[CentOS] CentOS 6 i386 - meltdown and spectre

Tue Mar 13 11:56:47 UTC 2018
Johnny Hughes <johnny at centos.org>

On 03/09/2018 12:46 PM, Peter Wood wrote:
> Hi Johnny,
> Thank you for your reply.
> It seems to me that my message may have come across as offensive, but that
> was not my intent. I have a basic understanding of how things work and when I
> said CentOS I actually meant Red Hat and all its derivatives. I asked the
> CentOS community because that's the community I'm a member of. Not to say
> that CentOS is not secure or anything like that.
> Anyway, I'm stuck with a few 32bit systems exposed to customers and I have
> to come up with an answer to their question about meltdown/spectre. At this
> point all I can say is that Red Hat hasn't patched 32bit systems but that
> is hard to believe so I assumed that I'm wrong and decided to ask the
> community.
> Thank you,
> -- Peter

Not at all Peter .. I just wanted to take the opportunity to explain to
people what the CentOS Linux policy about security updates is and how we
handle security issues in CentOS Linux.

We strive to build updated source code as soon as it is released by Red Hat
for RHEL .. BUT, we do no official testing for security (whether there
is an actual problem or not .. nor whether the updated source code fixes
said security problem).

We just build the source code as it comes out, when it is released, as
fast as we can.  We test that the resultant RPMs work and if we
introduce any inconsistencies in CentOS that do not exist in RHEL, we
try to fix and rebuild the packages.

But we don't make any claims that any security issues are fixed, or any
claims that CentOS Linux is fit for any purpose whatsoever.  CentOS
Linux is what it is .. a rebuild of the RHEL source code, as it is
released, modified to remove branding to comply with Red Hat's trademark
policy.  Nothing more, nothing less.

I am quite happy for people to discuss their testing of CentOS Linux for
Security issues and updates on this list (or wherever else they want),
with the understanding that there is no official testing performed or
assurance given by the CentOS Project with respect to security.

Again, I am not in any way offended or upset, not even in the slightest.
I'm sorry if my email gave you that impression.

Johnny Hughes

> On Fri, Mar 9, 2018 at 7:52 AM, Johnny Hughes <johnny at centos.org> wrote:
>> I have built all the source code releases from upstream for RHEL-6
>> regarding meltdown /spectre and released those into packages into the
>> CentOS Linux 6.9 updates repository.
>> As to whether or not either Arch (x86_64 or i386) is or is not
>> vulnerable, the CentOS team does not test for or make claims concerning
>> security fitness.  What we do is build the source code that is released
>> upstream.
>> Users must test for (and validate) the security fitness of CentOS Linux
>> for their own usage profiles.  If you require fully tested solutions
>> with software assurance and validated security, that is what RHEL is
>> for, right?
>> You can read more about those issues here:
>> https://access.redhat.com/security/vulnerabilities/speculativeexecution
>> Thanks,
>> Johnny Hughes
>> On 03/06/2018 04:35 PM, Peter Wood wrote:
>>> I have a clean install, fully updated CentOS 6 32-bit.
>>> When I run the Red Hat detection script:
>>> https://access.redhat.com/sites/default/files/spectre-meltdown--a79614b.sh
>>> it finds that the system is vulnerable.
>>> Is this a false positive or are there no patches for CentOS 6 32-bit
>>> systems?
>>> Thank you,
>>> -- Peter
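The question that started the thread is how to tell whether a given kernel reports itself as mitigated. As an added example (it is not Red Hat's detection script and not code from anyone in the thread), the following POSIX shell script reads the kernel's own self-report: the /sys/devices/system/cpu/vulnerabilities/ files that newer kernels and Red Hat's backports provide, with a fallback to the on/off flags under /sys/kernel/debug/x86/ (pti_enabled, ibrs_enabled, ibpb_enabled, retp_enabled) that Red Hat documented for its backported RHEL 6/7 kernels. Which of those flags exist on a particular CentOS 6 kernel is assumed here, not verified; the sample sysfs tree the script builds in a temporary directory is constructed so the block runs offline. Note that this reports what the kernel claims, which is exactly the point Johnny makes: it is not a test of the hardware or of the fix, only a status readout that a defender can feed into an inventory.

```shell
#!/bin/sh
# Added example (not the Red Hat detection script and not from the thread):
# summarize kernel-reported Meltdown/Spectre mitigation status from sysfs,
# with a fallback to the debugfs flags Red Hat documented for its backports.

# Classify one status line from /sys/devices/system/cpu/vulnerabilities/<name>.
# Prints exactly one of: ok, mitigated, vulnerable, unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print "<name> <class> <raw text>" for every file in a vulnerabilities
# directory. Returns 1 if any entry classifies as vulnerable, 0 otherwise,
# so the function can drive a shell conditional or a fleet inventory job.
summarize_vuln_dir() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        raw=$(cat "$f")
        cls=$(classify_status "$raw")
        [ "$cls" = vulnerable ] && rc=1
        printf '%-20s %-10s %s\n' "$(basename "$f")" "$cls" "$raw"
    done
    return $rc
}

# Fallback for kernels without the sysfs interface. The flag names are the
# ones Red Hat documented for its backported kernels (assumption: a given
# CentOS 6 kernel exposes some or all of them); reading them needs root and
# a mounted debugfs. A value of 1 means the mitigation is switched on.
summarize_debugfs_flags() {
    d="${1:-/sys/kernel/debug/x86}"
    for flag in pti_enabled ibrs_enabled ibpb_enabled retp_enabled; do
        if [ -r "$d/$flag" ]; then
            printf '%-20s %s\n' "$flag" "$(cat "$d/$flag")"
        fi
    done
}

# Constructed sample data so the block runs offline: a fake sysfs tree with
# one mitigated, one vulnerable and one not-affected entry. Prints its path.
make_sample_tree() {
    t=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$t/meltdown"
    printf 'Vulnerable\n'      > "$t/spectre_v2"
    printf 'Not affected\n'    > "$t/l1tf"
    echo "$t"
}

# Usage: run with --live to read the real kernel; without it the constructed
# sample tree is summarized instead.
if [ "${1:-}" = "--live" ]; then
    if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
        summarize_vuln_dir /sys/devices/system/cpu/vulnerabilities
    else
        echo "no sysfs vulnerabilities interface; checking debugfs flags"
        summarize_debugfs_flags
    fi
else
    sample=$(make_sample_tree)
    summarize_vuln_dir "$sample" || echo "at least one entry reports Vulnerable"
    rm -rf "$sample"
fi
```

The classification is deliberately conservative: anything the kernel does not label "Not affected" or "Mitigation:" is reported as vulnerable or unknown, and a system whose kernel predates both interfaces produces no rows at all, which should be treated as "unknown" rather than "patched" when the output is collected across a fleet.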
