As of Jan 22 2018, Ubuntu kernel updates addressing the Meltdown and Spectre vulnerabilities across amd64, ppc64el and s390x have been released.
Before performing kernel updates on a production system, take a backup or snapshot of critical data. If you are using DigitalOcean, please see DigitalOcean Backups and Snapshots Explained.
Firstly, to check which kernel version you have, run:
uname -a
Linux server_name 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Above we are on version 4.4.0-116-generic, dated Feb 12, and patched for Meltdown and Spectre.
To check for and apply new kernel updates:
sudo apt-get update
sudo apt-get dist-upgrade
When performing an update, first review what apt is going to do, then confirm that you want to apply the updates.
Once updates are complete, you must reboot the server to apply kernel patches.
sudo reboot
If you would prefer to have updates applied automatically, make sure the unattended-upgrades package is installed, then run:
sudo dpkg-reconfigure unattended-upgrades
Please note that updates may restart services on your server, so this may not be appropriate for all environments.
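The post leaves two checks to the reader once the server is back up: which kernel ABI is actually running, and what the kernel itself reports for each vulnerability. The script below is an added example, not code from the original post; it assumes the running Ubuntu kernel is recent enough to expose /sys/devices/system/cpu/vulnerabilities/ (older kernels lack that directory entirely), and it treats 116, the ABI number shown above, as the minimum to compare against (pass whatever minimum your distro advisory names). The VULN_DIR override exists so the functions can be exercised against constructed files.

```shell
#!/bin/sh
# Added example (not code from the original post): after rebooting into the new
# kernel, confirm the running kernel ABI and the per-vulnerability status that
# the kernel exposes under /sys/devices/system/cpu/vulnerabilities/.
# Assumption: the kernel is new enough to provide that directory.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# kernel_abi "4.4.0-116-generic" -> 116  (the ABI number between the first two dashes)
kernel_abi() {
    printf '%s\n' "$1" | cut -d- -f2
}

# kernel_abi_at_least RELEASE MIN -> true when RELEASE's ABI number is >= MIN.
# 116 is the ABI the post shows as patched; use the minimum your advisory names.
kernel_abi_at_least() {
    abi=$(kernel_abi "$1")
    case "$abi" in ''|*[!0-9]*) return 2 ;; esac   # not an Ubuntu-style release string
    [ "$abi" -ge "$2" ]
}

# classify_status "Mitigation: PTI" -> mitigated | vulnerable | not-affected | unknown
# The prefixes follow the kernel's documented sysfs ABI for these files.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# report_vulnerabilities DIR -> one line per file: name, classification, raw text.
# Returns 0 only if nothing is vulnerable/unknown, 1 otherwise, 2 if DIR is missing.
report_vulnerabilities() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir not present: this kernel predates the sysfs vulnerability interface" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        raw=$(cat "$f")
        status=$(classify_status "$raw")
        printf '%-14s %-13s %s\n' "$name" "$status" "$raw"
        case "$status" in vulnerable|unknown) rc=1 ;; esac
    done
    return "$rc"
}

# Stand-alone run on the live system (the functions above can also be sourced).
release=$(uname -r)
printf 'running kernel: %s (ABI %s)\n' "$release" "$(kernel_abi "$release")"
report_vulnerabilities "$VULN_DIR"
```

A non-zero return from report_vulnerabilities after the reboot means either the new kernel did not boot (check the ABI line first) or a mitigation is not active on this hardware, for example a spectre_v2 line still reading "Vulnerable" because the CPU microcode has not been updated; the kernel package alone does not fix that.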
Meltdown and Spectre
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.
For more information:
I always do:
sudo apt update
and
sudo apt upgrade
Does this way of updating also include the Spectre & Meltdown patches? Or do I need to specifically run:
sudo apt-get dist-upgrade
Thanks
Firstly, to be sure you have the latest patches, run
uname -a
to check the kernel version. If the kernel date is after Feb 12, you should be patched.
You should use
apt-get dist-upgrade
apt dist-upgrade
should also work. apt-get is being slowly phased out in favour of just apt, but both will work.
If a new version of a package needs a new dependency, apt-get dist-upgrade will upgrade and install the dependency; apt-get upgrade won't.
Kernel upgrades usually come as a new package, which is a new dependency of the new version of the kernel metapackage. If you want to install kernel upgrades by command line, you need apt-get dist-upgrade. This is to make it possible to keep an old kernel and keep the system bootable if there is a bug in the new kernel or the installation failed.
If a new version of a package conflicts with an already installed package, apt-get dist-upgrade may remove the conflicting package and upgrade the other; apt-get upgrade won't.
When a new version of a package no longer depends on some dependency, both apt-get upgrade and apt-get dist-upgrade will upgrade the package and leave the dependency in place (possibly upgrading that too; there is no need to remove the ex-dependency), but it may become autoremovable.
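The reply above explains why a kernel update arrives as a brand-new package that only dist-upgrade will pull in, and the post itself asks you to review what apt is going to do before confirming. The functions below are an added example, not code from the post or the comment thread: they summarise the plan printed by apt-get's simulate mode (apt-get -s dist-upgrade, which changes nothing), where an "Inst pkg (ver ...)" line with no bracketed old version is a NEW package, "Inst pkg [old] (new ...)" is an upgrade of an installed package, and "Remv pkg [ver]" is a removal. The sample plan embedded in the script is constructed; its version strings are made up to match the 4.4.0-116 kernel the post shows and are not taken from a real apt run.

```shell
#!/bin/sh
# Added example (not from the post or its comments): inspect what
# "apt-get -s dist-upgrade" plans to do before confirming the real upgrade.
# Stand-alone use on an Ubuntu host:
#   apt-get -s dist-upgrade | tee plan.txt | count_plan
#   new_kernel_images < plan.txt

# Constructed sample of simulate output for a kernel metapackage upgrade.
# Versions are invented to match the 4.4.0-116 (#140) kernel the post reports.
SAMPLE_PLAN='Inst linux-image-4.4.0-116-generic (4.4.0-116.140 Ubuntu:16.04/xenial-updates [amd64])
Inst linux-image-extra-4.4.0-116-generic (4.4.0-116.140 Ubuntu:16.04/xenial-updates [amd64])
Inst linux-image-generic [4.4.0.112.118] (4.4.0.116.122 Ubuntu:16.04/xenial-updates [amd64])
Inst linux-generic [4.4.0.112.118] (4.4.0.116.122 Ubuntu:16.04/xenial-updates [amd64])
Conf linux-image-4.4.0-116-generic (4.4.0-116.140 Ubuntu:16.04/xenial-updates [amd64])
Remv old-conflicting-pkg [1.0-1]'

# count_plan < plan -> "new=N upgraded=N removed=N"
# A third field starting with "[" is the currently installed version, so the
# line is an upgrade; without it the package is being installed fresh.
count_plan() {
    awk '
        $1 == "Inst" && substr($3, 1, 1) == "[" { up++ ; next }
        $1 == "Inst"                           { new++ ; next }
        $1 == "Remv"                           { removed++ }
        END { printf "new=%d upgraded=%d removed=%d\n", new, up, removed }'
}

# new_kernel_images < plan -> names of NEW linux-image-* packages, one per line.
# These are the packages that "apt-get upgrade" would hold back and never install.
new_kernel_images() {
    awk '$1 == "Inst" && substr($3, 1, 1) != "[" && $2 ~ /^linux-image-/ { print $2 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PLAN" | count_plan
printf '%s\n' "$SAMPLE_PLAN" | new_kernel_images
```

On the sample this reports new=2 upgraded=2 removed=1 and names the two new linux-image packages; the removed line is the case the reply describes where dist-upgrade drops a conflicting package, which is exactly what to look for before typing "y".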