Re: comment and new question--when do upgrades take effect (was: Re: Kernel for Spectre and Meltdown)
On Mon, 29 Jan 2018 08:18:35 -0500 rhkra...@gmail.com wrote:
> On Monday, January 29, 2018 03:35:58 AM Michael Fothergill wrote:
> > On 29 January 2018 at 07:52, Dextin Jerafmel wrote:
> > > I tried to search for available Kernel images but there isn't any
> > > newer Kernel than 4.9.0.5
> >
> > You need to upgrade to unstable (Debian Sid). Then you need to get
> > the latest kernel from the kernel.org website.
>
> I just want to emphasize that you don't need to upgrade to unstable
> (Debian Sid).
>
> See the response in this thread from Bastien Durel.
>
> Also, iiuc, the fixes for Spectre and Meltdown have been
> "backported" (probably not the right word) to Wheezy (which is my
> "everyday" machine). If I'm wrong about that, somebody can let me know.

I think this is only true for the Meltdown fix ("page tables isolation"); for the Spectre fix ("retpoline") work is apparently in progress.

Regards
Michael

.-.. .. ...- . .-.. --- -. --. .- -. -.. .--. .-. --- ... .--. . .-.
[Doctors and Bartenders], We both get the same two kinds of customers --
the living and the dying.
-- Dr. Boyce, "The Menagerie" ("The Cage"), stardate unknown
Re: comment and new question--when do upgrades take effect (was: Re: Kernel for Spectre and Meltdown)
On Mon 29 Jan 2018 at 13:43:20 (+), Joe wrote:
> On Mon, 29 Jan 2018 08:18:35 -0500
> rhkra...@gmail.com wrote:
>
> > I regularly download "security" upgrades for Wheezy. I assume that
> > most of those don't take effect until I restart the application. For
> > instance, a Firefox upgrade does not take effect until I shutdown
> > Firefox and restart it.
> >
> > Correspondingly, I assume that a Linux kernel upgrade does not take
> > effect until I reboot the machine.
>
> Yes, but it's a little more complicated. The modules used by the kernel
> (and the kernel file itself) *are* replaced during the process of
> upgrading the kernel, but the running code is not. There is a tiny
> chance of some kind of mismatch if new modules are loaded, so rebooting
> is recommended soon, and in the past I used to see a message to that
> effect, displayed during the upgrade.

For the benefit of the OP, who is unaware of the meaning of version numbers, it's worth pointing out that during their upgrade they got a new set of modules along with the kernel, because the new kernel was in a new package with a new name.

However, it's not clear that, having searched for a new kernel and found ("only") a 4.9.0-5 one, they have installed it. If they haven't, they need to, or else they will not receive further upgrades. Better still, install the most generic/least specific kernel metapackage so that upgrades will be automatic (or more obvious, depending on the tools used).

Cheers,
David.
Re: comment and new question--when do upgrades take effect (was: Re: Kernel for Spectre and Meltdown)
Does checkrestart (apt-get install checkrestart) prompt for application restarts on library updates, or only for daemons?

On Jan 29, 2018 08:43, "Joe" wrote:
> On Mon, 29 Jan 2018 08:18:35 -0500
> rhkra...@gmail.com wrote:
>
> > I regularly download "security" upgrades for Wheezy. I assume that
> > most of those don't take effect until I restart the application. For
> > instance, a Firefox upgrade does not take effect until I shutdown
> > Firefox and restart it.
> >
> > Correspondingly, I assume that a Linux kernel upgrade does not take
> > effect until I reboot the machine.
>
> Yes, but it's a little more complicated. The modules used by the kernel
> (and the kernel file itself) *are* replaced during the process of
> upgrading the kernel, but the running code is not. There is a tiny
> chance of some kind of mismatch if new modules are loaded, so rebooting
> is recommended soon, and in the past I used to see a message to that
> effect, displayed during the upgrade.
>
> Generally, user applications (e.g. Firefox) will not be restarted
> automatically, but most daemons will be, e.g. mysql, exim4. Some
> important daemons may request your input as to whether to restart or
> not, e.g. during a major upheaval such as a libc upgrade. Pretty much
> all software on a server is in the form of daemons, and generally
> rebooting a server is only necessary after a change of kernel.
>
> --
> Joe
Re: comment and new question--when do upgrades take effect (was: Re: Kernel for Spectre and Meltdown)
Hi,

On Mon, Jan 29, 2018 at 08:18:35AM -0500, rhkra...@gmail.com wrote:
> iiuc, the fixes for Spectre and Meltdown have been "backported"
> (probably not the right word) to Wheezy (which is my "everyday"
> machine). If I'm wrong about that, somebody can let me know.

The confusion here is that "Spectre and Meltdown" comprise multiple different (but related) vulnerabilities.

The dangerous effects of Meltdown are avoided in Linux by use of the KPTI feature, which is now in Debian's supported kernels.

Fixing one of the Spectre vulnerabilities requires new CPU microcode, possibly a new BIOS, new kernel features, and the kernel to be compiled with an as-yet unreleased version of GCC. For this you would currently need to get a few things from sid and build your own kernel. The risk/reward calculation for these actions requires some thought, because a suitable kernel update is likely to appear soon.

As for the other known Spectre vulnerability: no one has much of an idea how to avoid it yet, but probably will in the near future.

There are likely to be further vulnerabilities in this class that are as yet unknown, at least to the public. There are also likely to be new mitigations developed that get around known problems in less expensive ways. So expect a lot more kernel updates in our near future.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
Re: comment and new question--when do upgrades take effect (was: Re: Kernel for Spectre and Meltdown)
On Mon, Jan 29, 2018 at 08:18:35AM -0500, rhkra...@gmail.com wrote:
>
> I regularly download "security" upgrades for Wheezy. I assume that most of
> those don't take effect until I restart the application. For instance, a
> Firefox upgrade does not take effect until I shutdown Firefox and restart it.
>

That is correct.

> Correspondingly, I assume that a Linux kernel upgrade does not take effect
> until I reboot the machine.
>

Also correct.

You also need to be careful of library upgrades. For example, if there is an update to libssl, then any application that uses it (i.e., dynamically links it or dlopens it) needs to be restarted. If you run Postfix and Apache (and have their SSL features configured and active) you would need to restart them following a libssl upgrade in order to ensure that they are using the latest version.

Regards,

-Roberto

--
Roberto C. Sánchez
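The check behind checkrestart (asked about earlier in the thread) and the libssl case Roberto describes, as an added example that is not from any poster: a process that keeps the old library mapped after the package manager replaced it shows that mapping in /proc/PID/maps with a "(deleted)" marker. The function names, the skip-list heuristic and the sample maps excerpt are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): the check behind checkrestart/needrestart.
# After a library upgrade (e.g. libssl), a process that still maps the OLD file
# shows that mapping in /proc/PID/maps with a trailing "(deleted)" marker,
# because dpkg replaced the file on disk while the process kept the old inode.
# Such processes keep running unpatched code until they are restarted.

# Read one process's /proc/PID/maps from stdin and print the unique paths of
# mapped files that have been replaced on disk. Field 6 is the pathname and
# the kernel appends "(deleted)" as the final field. Shared-memory and memfd
# mappings are legitimately "(deleted)" and are skipped (heuristic skip-list).
stale_libs_in_maps() {
    awk '$6 ~ /^\// && $NF == "(deleted)" && $6 !~ /^\/(dev\/|memfd:|SYSV|run\/shm)/ { print $6 }' \
        | sort -u
}

# Walk every process on the host and print "PID COMM PATH" per stale mapping.
# Maps of other users' processes are only readable as root; unreadable ones
# are silently skipped, so run this as root for a complete picture.
report_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || continue
        stale_libs_in_maps 2>/dev/null < "$maps" | while read -r path; do
            printf '%s %s %s\n' "$pid" "$comm" "$path"
        done
    done
}

# Constructed sample of a maps file, as a Postfix or Apache worker might show
# it after libssl was upgraded underneath it (addresses and inodes are made up).
SAMPLE_MAPS='7f1c2a3b4000-7f1c2a5c4000 r-xp 00000000 fd:01 131072 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1c2a5c4000-7f1c2a7c4000 r--p 00210000 fd:01 131072 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1c2a7c4000-7f1c2a983000 r-xp 00000000 fd:01 131090 /lib/x86_64-linux-gnu/libc-2.13.so
7f1c2ab00000-7f1c2ab01000 rw-s 00000000 00:04 9 /dev/zero (deleted)
7ffd4c2e0000-7ffd4c301000 rw-p 00000000 00:00 0 [stack]'

# On the sample this prints only the replaced libssl path (libc is current).
printf '%s\n' "$SAMPLE_MAPS" | stale_libs_in_maps
```

Call `report_stale_processes` as root on a live host to get the per-process list; an empty result after a libssl upgrade means every consumer has already been restarted.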
Re: comment and new question--when do upgrades take effect (was: Re: Kernel for Spectre and Meltdown)
On Mon, 29 Jan 2018 08:18:35 -0500
rhkra...@gmail.com wrote:

> I regularly download "security" upgrades for Wheezy. I assume that
> most of those don't take effect until I restart the application. For
> instance, a Firefox upgrade does not take effect until I shutdown
> Firefox and restart it.
>
> Correspondingly, I assume that a Linux kernel upgrade does not take
> effect until I reboot the machine.

Yes, but it's a little more complicated. The modules used by the kernel (and the kernel file itself) *are* replaced during the process of upgrading the kernel, but the running code is not. There is a tiny chance of some kind of mismatch if new modules are loaded, so rebooting is recommended soon, and in the past I used to see a message to that effect, displayed during the upgrade.

Generally, user applications (e.g. Firefox) will not be restarted automatically, but most daemons will be, e.g. mysql, exim4. Some important daemons may request your input as to whether to restart or not, e.g. during a major upheaval such as a libc upgrade. Pretty much all software on a server is in the form of daemons, and generally rebooting a server is only necessary after a change of kernel.

--
Joe
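Joe's point that the kernel files are replaced while the old code keeps running, David's advice to make sure the new kernel package is actually installed, and Andy's note that KPTI is now in Debian's supported kernels, as one added example that is not from any poster: a shell check that compares the Debian package version embedded in the running kernel's `uname -v` with the installed `linux-image-$(uname -r)` package, and reads what the running kernel reports under /sys/devices/system/cpu/vulnerabilities. It assumes a Debian-built kernel (its `uname -v` contains "Debian <version>"), GNU `sort -V`, and that the vulnerabilities directory exists on kernels carrying the mitigations; the function names and the sample version strings are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): after apt-get installs a new kernel
# package, the new files sit on disk while the old kernel keeps running.
# Two checks answer "did my kernel upgrade take effect yet?": compare the
# package version baked into the running kernel with the installed package,
# and read the mitigation status the running kernel reports for Meltdown/Spectre.
# Assumes a Debian kernel (uname -v contains "Debian <version>") and GNU sort -V.

# "#1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04)" -> "4.9.65-3+deb9u2"
running_kernel_pkg_version() {
    printf '%s\n' "$1" | sed -n 's/.*Debian \([^ ]*\).*/\1/p'
}

# Succeeds (exit 0) when the installed version is newer than the running one,
# i.e. the upgrade only takes effect after a reboot. sort -V stands in for
# dpkg --compare-versions here (it does not understand epochs, a limitation).
reboot_pending() {
    running=$1; installed=$2
    [ "$running" != "$installed" ] || return 1
    newest=$(printf '%s\n%s\n' "$running" "$installed" | sort -V | tail -n 1)
    [ "$newest" = "$installed" ]
}

# Print "name: status" for each file in a vulnerabilities directory; the real
# one is /sys/devices/system/cpu/vulnerabilities (parameter exists for testing).
mitigation_status() {
    for f in "$1"/*; do
        [ -r "$f" ] || continue
        printf '%s: %s\n' "${f##*/}" "$(cat "$f")"
    done
}

# Live check against this host. linux-image-$(uname -r) is the Debian package
# name matching the running ABI; dpkg-query may be absent on non-Debian hosts.
check_host() {
    running=$(running_kernel_pkg_version "$(uname -v)")
    installed=$(dpkg-query -W -f='${Version}' "linux-image-$(uname -r)" 2>/dev/null || true)
    if [ -n "$running" ] && [ -n "$installed" ] && reboot_pending "$running" "$installed"; then
        echo "reboot pending: running $running, installed $installed"
    else
        echo "running kernel matches installed package (or not a Debian kernel)"
    fi
    mitigation_status /sys/devices/system/cpu/vulnerabilities
}

# Constructed values standing in for uname -v and dpkg-query output.
if reboot_pending "$(running_kernel_pkg_version '#1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04)')" '4.9.80-1'; then
    echo "sample host: reboot pending"
fi
```

Run `check_host` on a real machine; a "Vulnerable" line for meltdown alongside a pending reboot is exactly the state Joe describes, new files on disk but the old code still executing.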