[SOLVED] Which kernel do I need to upgrade to to be safe from vulnerabilities?

  • This topic has 33 replies, 6 voices, and was last updated Jul 31-10:29 pm by h2.
  • #63680
    Member
    CyberGhost

      Based on my system info, can someone please tell me what kernel I need to upgrade to? When I go to PC information and select full info, it says that my kernel is vulnerable to meltdown. Not sure about if I’m vulnerable to spectre or the CVE-2019-8912, Zombieload, “SACK Panic”. It doesn’t say anything about those. Thanks

      Which of these kernels?

      5.10.52 (64bit and 32 bit pae and non-pae-486)
      4.19.198 (64bit and 32 bit pae and non-pae-486)
      4.9.0-276 (64 bit and 32 bit pae and non-pae-486)
      4.4.0-276 (64 bit and 32 bit pae and non-pae-486)

      My System Info:

      Host: antixworkmachine Kernel: 4.9.235-antix.1-486-smp i686 bits: 32
      compiler: gcc v: 8.3.0 Desktop: IceWM 2.6.0 dm: SLiM 1.3.6
      Distro: antiX-19.3_386-full Manolis Glezos 15 October 2020
      base: Debian GNU/Linux 10 (buster)
      Machine:
      Type: Laptop System: Hewlett-Packard
      product: HP Pavilion dv1000 (PR425UA#ABA) v: Rev 1 serial: <filter>
      Chassis: Quanta type: 10 serial: <filter>
      Mobo: Quanta model: 09B8 v: 34.20 serial: <filter> BIOS: Hewlett-Packard
      v: F.12 date: 11/08/2004
      Battery:
      ID-1: BAT0 charge: 49.3 Wh condition: 49.3/88.8 Wh (55%) volts: 12.6/14.8
      model: Hewlett-Packard JM-12 type: Li-ion serial: <filter>
      status: Charging
      Memory:
      RAM: total: 967.6 MiB used: 495.0 MiB (51.2%)
      RAM Report:
      permissions: Unable to run dmidecode. Root privileges required.
      CPU:
      Topology: Single Core model: Intel Pentium M bits: 32 type: MCP
      arch: M Dothan rev: 6 L2 cache: 2048 KiB bogomips: 1994
      Speed: 1000 MHz min/max: 600/1600 MHz Core speed (MHz): 1: 1000
      Flags: acpi apic bts clflush cmov cx8 de dts est fpu fxsr mca mce mmx msr
      mtrr pbe pge pse sep ss sse sse2 tm tm2 tsc vme
      Graphics:
      Device-1: Intel 82852/855GM Integrated Graphics vendor: Hewlett-Packard
      driver: i915 v: kernel bus ID: 00:02.0 chip ID: 8086:3582
      Display: x11 server: X.Org 1.20.4 driver: intel
      unloaded: fbdev,modesetting,vesa resolution: 1280×768~60Hz
      OpenGL: renderer: Mesa DRI Intel 852GM/855GM x86/MMX/SSE2
      v: 1.3 Mesa 18.3.6 direct render: Yes
      Audio:
      Device-1: Intel 82801DB/DBL/DBM AC97 Audio vendor: Hewlett-Packard
      driver: snd_intel8x0 v: kernel bus ID: 00:1f.5 chip ID: 8086:24c5
      Sound Server: ALSA v: k4.9.235-antix.1-486-smp
      Network:
      Device-1: Realtek RTL-8100/8101L/8139 PCI Fast Ethernet Adapter
      vendor: Hewlett-Packard driver: 8139too v: 0.9.28 port: 3000
      bus ID: 02:00.0 chip ID: 10ec:8139
      IF: eth0 state: up speed: 100 Mbps duplex: full mac: <filter>
      IP v4: <filter> type: dynamic scope: global broadcast: <filter>
      IP v6: <filter> type: dynamic mngtmpaddr scope: global
      IP v6: <filter> scope: link
      Device-2: Intel PRO/Wireless 2200BG [Calexico2] Network
      vendor: Hewlett-Packard driver: ipw2200 v: 1.2.2kmprq port: 3000
      bus ID: 02:06.0 chip ID: 8086:4220
      IF: eth1 state: down mac: <filter>
      WAN IP: <filter>
      Drives:
      Local Storage: total: 149.05 GiB used: 4.29 GiB (2.9%)
      ID-1: /dev/sda vendor: Hitachi model: HTS541616J9AT00 size: 149.05 GiB
      speed: <unknown> serial: <filter> rev: A70H scheme: MBR
      Optical-1: /dev/sr0 vendor: PIONEER model: DVD-RW DVR-K14 rev: 1.14
      dev-links: cdrom,cdrw,dvd,dvdrw
      Features: speed: 24 multisession: yes audio: yes dvd: yes
      rw: cd-r,cd-rw,dvd-r state: running
      RAID:
      Message: No RAID data was found.
      Partition:
      ID-1: / size: 143.71 GiB used: 4.29 GiB (3.0%) fs: ext4 dev: /dev/sda1
      label: rootantiX19 uuid: bcb76786-db48-47e6-941e-d64e36d55b3b
      ID-2: swap-1 size: 2.00 GiB used: 2.2 MiB (0.1%) fs: swap dev: /dev/sda2
      label: swapantiX uuid: 514ea29d-134a-4b3b-89f5-c3810bb41dc5
      Unmounted:
      Message: No unmounted partitions found.
      USB:
      Hub: 1-0:1 info: Full speed (or root) Hub ports: 6 rev: 2.0
      speed: 480 Mb/s chip ID: 1d6b:0002
      Hub: 2-0:1 info: Full speed (or root) Hub ports: 2 rev: 1.1 speed: 12 Mb/s
      chip ID: 1d6b:0001
      Device-1: 2-2:6 info: Pixart Imaging Optical Mouse type: Mouse
      driver: hid-generic,usbhid interfaces: 1 rev: 2.0 speed: 1.5 Mb/s
      chip ID: 093a:2510
      Hub: 3-0:1 info: Full speed (or root) Hub ports: 2 rev: 1.1 speed: 12 Mb/s
      chip ID: 1d6b:0001
      Hub: 4-0:1 info: Full speed (or root) Hub ports: 2 rev: 1.1 speed: 12 Mb/s
      chip ID: 1d6b:0001
      Sensors:
      System Temperatures: cpu: 65.0 C mobo: N/A
      Fan Speeds (RPM): N/A
      Info:
      Processes: 138 Uptime: 48m Init: SysVinit v: 2.93 runlevel: 5 default: 5
      Compilers: gcc: 8.3.0 alt: 8 Shell: bash v: 5.0.3 running in: roxterm
      inxi: 3.0.36
      #63681
      Moderator
      Brian Masinick

        Your report says that you are currently using the 4.9.235-antix.1-486-smp i686 kernel; therefore, if you replace it with the 4.9.0-276 486-smp i686 kernel, that one will replace the one that you are currently using.

        You can TRY any of them, but since the 4.9 series is the one that worked, I’d replace that one and try it FIRST, and rely on that one.

        --
        Brian Masinick

        #63683
        Member
        CyberGhost

          Ok thank you so much!

          #63688
          Moderator
          Brian Masinick

            You’re welcome. Please write back and let us know how it goes. Should you run into any problems, please provide nice details, as you did in your previous report. Best wishes!

            --
            Brian Masinick

            #63689
            Member
            CyberGhost

              Well I can’t find that kernel you mentioned in the package manager or synaptic package manager. Here’s what is listed in package manager. See the screenshot I have included. Thanks

              #63691
              Moderator
              Brian Masinick

                I would recommend doing sudo apt-get update, followed by sudo apt-get dist-upgrade.
                One, you MAY get lucky; depending on your system setup, it MAY offer to update and upgrade the system kernels you currently have installed.

                If not, the following command will help:
                sudo apt-cache search linux-image

                It may show you more than you need, but it should show you the available kernels; you can also add the version, such as
                sudo apt-cache search linux-image-4.9 and see if that helps.

                Let me know; after running the sudo apt-get update, even if you don’t yet see the kernels in the tool, you should be able to install them via the command sudo apt install linux-image (adding the specific number and type of the kernel you need; for example: sudo apt install linux-image-5.10.0-8-amd64 (I’m getting that from a different system; that’s only an EXAMPLE)).

                --
                Brian Masinick

                #63714
                Member
                CyberGhost

                  After running sudo apt-get update and sudo apt-get dist-upgrade, there were no changes or other options. I’m pretty sure I upgraded to 19.4 a while back but it still shows 19.3 which I have read on another thread that is to determine what support a user needs and/or what base they started from or something like that. I ran sudo apt-cache search linux-image and you’re right there are a ton of different kernel versions listed! I did find these kernel versions which look similar to what you suggested to use:

                  linux-image-4.9.0-276-antix.1-486-smp – Linux kernel, version 4.9.0-276-antix.1-486-smp
                  linux-image-4.9.0-276-antix.1-686-smp-pae – Linux kernel, version 4.9.0-276-antix.1-686-smp-pae

                  Which one should I use? I mean if those are the correct versions to use.

                  #63718
                  Member
                  Xecure

                    I will explain the terminal way with cli-aptiX tool.
                    sudo cli-aptiX
                    After checking for updates (you can ignore this step and say no), go to “Search for antiX kernels”. View the leading results.
                    The latest 4.9 kernel is named linux-image-4.9.0-276-antix. You will have to check in what position it is (in my system it is the tenth, but I am on an amd64 system).
                    You will probably also have to pay attention if it is linux-image-4.9.0-276-antix.1-486-smp (non-pae I think it is).
                    Write the number corresponding to the position and hit the Enter key. Select the option that says install package “linux-image-4.9.0-276-antix.1-486-smp” (or whatever name the package has) and install it.
                    On next reboot, in the Advanced options in Grub, select this new kernel. If it boots properly, you can remove/uninstall the previous kernel (4.9.235-antix.1-486-smp) to make this new one the default (on the next boot).

                    A note. Inxi says your CPU is vulnerable, but that doesn’t mean your kernel isn’t patched. Not all CPUs are vulnerable to all the exploits, so I think this is just an informative message related to your CPU architecture. I think the 4.9.235 already brings the kernel patches. See:
                    https://antixlinux.com/spectre-and-meltdown-security-kernel-upgrades/
                    https://antixlinux.com/zombieload-security-patched-kernels/
                    These are older kernels with said vulnerabilities patched. So the 4.9.235 includes the patches.

                    I hope this information is useful.

                    antiX Live system enthusiast.
                    General Live Boot Parameters for antiX.

                    #63752
                    Member
                    CyberGhost

                      Ok I installed the linux-image-4.9.0-276-antix.1-486-smp successfully. I figured out how to remove my previous kernel through synaptic package manager too. Thank you so much for all of your help!

                      Update: OK I thought synaptic package manager removed it but it didn’t so I removed it via terminal. Thanks again!

                      #63765
                      Member
                      Xecure

                        EDIT: It seems you figured it out perfectly. Good job.

                        OLD:
                        You can do it from synaptic. You need to find and uninstall

                        linux-image-4.9.235-antix.1-486-smp
                        linux-headers-4.9.235-antix.1-486-smp

                        You can also uninstall in one line in the terminal
                        sudo apt purge linux-image-4.9.235-antix.1-486-smp linux-headers-4.9.235-antix.1-486-smp


                        antiX Live system enthusiast.
                        General Live Boot Parameters for antiX.

                        #63771
                        Moderator
                        Brian Masinick

                          linux-image-4.9.0-276-antix.1-486-smp – Linux kernel, version 4.9.0-276-antix.1-486-smp
                          linux-image-4.9.0-276-antix.1-686-smp-pae – Linux kernel, version 4.9.0-276-antix.1-686-smp-pae

                          Those are kernels that you can use, and as I see, you did, in fact, figure out how to do this. Congratulations on your success.

                          I’m sure it gave you some satisfaction to figure it out, and you can build on this as you work with the system and other packages.

                          Synaptic definitely makes it easier, but when you can use the various tools from the command line (apt and apt-get are two of them, the low level dpkg is the fundamental one) you’ll be able to manage nearly any task on your own, and you’ll probably be able to help others too. Nice work!

                          --
                          Brian Masinick

                          #63941
                          Member
                          h2

                            Just as an aside, inxi -Ca shows the mitigation status:

                            inxi -Ca
                            CPU:
                              Info: 6-Core model: AMD Ryzen 5 2600 bits: 64 type: MT MCP arch: Zen+ 
                              family: 17 (23) model-id: 8 stepping: 2 microcode: 8008204 cache: L2: 3 MiB 
                              flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm 
                              bogomips: 81586 
                              Speed: 3898 MHz min/max: 1550/3400 MHz boost: enabled Core speeds (MHz): 
                              1: 3898 2: 3898 3: 3809 4: 3386 5: 3693 6: 3393 7: 2709 8: 1715 9: 2392 
                              10: 1971 11: 1539 12: 1415 
                              Vulnerabilities: Type: itlb_multihit status: Not affected 
                              Type: l1tf status: Not affected 
                              Type: mds status: Not affected 
                              Type: meltdown status: Not affected 
                              Type: spec_store_bypass 
                              mitigation: Speculative Store Bypass disabled via prctl and seccomp 
                              Type: spectre_v1 
                              mitigation: usercopy/swapgs barriers and __user pointer sanitization 
                              Type: spectre_v2 mitigation: Full AMD retpoline, IBPB: conditional, STIBP: 
                              disabled, RSB filling 
                              Type: srbds status: Not affected 
                              Type: tsx_async_abort status: Not affected

                            But 4.9 is way too old, /sys may not show the mitigation data, can’t remember. If I remember right, /sys started showing that as soon as the kernels had the mitigations, but I can’t remember the details there. I know inxi has had that feature for a long time though. Oh, I looked it up in the changelog, it was actually AntiX forums that requested and helped test that feature, back in 2018-09 or so, first inxi version to have it was 3.0.23

                            From Debian’s spectre/meltdown page:
                            https://wiki.debian.org/DebianSecurity/SpectreMeltdown
                            Scroll down to: 32-bit PC (i386), can’t copy in tables.

                            Pentium M is not pae, so that suggests that spectre 1 and 2 will be fixed with 4.19, and meltdown cannot be fixed.

                            You might give some thought to picking up an older Thinkpad T420, those are pretty inexpensive used, and are excellent machines, and have a 64 bit modern cpu, handle sata, etc. I’ve gotten those for 100 bucks each, once saw someone selling them for something like 2 for 100 back when corporate buyers were moving up to next version for their corporate fleets, those deals I don’t see anymore though. I got a T400 for 20 bucks at a fleamarket, just needed replacement battery, with SSD upgrade I think it cost about 100 total, give or take. With an old spinning hitachi travelstar, it’s not a question of if, but when, your hdd fails.

                            I tried running pentium m for years, a T42, and finally gave up.

                            Hmmm, why isn’t bbcode working? Post says bbcodes are enabled, but it doesn’t use them, needs html, maybe fix that text?
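
The mitigation status discussed in the post above can also be read directly from the kernel, shown here as an added example that is not part of any post in this thread. It assumes the kernel exposes one status file per issue under /sys/devices/system/cpu/vulnerabilities; the function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the kernel's per-issue CPU vulnerability status.
# Assumed path (standard sysfs location on kernels that carry the interface).
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE -> not_affected | partial | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*)             echo not_affected ;;
        *Mitigation:*[Vv]ulnerable*) echo partial ;;      # e.g. "...; SMT vulnerable"
        *Mitigation:*)               echo mitigated ;;
        *[Vv]ulnerable*)             echo vulnerable ;;
        *)                           echo unknown ;;
    esac
}

# report_vulns [DIR] -> prints "issue<TAB>class<TAB>raw status" per file.
# Exit status: 0 all clear, 1 something vulnerable/partial/unknown,
# 2 the directory is missing, so the kernel reports no mitigation status.
report_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no mitigation data: $dir is missing on this kernel" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        raw=$(cat "$f" 2>/dev/null) || raw=
        class=$(classify_status "$raw")
        case "$class" in vulnerable|partial|unknown) rc=1 ;; esac
        printf '%s\t%s\t%s\n' "${f##*/}" "$class" "$raw"
    done
    return $rc
}

# Constructed sample directory (NOT taken from the machine in this thread).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'Vulnerable\n'                              > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n'      > "$d/spectre_v2"
    printf 'Not affected\n'                            > "$d/mds"
    echo "$d"
}

# Demo on the constructed sample; on a real system call report_vulns with no argument.
sample=$(make_sample_dir)
report_vulns "$sample" || echo "at least one issue is not fully mitigated"
rm -rf "$sample"
```

A non-zero exit status makes the function usable from a cron job or a post-upgrade check after installing a new kernel.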

                            #63949
                            Moderator
                            Brian Masinick

                              Hi h2! Great to hear from you. I have not used the inxi command arguments you shared above, so I appreciate knowing about them, though with a little bit of examination, I may have one day stumbled upon them; in any case, this is good information and another reason why I use your tools to this day.

                              I also am fond of the old T series laptops. I used a T42, T60, and possibly a few others – back in the days when we were regularly collaborating in fact. I happened to acquire an X201; those are solid, but they are also BIG with a double chassis (and lots of ports), and they share good construction and decent keyboards. Grabbing systems like these is an excellent option for budget shoppers. I was reading another thread elsewhere and a person mentioned that it’s very inexpensive to get more memory and various other peripheral equipment that works well with SATA-based devices at prices around $20 for certain components if you look around carefully and know what you are shopping for.

                              --
                              Brian Masinick

                              #63964
                              Moderator
                              Brian Masinick

                                Even as time goes by, we continue to have a similar outlook. As far as “feature rich” software, as any software “gracefully ages”, it is the exception, not the rule, for the “mid section” to grow. Some people refactor and rewrite software. That only goes so far and then the same happens. You’re in good company with the vast majority of GNU utilities. Some of the finest GNU replacements for the original UNIX utilities are often 2-4 times larger than what they replaced, mostly because they have so many options and additional capabilities. It’s not all bad; there are many really good tools, but there are not very many “single purpose tools” available any more.

                                Great tools; Best wishes always!

                                --
                                Brian Masinick

                                #63968
                                Member
                                h2

                                  I had to repost the post brian was responding to, it comes after this one.

                                  Your spam filters are too aggressive, the patterns are not well made, they keep eating my post.
