Hello, > On 19 February 2018 at 13:13, Turritopsis Dohrnii Teo En Ming < > tdteoenm...@gmail.com> wrote: > > > What are the patches that I can download and install to be protected > > against the Meltdown and Spectre security vulnerabilities?
The linux-kernel-* packages in Debian stable already have the KPTI feature which protects you against Meltdown. For variant 2 of Spectre you need a kernel with the so-called retpoline feature that was also compiled with a compiler that supports that feature. At the moment I think that the only packaged kernel which has this (has feature and is compiled with new enough gcc) is the one in unstable: <https://packages.debian.org/sid/linux-image-4.14.0-3-amd64> Versions of gcc that have the retpoline feature backported into them have already hit stable and oldstable (and maybe others; haven't checked), so another alternative would be to compile your own upstream kernel package using that gcc. Since Debian stable uses the 4.9.x long term stable kernel releases, you could use the latest upstream of those. Anything past 4.9.77 has the retpoline feature. Or just wait a bit longer for a kernel package that is compiled with a newer gcc to arrive as a stable security update. This is probably the most reasonable approach for the average user of Debian. Patches for variant 1 of Spectre are still in development in the upstream kernel, and in other software. You will also need updated CPU microcode and possibly a new BIOS. It is likely that there will be further exploit techniques discovered in this general area, that will require different fixes. There are some other considerations if your machine is not running on bare metal. In that case you should check with your virtualisation provider about that. On Mon, Feb 19, 2018 at 01:23:25PM +0000, Michael Fothergill wrote: > Checkout the debian backports suite (kindly resourcefully suggested by > Andy Smith) Please note that I provided these details to Michael Fothergill as part of Michael's general query about how a user could obtain a newer kernel package, not as an answer to how to obtain a kernel that was secured against any particular thing. Backports is not the correct answer for security purposes. Security support in the backports suite is done by the package uploaders and not the security team. Although, updates for the kernel packages do tend to arrive pretty quickly so I personally would not feel too bad about short term use of a backports kernel. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting