Re: comment and new question--when do upgrades take effect (was: Re: Kernel for Spectre and Meltdown)

2018-01-29 Thread Michael Lange
On Mon, 29 Jan 2018 08:18:35 -0500
rhkra...@gmail.com wrote:

> On Monday, January 29, 2018 03:35:58 AM Michael Fothergill wrote:
> > On 29 January 2018 at 07:52, Dextin Jerafmel 
> > wrote:
> > > I tried to search for available Kernel images but there isn't any
> > > newer Kernel than 4.9.0.5
> 
> > You need to upgrade to unstable (Debian Sid).  Then you need to get
> > the latest kernel from the kernel.org website.
> 
> I just want to emphasize that you don't need to upgrade to unstable
> (Debian Sid).
> 
> See the response in this thread from Bastien Durel.
> 
> Also, iiuc, the fixes for Spectre and Meltdown have been
> "backported" (probably not the right word) to Wheezy (which is my
> "everyday" machine).  If I'm wrong about that, somebody can let me know.

I think this is only true for the Meltdown fix ("page tables isolation"),
for the Spectre fix ("retpoline") work is apparently in progress.

Regards

Michael


.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

[Doctors and Bartenders], We both get the same two kinds of customers
-- the living and the dying.
-- Dr. Boyce, "The Menagerie" ("The Cage"), stardate
unknown




2018-01-29 Thread David Wright
On Mon 29 Jan 2018 at 13:43:20 (+), Joe wrote:
> On Mon, 29 Jan 2018 08:18:35 -0500
> rhkra...@gmail.com wrote:
> 
> 
> > 
> > I regularly download "security" upgrades for Wheezy.  I assume that
> > most of those don't take effect until I restart the application.  For
> > instance, a Firefox upgrade does not take effect until I shutdown
> > Firefox and restart it.
> > 
> > Correspondingly, I assume that a Linux kernel upgrade does not take
> > effect until I reboot the machine.
> 
> Yes, but it's a little more complicated. The modules used by the kernel
> (and the kernel file itself) *are* replaced during the process of
> upgrading the kernel, but the running code is not. There is a tiny
> chance of some kind of mismatch if new modules are loaded, so rebooting
> is recommended soon, and in the past I used to see a message to that
> effect, displayed during the upgrade.

For the benefit of the OP, who is unaware of the meaning of version
numbers, it's worth pointing out that during their upgrade, they got
a new set of modules along with the kernel because the new kernel was
in a new package with a new name.

However, it's not clear that, having searched for a new kernel and
found ("only") a 4.9.0-5 one, they have installed it. If they haven't,
they need to, or else they will not receive further upgrades.
Better still, install the most generic/least specific kernel metapackage
so that upgrades will be automatic (or more obvious, depending on
the tools used).

Cheers,
David.




2018-01-29 Thread Boyan Penkov
Does checkrestart (apt-get install checkrestart) prompt for application
restarts on library updates, or only for daemons?

On Jan 29, 2018 08:43, "Joe"  wrote:

> On Mon, 29 Jan 2018 08:18:35 -0500
> rhkra...@gmail.com wrote:
>
>
> >
> > I regularly download "security" upgrades for Wheezy.  I assume that
> > most of those don't take effect until I restart the application.  For
> > instance, a Firefox upgrade does not take effect until I shutdown
> > Firefox and restart it.
> >
> > Correspondingly, I assume that a Linux kernel upgrade does not take
> > effect until I reboot the machine.
>
> Yes, but it's a little more complicated. The modules used by the kernel
> (and the kernel file itself) *are* replaced during the process of
> upgrading the kernel, but the running code is not. There is a tiny
> chance of some kind of mismatch if new modules are loaded, so rebooting
> is recommended soon, and in the past I used to see a message to that
> effect, displayed during the upgrade.
>
> Generally, user applications (e.g. Firefox) will not be restarted
> automatically, but most daemons will be e.g. mysql, exim4. Some
> important daemons may request your input as to whether to restart or
> not e.g. during a major upheaval such as a libc upgrade. Pretty much
> all software on a server is in the form of daemons, and generally
> rebooting a server is only necessary after a change of kernel.
>
> --
> Joe
>
>



2018-01-29 Thread Andy Smith
Hi,

On Mon, Jan 29, 2018 at 08:18:35AM -0500, rhkra...@gmail.com wrote:
> iiuc, the fixes for Spectre and Meltdown have been "backported"
> (probably not the right word) to Wheezy (which is my "everyday"
> machine).  If I'm wrong about that, somebody can let me know.

The confusion here is that "Spectre and Meltdown" comprise multiple
different (but related) vulnerabilities.

The dangerous effects of Meltdown are avoided in Linux by use of the
KPTI feature which is now in Debian's supported kernels.

Fixing one of the Spectre vulnerabilities requires new CPU
microcode, possibly a new BIOS, new kernel features and kernel to be
compiled with an as-yet unreleased version of GCC. For this you
would currently need to get a few things from sid and build your own
kernel. The risk/reward calculation for these actions requires some
thought because a suitable kernel update is likely to appear soon.

As for the other known Spectre vulnerability: no one has much of an
idea how to avoid yet, but probably will in the near future.

There are likely to be further vulnerabilities in this class that
are as-yet unknown at least to the public. There are also likely to
be new mitigations developed that get around known problems in less
expensive ways. So expect a lot more kernel updates in our near
future.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting




2018-01-29 Thread Roberto C. Sánchez
On Mon, Jan 29, 2018 at 08:18:35AM -0500, rhkra...@gmail.com wrote:
> 
> I regularly download "security" upgrades for Wheezy.  I assume that most of 
> those don't take effect until I restart the application.  For instance, a 
> Firefox upgrade does not take effect until I shutdown Firefox and restart it.
> 
That is correct.

> Correspondingly, I assume that a Linux kernel upgrade does not take effect 
> until I reboot the machine.
> 
Also correct.

You also need to be careful of library upgrades.  For example, if there
is an update to libssl, then any application that uses it (i.e.,
dynamically links it or dlopens it) needs to be restarted.  If you run
Postfix and Apache (and have their SSL features configured and active)
you would need to restart them following a libssl upgrade in order to
ensure that they are using the latest version.

Regards,

-Roberto

-- 
Roberto C. Sánchez




2018-01-29 Thread Joe
On Mon, 29 Jan 2018 08:18:35 -0500
rhkra...@gmail.com wrote:


> 
> I regularly download "security" upgrades for Wheezy.  I assume that
> most of those don't take effect until I restart the application.  For
> instance, a Firefox upgrade does not take effect until I shutdown
> Firefox and restart it.
> 
> Correspondingly, I assume that a Linux kernel upgrade does not take
> effect until I reboot the machine.

Yes, but it's a little more complicated. The modules used by the kernel
(and the kernel file itself) *are* replaced during the process of
upgrading the kernel, but the running code is not. There is a tiny
chance of some kind of mismatch if new modules are loaded, so rebooting
is recommended soon, and in the past I used to see a message to that
effect, displayed during the upgrade.

Generally, user applications (e.g. Firefox) will not be restarted
automatically, but most daemons will be e.g. mysql, exim4. Some
important daemons may request your input as to whether to restart or
not e.g. during a major upheaval such as a libc upgrade. Pretty much
all software on a server is in the form of daemons, and generally
rebooting a server is only necessary after a change of kernel.

-- 
Joe
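
Putting Joe's kernel point and Roberto's libssl point into a check you can run (an added example, not code from the thread and not the checkrestart program Boyan asks about): it lists processes whose mapped shared objects were replaced on disk, using the "(deleted)" marker the kernel shows in /proc/PID/maps, and compares `uname -r` with the newest vmlinuz-* image in /boot. It assumes only the Linux /proc layout and Debian's /boot/vmlinuz-<version> file names; the maps excerpt embedded in it is constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): find processes still mapping a shared
# object that has been replaced on disk, and compare the running kernel with
# the newest installed kernel image. Assumes a Linux /proc layout and Debian's
# /boot/vmlinuz-<version> naming; run as root to see other users' processes.

# stale_libs_in_maps FILE
# Print the distinct paths of mapped shared objects that the kernel marks
# "(deleted)" in a /proc/PID/maps-style file, i.e. the file was unlinked or
# replaced after the process mapped it (which is what a libssl upgrade does).
stale_libs_in_maps() {
    awk 'NF >= 7 && $6 ~ /\.so(\.|$)/ && $7 == "(deleted)" { print $6 }' "$1" | sort -u
}

# stale_processes
# Print "PID COMMAND LIBRARY" for every readable process that still maps a
# replaced shared object. These are the processes that need a restart.
stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale_libs_in_maps "$maps" 2>/dev/null | while IFS= read -r lib; do
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# newest_installed_kernel BOOTDIR
# Print the highest version among the vmlinuz-* images in BOOTDIR (empty if
# none). sort -V orders 4.9.0-10 after 4.9.0-9, which plain sort would not.
newest_installed_kernel() {
    ls "$1"/vmlinuz-* 2>/dev/null | sed 's#.*/vmlinuz-##' | sort -V | tail -n 1
}

# kernel_reboot_needed RUNNING NEWEST
# True (exit 0) when the newest installed image is not the one running,
# i.e. the kernel file was replaced but the running code was not.
kernel_reboot_needed() {
    [ -n "$2" ] && [ "$1" != "$2" ]
}

# sample_maps
# Constructed /proc/PID/maps excerpt for demonstration: an apache2 process that
# mapped libssl before the library package was upgraded.
sample_maps() {
    cat <<'EOF'
00400000-00401000 r-xp 00000000 fd:01 1001 /usr/sbin/apache2
7f0000000000-7f0000001000 r-xp 00000000 fd:01 2002 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f0000001000-7f0000002000 r--p 00001000 fd:01 2002 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f0000002000-7f0000003000 r-xp 00000000 fd:01 3003 /usr/lib/x86_64-linux-gnu/libc-2.24.so
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0 [stack]
EOF
}

main() {
    echo "Constructed sample: replaced libraries still mapped by one process"
    tmp=$(mktemp)
    sample_maps > "$tmp"
    stale_libs_in_maps "$tmp"
    rm -f "$tmp"

    running=$(uname -r)
    newest=$(newest_installed_kernel /boot)
    if kernel_reboot_needed "$running" "$newest"; then
        echo "Reboot needed: running $running, newest installed $newest"
    else
        echo "Running kernel $running matches the newest installed image (or no image found in /boot)"
    fi

    echo "Live processes still mapping replaced shared objects:"
    stale_processes
}

main "$@"
```

A process listed for libssl is exactly the Postfix or Apache case Roberto describes: it keeps running the old code until restarted. The kernel check only says whether the newest installed image is the one running; it says nothing about which mitigations that image carries, so a reboot onto the new package is the step that makes a kernel upgrade take effect, not the upgrade itself.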