On Thu, 4 Jan 2018 12:03:11 -0600, Mike Schwab wrote:
>On Thu, Jan 4, 2018 at 11:41 AM, Raja Mohan wrote:
>> Red Hat did confirm in their advisory that it impacts Linux on Z. We may have
>> to wait on IBM to confirm if it impacts z/OS, z/VM and z/VSE.
>>
>IBM, if it finds it, will only issue a patch without details.
>
This raises an interesting challenge to IBM's and other suppliers'
practice of embargoing discussion of security flaws until patches
are available.
Reportedly, Meltdown/Spectre arises from a widespread design oversight
which long went unrecognized. Repairs may be slow to appear if they
require new microcode or new CPU designs.
There, some mitigation may be possible and very desirable in software
changes, even to open-source software -- I've read that JavaScript may
provide an avenue of attack.
So necessary details must be disseminated to open-source developers
to craft patches and to testers to reproduce exploits and verify mitigation.
This is a broad target of not ideally disciplined technicians.
"Three May Keep a Secret if Two are Dead"
-- Benjamin Franklin
-- gil