Security
kernel
CPU
Vulnerability

Updating the kernel and related packages on CentOS 7 and Ubuntu 16

piyolog had a good summary of the issue, so I updated CentOS 7 (using a rarely used server as the test machine).
http://d.hatena.ne.jp/Kango/20180104/1515094046

CentOS 7 kernel update

The CentOS 7 kernel update procedure I wrote a while ago:
https://qiita.com/smallpalace/items/e2489e48e011aff20170

# yum update kernel microcode_ctl linux-firmware qemu-kvm libvirt

=========================================================================================================================================================================
 Package                                       Arch                           Version                                              Repository                       Size
=========================================================================================================================================================================
Installing:
 kernel                                        x86_64                         3.10.0-693.11.6.el7                                  updates                          43 M
Updating:
 kexec-tools                                   x86_64                         2.0.14-17.2.el7                                      updates                         333 k
 linux-firmware                                noarch                         20170606-57.gitc990aae.el7                           updates                          35 M
 microcode_ctl                                 x86_64                         2:2.1-22.2.el7                                       updates                         1.1 M
Updating for dependencies:
 dracut                                        x86_64                         033-502.el7_4.1                                      updates                         321 k
 dracut-config-generic                         x86_64                         033-502.el7_4.1                                      updates                          54 k
 dracut-config-rescue                          x86_64                         033-502.el7_4.1                                      updates                          56 k
 dracut-network                                x86_64                         033-502.el7_4.1                                      updates                          98 k

Transaction Summary
=========================================================================================================================================================================
Install  1 Package
Upgrade  3 Packages (+4 Dependent packages)

Total download size: 80 M
Is this ok [y/d/N]: y

Installed:
  kernel.x86_64 0:3.10.0-693.11.6.el7                                                                                                                                    
Updated:
  kexec-tools.x86_64 0:2.0.14-17.2.el7               linux-firmware.noarch 0:20170606-57.gitc990aae.el7               microcode_ctl.x86_64 2:2.1-22.2.el7              

Dependency Updated:
  dracut.x86_64 0:033-502.el7_4.1 dracut-config-generic.x86_64 0:033-502.el7_4.1 dracut-config-rescue.x86_64 0:033-502.el7_4.1 dracut-network.x86_64 0:033-502.el7_4.1

Complete!

Note: qemu-kvm and libvirt were not installed on this CentOS 7 instance on AWS.

- Changelogs I was able to check

# rpm -q --changelog microcode_ctl|head
* Fri Dec 15 2017 Petr Oros <poros@redhat.com> - 2.1-22.2
- Update Intel CPU microde for 06-3f-02, 06-4f-01, and 06-55-04
- Resolves: #1527358

# rpm -q --changelog linux-firmware|head
* Wed Dec 27 2017 Rafael Aquini <aquini@redhat.com> - 20170606-57.gitc990aae
- Add amd-ucode for fam17h

# uname -r
# awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg
# grub2-set-default 0
# grub2-mkconfig -o /boot/grub2/grub.cfg
# uname -r
# reboot

ssh 
$ sudo su -
# uname -r
3.10.0-693.11.6.el7.x86_64

For now, the update to a kernel that is reportedly patched is complete.
https://access.redhat.com/errata/RHSA-2018:0007
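
The post-reboot `uname -r` check above can be scripted for more than one host. This is an added example, not part of the original post: it classifies a host as patched, waiting for a reboot, or still needing the update, using the fixed release 3.10.0-693.11.6.el7 shown above. The function names are hypothetical, and the numeric-field comparison is an assumption that approximates RPM ordering for el7 kernel releases.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a host still
# needs the kernel update or only the reboot.

# Drop the architecture suffix that `uname -r` appends on CentOS.
strip_arch() { printf '%s\n' "${1%.x86_64}"; }

# version_ge A B: succeed when release A >= release B.
# Assumption: comparing the numeric fields left to right is close enough to
# RPM ordering for el7 kernel releases; it is not a full rpmvercmp.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# kernel_status RUNNING FIXED NEWEST_INSTALLED
#   ok             running kernel is at or above the fixed release
#   reboot-needed  fixed kernel is installed but an older one is running
#   update-needed  no installed kernel reaches the fixed release
kernel_status() {
    running=$(strip_arch "$1"); fixed=$(strip_arch "$2"); newest=$(strip_arch "$3")
    if version_ge "$running" "$fixed"; then echo ok
    elif version_ge "$newest" "$fixed"; then echo reboot-needed
    else echo update-needed
    fi
}

# On a real host (values read live instead of passed in):
#   kernel_status "$(uname -r)" 3.10.0-693.11.6.el7 \
#     "$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n' | sort -V | tail -n1)"
```

A `reboot-needed` result corresponds to the state between `yum update` and `reboot` in the steps above, where the new kernel is on disk but the old one is still running.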

Ubuntu 16 kernel update

Note: this is a node on Azure.

$ uname -r
4.11.0-1016-azure

$ sudo apt install linux-generic
$ dpkg -l | grep linux-image | grep ^ii 
ii  linux-image-4.11.0-1016-azure       4.11.0-1016.16                             amd64        Linux kernel image for version 4.11.0 on 64 bit x86 SMP
ii  linux-image-4.13.0-1005-azure       4.13.0-1005.7                              amd64        Linux kernel image for version 4.13.0 on 64 bit x86 SMP
ii  linux-image-4.4.0-103-generic       4.4.0-103.126                              amd64        Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii  linux-image-4.4.0-109-generic       4.4.0-109.132                              amd64        Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii  linux-image-azure                   4.13.0.1005.6                              amd64        Linux kernel image for Azure systems.
ii  linux-image-extra-4.11.0-1016-azure 4.11.0-1016.16                             amd64        Linux kernel extra modules for version 4.11.0 on 64 bit x86 SMP
ii  linux-image-extra-4.4.0-103-generic 4.4.0-103.126                              amd64        Linux kernel extra modules for version 4.4.0 on 64 bit x86 SMP
ii  linux-image-extra-4.4.0-109-generic 4.4.0-109.132                              amd64        Linux kernel extra modules for version 4.4.0 on 64 bit x86 SMP
ii  linux-image-extra-virtual           4.4.0.109.114                              amd64        Transitional package.
ii  linux-image-generic                 4.4.0.109.114                              amd64        Generic Linux kernel image
$ sudo reboot
Reconnect over SSH

$ uname -r
4.13.0-1005-azure

To roll back, it seems you can remove every kernel package other than the old one you want to go back to.
http://sicklylife.hatenablog.com/entry/2017/05/24/185955