Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Suggest tweaks to meltdown advisory #4220

Merged
merged 2 commits into from
Jan 8, 2018
Merged

Suggest tweaks to meltdown advisory #4220

merged 2 commits into from
Jan 8, 2018

Conversation

justinsb
Copy link
Member

@justinsb justinsb commented Jan 8, 2018

No description provided.

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 8, 2018
chrislovecnm
chrislovecnm reviewed Jan 8, 2018
View reviewed changes
docs/advisories/meltdown-kernel-update.md Outdated
@@ -1,40 +1,35 @@
## Meltdown and Spectre Advisory
## Kernel Update required for "Meltdown" issue
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This addresses one of the Spectre issues as well.

docs/advisories/meltdown-kernel-update.md Outdated
@@ -43,7 +38,8 @@ dmesg -H | grep 'page tables isolation'

## Impacted Maintained Component(s)

- kops maintained AMI
* Patches were released for the linux kernel 2018-01-05. All images prior to this date likely need updates.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is good information, but it does not match the heading.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure what you mean

docs/advisories/meltdown-kernel-update.md Outdated

`kops get ig --name $CLUSTER`

#### Edit the kops instance groups
#### Replace the image for each instance group
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They are not replacing. Maybe the wrong verb? They are modifying the cluster???

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit pick btw

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changing to Update the image for each instance group

chrislovecnm
chrislovecnm reviewed Jan 8, 2018
View reviewed changes
docs/advisories/README.md Outdated
@@ -1,7 +1,8 @@
## kops Advisories

- [Meltdown and Spectre](meltdown-spectre.md)
- [Meltdown Kernel Update Required](meltdown-kernel-update.md)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am confused, as I am reading that one spectre cve and one meltdown cve was fixed.

From https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

So far, there are three known variants of the issue:

Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)

Before the issues described here were publicly disclosed, Daniel Gruss, Moritz Lipp, Yuval Yarom, Paul Kocher, Daniel Genkin, Michael Schwarz, Mike Hamburg, Stefan Mangard, Thomas Prescher and Werner Haas also reported them; their [writeups/blogposts/paper drafts] are at:

Spectre (variants 1 and 2)
Meltdown (variant 3)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Grrr... I think you're right. I'll tweak - I'm just calling to call them spectre/meltdown. The separate CVEs are just muddying the waters IMO

@justinsb
Fixes per code review
17774c5 
Treat "spectre/meltdown" as one vuln, and stay away from parsing which
CVE is which.

The advisory is that the kernel must be updated, which CVEs are fixed
(or not) are not really the issue.
@chrislovecnm
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 8, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chrislovecnm

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 8, 2018
@k8s-ci-robot k8s-ci-robot merged commit 2c8a4dd into kubernetes:master Jan 8, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chrislovecnm chrislovecnm chrislovecnm approved these changes

Assignees

@chrislovecnm chrislovecnm

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@justinsb @chrislovecnm @k8s-ci-robot