From the Tue Aug 28 22:05:19 UTC 2018 Stable ChangeLog for x86_64:
"To see the status of CPU vulnerability mitigations on your system, look at the files in: /sys/devices/system/cpu/vulnerabilities"
I did and found these files:
l1tf, meltdown, spec_store_bypass, spectre_v1, spectre_v2
spec_store_bypass says "Vulnerable"
magicm in this post ran spectre-meltdown-checker.sh, so I did and found:
Checking for vulnerabilities on current system
Kernel is Linux 4.4.153 #1 SMP Tue Aug 28 16:08:22 CDT 2018 x86_64
CPU is Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz
CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability: NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)
CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Mitigated according to the /sys interface: NO (Vulnerable)
* Kernel supports speculation store bypass: YES (found in /proc/self/status)
> STATUS: VULNERABLE (Your CPU doesn't support SSBD)
I did the SBo intel-microcode SlackBuild as magicm did, but CVE-2018-3640 says the same thing.
I see /lib/firmware/intel-ucode/, "intel-microcode (20180807)". SBo didn't address my CPU?
EDIT: SBo says "INITRD /boot/intel-ucode.cpio,/boot/initrd-generic.gz". Is that when doing mkinitrd?
Looks like some CVEs are handled by the distribution, as Slackware did for l1tf, and some CVEs by the end-user.
I don't know much about handling CVEs; I'm trying to learn and understand now.
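The check quoted from the ChangeLog at the top of this post can be scripted. The following is an added example, not part of the original post or of spectre-meltdown-checker.sh; the function names are hypothetical, and the sample status strings are constructed, apart from the "Vulnerable" value for spec_store_bypass reported above.

```shell
#!/bin/sh
# classify_status STRING: map a sysfs status string to a class.
# Strings that start with none of the three prefixes are reported as "unknown".
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# vuln_report DIR: print "name<TAB>class<TAB>raw status" for each file in DIR.
vuln_report() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f" 2>/dev/null) || status=""
        printf '%s\t%s\t%s\n' "$(basename "$f")" \
            "$(classify_status "$status")" "$status"
    done
}

# count_class DIR CLASS: number of entries in DIR whose class equals CLASS.
count_class() {
    vuln_report "$1" |
        awk -F '\t' -v c="$2" '$2 == c { n++ } END { print n + 0 }'
}

# make_sample_dir: build a constructed stand-in for the sysfs directory so the
# script runs anywhere; prints the path of the temporary directory.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'Mitigation: PTE Inversion\n' > "$d/l1tf"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spec_store_bypass"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample_dir)
vuln_report "$sample"
echo "vulnerable entries: $(count_class "$sample" vulnerable)"
rm -rf "$sample"
```

On a live system, call `vuln_report /sys/devices/system/cpu/vulnerabilities` instead of using the sample directory.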