CentOS 6 I386 – Meltdown And Spectre


I have a clean install, fully updated CentOS 6 32-bit.

When I run the Red Hat detection script:
https://access.redhat.com/sites/default/files/spectre-meltdown--a79614b.sh

it finds that the system is vulnerable.

Is this a false positive, or are there no patches for CentOS 6 32-bit systems?

Thank you,

— Peter

7 thoughts on - CentOS 6 I386 – Meltdown And Spectre

  • I have built all the source code releases from upstream for RHEL-6 regarding meltdown/spectre and released those into packages into the CentOS Linux 6.9 updates repository.

    As to whether or not either Arch (x86_64 or i386) is or is not vulnerable, the CentOS team does not test for or make claims concerning security fitness. What we do is build the source code that is released upstream.

    Users must test for (and validate) the security fitness of CentOS Linux for their own usage profiles. If you require fully tested solutions with software assurance and validated security, that is what RHEL is for, right?

    You can read more about those issues here:
    https://access.redhat.com/security/vulnerabilities/speculativeexecution

    Thanks, Johnny Hughes

  • Hi Johnny,

    Thank you for your reply.

    It seems to me that my message may have come across as offensive, but that was not my intent. I have a basic understanding of how things work, and when I said CentOS I actually meant Red Hat and all its derivatives. I asked the CentOS community because that’s the community I’m a member of. Not to say that CentOS is not secure or anything like that.

    Anyway, I’m stuck with a few 32bit systems exposed to customers and I have to come up with an answer to their question about meltdown/spectre. At this point all I can say is that Red Hat hasn’t patched 32bit systems but that is hard to believe so I assumed that I’m wrong and decided to ask the community.

    Thank you,

    — Peter

  • According to a Q&A page about Meltdown and Spectre:

    Question – Is the patch available for 32 bit RHEL 6.9?
    Answer – 32-bit patches are pending, being of lower priority than our RHEL 5 work at this time.

    Apparently, it is not getting a high priority.

    Akemi

  • I note Red Hat released el5 kernel updates on Wednesday for Meltdown and Spectre for both i386 and x86_64 architectures [RHSA-2018:0464-01], so maybe 32-bit rhel6 is next on the list (seems strange to me that Red Hat would prioritize RHEL5 over RHEL6, but there you go).

    There is also a handy script to check the status on your systems here:

    https://github.com/speed47/spectre-meltdown-checker

    I do not have any el6 systems running so have not tried it on el6.

  • Awesome. Thank you.

    Embarrassing, but I can’t find the Q&A page with this question. Can you please post a link to it?

    Thanks,

    — Peter

  • Not at all Peter .. I just wanted to take the opportunity to explain to people what the CentOS Linux policy about security updates is and how we handle security issues in CentOS Linux.

    We strive to build updated source code as soon as it is released by Red Hat for RHEL .. BUT, we do no official testing for security (whether there is an actual problem or not .. nor whether the updated source code fixes said security problem).

    We just build the source code as it comes out, when it is released, as fast as we can. We test that the resultant RPMs work and if we introduce any inconsistencies in CentOS that do not exist in RHEL, we try to fix and rebuild the packages.

    But we don’t make any claims that any security issues are fixed, or any claims that CentOS Linux is fit for any purpose whatsoever. CentOS Linux is what it is .. a rebuild of the RHEL source code, as it is released, modified to remove branding to comply with Red Hat’s trademark policy. Nothing more, nothing less.

    I am quite happy for people to discuss their testing of CentOS Linux for Security issues and updates on this list (or wherever else they want), with the understanding that there is no official testing performed or assurance given by the CentOS Project with respect to security.

    Again, I am not in any way offended or upset, not even in the slightest. I’m sorry if my email gave you that impression.

    Thanks, Johnny Hughes