How to patch Ubuntu 16.04 for Meltdown and Spectre


As of Jan 22 2018, Ubuntu kernel updates addressing the Meltdown and Spectre vulnerabilities across amd64, ppc64el and s390x have been released.

Before performing kernel updates on a production system, take a backup or snapshot of critical data. If you are using DigitalOcean, see DigitalOcean Backups and Snapshots Explained.

Firstly, to check which kernel version you have, run:

uname -a
Linux server_name 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

The output above shows kernel 4.4.0-116-generic, built Feb 12 2018, which is patched for Meltdown and Spectre.

To check for and apply new kernel updates:

sudo apt-get update
sudo apt-get dist-upgrade

When performing an update, first review what apt is going to do, then confirm that you want to apply the updates.

Once updates are complete, you must reboot the server: the new kernel is installed on disk but does not run until the next boot.

sudo reboot
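To put the check and the decision above into one step, here is an added POSIX sh script (not from the original post) that reads the running kernel with uname -r, compares it field by field against 4.4.0-116-generic, the version the post identifies as patched, and, on kernels that expose /sys/devices/system/cpu/vulnerabilities/, prints the kernel's own mitigation status for each listed vulnerability. The version threshold comes from the post; the function names and the assumption that the version string has Ubuntu's major.minor.patch-ABI-flavour form are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: report whether the running
# kernel is at or above the version the post calls patched, then show the
# kernel's own mitigation status where the kernel provides one.

# Version the post identifies as patched for Meltdown and Spectre (Feb 12 2018).
PATCHED_MIN="4.4.0-116-generic"

# num FIELD: echo FIELD if it is a non-empty string of digits, else 0.
# Keeps a flavour word such as "generic" from reaching the numeric tests.
num() {
    case "$1" in
        ''|*[!0-9]*) echo 0 ;;
        *)           echo "$1" ;;
    esac
}

# kernel_at_least RUNNING MINIMUM
# Returns 0 when RUNNING is the same as or newer than MINIMUM, comparing
# major, minor, patch and ABI numbers in turn (4.4.0-116-generic -> 4 4 0 116).
# Assumes Ubuntu's major.minor.patch-ABI-flavour form (hypothetical helper).
kernel_at_least() {
    running_fields=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    minimum_fields=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    set -- $running_fields
    r_major=$(num "$1") r_minor=$(num "$2") r_patch=$(num "$3") r_abi=$(num "$4")
    set -- $minimum_fields
    m_major=$(num "$1") m_minor=$(num "$2") m_patch=$(num "$3") m_abi=$(num "$4")
    for pair in "$r_major $m_major" "$r_minor $m_minor" \
                "$r_patch $m_patch" "$r_abi $m_abi"; do
        set -- $pair
        if [ "$1" -gt "$2" ]; then
            return 0          # newer at this position: at or above the minimum
        elif [ "$1" -lt "$2" ]; then
            return 1          # older at this position: below the minimum
        fi
    done
    return 0                  # identical version
}

# Kernels that carry the sysfs interface publish one status file per
# vulnerability; an older 4.4 kernel may lack the directory, in which case
# the version comparison above is the only check available.
report_sysfs_mitigations() {
    dir=/sys/devices/system/cpu/vulnerabilities
    if [ ! -d "$dir" ]; then
        echo "no $dir on this kernel; rely on the version check"
        return 1
    fi
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        printf '%s: %s\n' "${f##*/}" "$(cat "$f")"
    done
}

main() {
    running=$(uname -r)
    if kernel_at_least "$running" "$PATCHED_MIN"; then
        echo "kernel $running >= $PATCHED_MIN: patched according to the post"
    else
        echo "kernel $running < $PATCHED_MIN: run 'sudo apt-get update && sudo apt-get dist-upgrade', then reboot"
    fi
    report_sysfs_mitigations || true
}

main
```

The comparison is on the kernel that is actually running, not on what apt has installed, so a server that installed the update but has not rebooted still reports the old version, which is exactly the case the reboot step guards against.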

If you would prefer to have updates applied automatically, make sure the unattended-upgrades package is installed, then run sudo dpkg-reconfigure unattended-upgrades. Please note that updates may restart services on your server, so this may not be appropriate for all environments.

Meltdown and Spectre

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.

For more information:


2 replies


  1. I always do: sudo apt update and sudo apt upgrade.
    Does this way of updating also include the Spectre & Meltdown patches? Or do I need to specifically run: sudo apt-get dist-upgrade

    Thanks

    1. Firstly, to be sure you have the latest patches, run uname -a to check the kernel version. If the kernel date is after Feb 12, you should be patched.

      You should use apt-get dist-upgrade; apt dist-upgrade should also work. apt-get is being slowly phased out in favour of just apt, but both will work.

      If a new version of a package needs a new dependency, apt-get dist-upgrade will upgrade and install the dependency, apt-get upgrade won’t.

      Kernel upgrades usually come as a new package, which is a new dependency of the new version of the kernel metapackage. If you want to install kernel upgrades by command line, you need apt-get dist-upgrade. This is to make it possible to keep an old kernel and keep the system bootable if there is a bug in the new kernel or installation failed.

      If a new version of a package conflicts with an already installed package, apt-get dist-upgrade may remove the conflicting package and upgrade the other, apt-get upgrade won’t.

      When a new version of a package no longer depends on some dependency, both apt-get upgrade and apt-get dist-upgrade will upgrade the package and leave the dependency in place (possibly upgrading that too; there is no need to remove the ex-dependency), but it may become autoremovable.