xen Dom0's given they run in PV mode, and KAISER isn't enabled for PV guests.
But it will be important if anyone is running the CentOS kernel in their HVM domUs (as guest kernels can be attacked using SP3 by guest user space without the KPTI patches).
I'm sure Johnny will get to it as soon as he has the opportunity.
-George