Security updates are now available for Meltdown and Spectre.
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.
If you haven’t already done so, please read “Meltdown and Spectre”.
These vulnerabilities are critical. They expose all memory data present on the computer to any application running locally (including to scripts run by your web browser).
Note: Meltdown and Spectre also affect smartphones and tablets. Please seek information on how to protect your mobile devices.
Firefox 57.0.4
Firefox was patched. Please use the Update Manager to upgrade it to version 57.0.4.
https://usn.ubuntu.com/usn/usn-3516-1/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
NVIDIA 384.111
If you are using the NVIDIA proprietary drivers, upgrade them to version 384.111.
In Linux Mint 17.x and 18.x, this update is available in the Update Manager.
In LMDE, it is available on the NVIDIA Website.
https://usn.ubuntu.com/usn/usn-3521-1/
Chrome Site Isolation
If you are using Google Chrome or Chromium, please follow the steps below:
- Type chrome://flags in the address bar and press Enter.
- Scroll down the page and find “Strict site isolation” and press the Enable button.
- Restart the Chrome browser.
https://www.chromium.org/Home/chromium-security/ssca
Opera
If you are using the Opera browser, visit opera://flags/?search=enable-site-per-process, click Enable and restart Opera.
Linux Kernel
Please use the Update Manager to upgrade your Linux kernel.
The following versions were patched:
- 3.13 series (Linux Mint 17 LTS): patched in 3.13.0-139
- 3.16 series (LMDE): patched in 3.16.51-3+deb8u1
- 4.4 series (Linux Mint 17 HWE and Linux Mint 18 LTS): patched in 4.4.0-108
- 4.13 series (Linux Mint 18 HWE): patched in 4.13.0-25
Note: The current HWE series in Linux Mint 18 moved from 4.10 to 4.13.
Some users reported issues with early kernel updates (the 4.4.0-108 issues in particular have since been fixed in 4.4.0-109). We strongly recommend you use Timeshift to create a system snapshot before applying the updates. Timeshift is installed by default in Linux Mint 18.3 and available in the repositories for all Linux Mint 17.x and 18.x releases.
https://security-tracker.debian.org/tracker/CVE-2017-5754
https://usn.ubuntu.com/usn/usn-3524-1/
https://usn.ubuntu.com/usn/usn-3522-2/
https://usn.ubuntu.com/usn/usn-3522-1/
Intel Microcode
Please use the Update Manager to upgrade intel-microcode to version 3.20180108.0.
Note: If intel-microcode isn’t installed on your computer, run the Driver Manager to see if it’s needed.
https://usn.ubuntu.com/usn/usn-3531-1/
Other Updates
Other updates should become available in the near future. Make sure to check often and apply all security updates.
General Advice
Locally, you should back up your personal data and set up daily system snapshots (Timeshift is recommended for that).
Check for available security updates often, and apply them as they become available. In your Update Manager these are marked with a red exclamation mark.
Review any sensitive information stored online.
Stay away from third-party applications, proprietary ones in particular, and do not visit websites you don’t trust on devices which haven’t been patched.
Consider securing access to your important data (your email account in particular) with two-factor authentication.
Just a thought, in the blog you mention that the NVIDIA driver should be updated, my Driver Manager only lists 340.102-0ubuntu0.16.04.2 for my GeForce 820M. NVIDIA states that the 384 series driver is compatible.
What to do? Will the 384 driver work with the Prime indicator as well?
Hi Raketti,
It’s worth a try. Before you do though, you should create a system snapshot http://linuxmint-installation-guide.readthedocs.io/en/latest/timeshift.html.
You wrote “Firefox was patched. Please use the Update Manager to upgrade it to version to 57.0.4.”
Unfortunately, the Update Manager is not showing Firefox version 57.0.4. Even after pressing the Refresh button. Still on Firefox 57.0.3.
Any suggestions?
Thank you
Hi Ovari,
Is your mirror up to date? You can use the Software Sources tool to change mirror in case that’s the issue.
I had that problem. I changed the policy updates from 1st to 2nd and Firefox 57.0.4 showed.
@Linux Mint: Thank you. Unfortunately a few mirrors which we tried did not find the update. The solution which found the update was clicking on “Restore the default settings” in “Software Sources”. Is it worth adding this to your instructions above if the update is not found?
I used Upgrade Manager yesterday evening (US CST), which in my case uses the default mirror and the update to 57.0.4 worked fine.
I am on Firefox 54.0 (Firefox for Linux Mint – 1.0) and can’t for the life of me get Update Manager to show any updates for Firefox, let alone 57.0.4. My update policy is the default (no 2-review sensitive updates) and as suggested in this thread, I have tried Restoring the Software Sources to the default setting (which had not been changed since the clean install of LM 18.3) but nothing shows up other than the 4.13 kernel (yes I know that 4.10 is not being patched) and mesa. Any help would be greatly appreciated (eg perhaps a mirror I can point? or maybe get it from mozilla somehow). I am relatively new to Linux with fairly basic command line skills. Thanks in advance, Chris. PS: Software Manager just shows Firefox 57.0+linuxmint1+sylvia.
Hi Chris,
Can you paste the output of “apt policy firefox”?
This is what it says:
apt policy firefox
firefox:
Installed: 57.0+linuxmint1+sylvia
Candidate: 57.0.4+linuxmint1+sylvia
Version table:
57.0.4+linuxmint1+sylvia 700
700 http://packages.linuxmint.com sylvia/upstream amd64 Packages
57.0.4+build1-0ubuntu0.16.04.1 500
500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
*** 57.0+linuxmint1+sylvia 100
100 /var/lib/dpkg/status
45.0.2+build1-0ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
Thanks, Chris
I pasted the output of “apt policy firefox” in a previous post yesterday, as requested, but not sure if it got thru as it is still showing “awaiting moderation”.
Hi Chris,
Your policy looks good. Can you paste the output of “gsettings list-recursively com.linuxmint.updates”?
Thank you so much for following up. Here is the output you requested. Not sure why or how it happened but I see in the listing below that it is shown that firefox is blacklisted, so will try and remove it from the list and hopefully that will fix the problem.
gsettings list-recursively com.linuxmint.updates
com.linuxmint.updates show-type-column true
com.linuxmint.updates show-size-column false
com.linuxmint.updates level2-is-visible true
com.linuxmint.updates show-policy-configuration false
com.linuxmint.updates window-height 693
com.linuxmint.updates autorefresh-days 0
com.linuxmint.updates kernel-updates-are-visible true
com.linuxmint.updates show-new-version-column true
com.linuxmint.updates show-package-column true
com.linuxmint.updates hide-window-after-update false
com.linuxmint.updates dist-upgrade true
com.linuxmint.updates hide-kernel-update-warning false
com.linuxmint.updates level3-is-visible true
com.linuxmint.updates security-updates-are-visible true
com.linuxmint.updates autorefresh-minutes 0
com.linuxmint.updates default-repo-is-ok false
com.linuxmint.updates level1-is-safe true
com.linuxmint.updates security-updates-are-safe true
com.linuxmint.updates show-origin-column false
com.linuxmint.updates refresh-minutes 10
com.linuxmint.updates level2-is-safe true
com.linuxmint.updates level3-is-safe false
com.linuxmint.updates blacklisted-packages ['firefox']
com.linuxmint.updates level4-is-visible true
com.linuxmint.updates level5-is-safe false
com.linuxmint.updates autorefresh-hours 2
com.linuxmint.updates refresh-days 0
com.linuxmint.updates level4-is-safe false
com.linuxmint.updates window-width 790
com.linuxmint.updates window-pane-position 280
com.linuxmint.updates show-old-version-column false
com.linuxmint.updates kernel-updates-are-safe false
com.linuxmint.updates hide-systray false
com.linuxmint.updates level1-is-visible true
com.linuxmint.updates show-level-column true
com.linuxmint.updates level5-is-visible false
com.linuxmint.updates show-descriptions true
com.linuxmint.updates refresh-hours 0
Thanks again.
OK subsequent to my last post, I managed to find where the blacklist is kept (for those that don’t know – Update Manager Preferences ) and remove firefox from it and that has resolved the issue of it not showing up.
Sorry for taking up your valuable time but thank you so much for your help. Cheers Chris.
As a casual but long-time Linux Mint user, I have always been wary of taking kernel updates (although I suppose I need to reevaluate that position). For this case, is the one I should choose whatever comes up for me under category 4 in the Update Manager or do I need to learn how to select the proper one from the longer list?
The kernel hasn’t been updated yet. Keep an eye on the link above for when an update is available. It will tell you the version(s) that have the patches.
You should stick to the kernel updates available in the main screen of the Update Manager. If you do, these will always show the latest kernel available for the series you’re on, and that series either is LTS (kernel 4.4 in Mint 18.x) or HWE (currently 4.10), both of which receive security updates.
The “long list of kernels” in the view->kernels windows is to troubleshoot, look for more information, bug reports, or switch series in case some of your hardware is too new and requires a more recent kernel than LTS or HWE. When you move away from LTS/HWE you take the risk not to get security updates, and you take the risk that some of the modules you’re using (for broadcom, nvidia etc..) might not work with that particular kernel series.
Switching kernels is easy, it’s better documented than before and if you read the help section of the Update Manager you have all the information you need to get back on your feet and go back to your previous kernel, in case of an issue. Not only that, but we can also now rely on timeshift, so anything you do to your system, any regression or misstep can be solved by going back in time to your previous system snapshot.
It’s worth taking time and experimenting with timeshift and recovery tools. That category 4 is there to tell you this can impact your system, and the security flag beside it tells you you need to apply it. The best thing to do is to read the doc, create a snapshot in timeshift and apply the security updates.
Mint 18.1 gives me 384, what are you running?
@raketti
No, it depends on your hardware. The driver manager can recommend 384, but also 340.. it really depends on your GPU.
Note also that the Driver Manager doesn’t show updates per se. It’s a driver selector/installer. Use the Update Manager to make sure your driver is actually up to date.
hi chemicalfan
Download LinuxMint 18.3 here:
https://blog.linuxmint.com/?p=3458
and install it! LinuxMint 18.1 is outdated!!
Not at all. Linux Mint 18.1 is supported until 2021. You can upgrade to 18.3, but you don’t have to, and you certainly don’t need to reinstall.
There is a simple rule to remember using Linux( I still have my RedHat)…If it’s working?
Why fix it or upgrade unless you are also upgrading hardware as well.
If you set it up properly, it will run like a Swiss clock\watch or remember the Timex commercials…Takes a Licking and Keeps ON ticking!
<3 LINUX
Are old processors out of reach for this vulnerability?
I’ve read that the speculative code execution feature has been present in most Intel processors since 1995. So chances are your processor is affected unless you got your computer from a museum exhibit.
hi Hamza
referring to Chipsets, nearly all Manufacturers are affected according to heise and other sources! This thing is big and is a big threat!! Please update and patch your system and you also should install Microcode-Updates as soon as they become available! I will do this too! I am already waiting on hot coals.
Most (if not all) CPUs of the last 10 years are affected. There are very few very special CPUs like those of the Raspberry Pi that are not vulnerable.
Rule of thumb: If you bought your computer / cellphone / router / graphics card more than 10 years ago, chances are that they are not vulnerable in those specific scenarios. But you should be aware that these very old designs have other security issues that can’t be fixed 🙂
@chemicalfan – I’m running 18.3.
I installed 384.111 and everything seems to be running fine so far. The only thing that’s odd is that now the Driver Manager shows I’m using nouveau.
what about other software security?
https://www.mozilla.org/en-US/thunderbird/52.5.2/releasenotes/
Version 52.5.2, first offered to Release channel users on December 22, 2017
including two critical bugs: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/
on Linux Mint 18.3 it’s still 52.5.0 in the repositories
I don’t know why but especially updates for thunderbird take ages in Linux Mint (via Ubuntu via Debian)
on Spectre/Meltdown it’s worth reading some linux kernel maintainers view on things:
http://kroah.com/log/blog/2018/01/06/meltdown-status/
“This means that the latest 4.14 release (4.14.12 at this moment in time), is what you should be running. (…) If you rely on any other kernel tree other than 4.4, 4.9, or 4.14 right now, and you do not have a distribution supporting you, you are out of luck. (…) Also, go yell at the people who forced you to run an obsoleted and insecure kernel version, they are the ones that need to learn that doing so is a totally reckless act.”
Both Canonical and Debian are committed to providing security updates for the kernel series they maintain. We stick to the same series for this reason. Be aware also that the versions used by Canonical for kernel updates don’t necessarily match upstream kernel versions, some changes are backported and versions stay at .0.
@ staubgold
absolutely correct.
@Linux Mint
is it correct to say that you copy the Ubuntu kernels to us when Ubuntu updates them? Or are the newer kernels created by Mint?
Just curious.
Thanks, Peter
(I assume Ubuntu gets the latest patched kernels from Debian, and then modifies them. perhaps I am totally wrong on that part)
Mint 18.1 Xfce, 4.4.0-108 kernel doesn’t even boot. Any suggestions?
Hi Vitor,
We’ve heard reports of issues with it. It seems to affect some people. This is being rushed upstream because of the severity of the vulnerabilities. 4.4.0-109 was released since, hopefully it should help.
hi Vitor I
Question: what graphics-card do you have?? If you have nvidia, then you first need to boot into “nomodset” and install the graphics-driver first and then reboot. This solves it.
Greetings
Running Chromium Version 63.0.3239.84 (Official Build) Built on Ubuntu , running on LinuxMint 18.3 (64-bit).
Attempting to apply:-
Type chrome://flags in the address bar and press Enter.
Scroll down the page and find “Strict site isolation” and press the Enable button.
Just does not work I tried “in Parenthesis” and without just in case –
No options appear to change???
Thank you for your “heads up” on all of these exploits
Mal
Works fine for me on both Xfce 18.3 64bit and Maté 17.3 32bit. Enter the command without parenthesis. Press the button and a checkmark will appear.
I had the exact same problem. Nothing came up in the search when I typed in “strict”. But “strict site isolation” came up when I typed in “site”. ???
Didn’t work for me either (Mint 17.3) but I followed the ‘structions at https://www.chromium.org/Home/chromium-security/ssca which worked fine.
Control + F people. Just use another tool.
Hi LM Team,
I am using LM 18.3 (Sylvia) with Kernel 4.8.0-53. Is it safe with that kernel version, or should I update the kernel to 4.10? And which specific version of 4.10, because there are versions 4.10.0-14 to 4.10.0-42?
Thanks for your help.
@ Sasya
You should be on either kernel 3.13.139(= for older hardware), 4.4.108 or 4.13.25(= for newer hardware like Kabylake processors), in order to receive the KPTI/Meltdown patch.
If on 4.13.25, you should later upgrade to kernel 4.15 LTS(= in May or June 2018 = LM 19.0) because 4.13 is not LTS. If kernel 4.15 proves unstable, revert to 4.13 or 4.4 LTS.
Please refer to … https://forums.linuxmint.com/viewtopic.php?f=58&t=260764&start=200
Hi Sasya,
The blog post above was updated today and kernel updates are now available. You should definitely update, towards 4.13.0-25.
Kernel 4.8.x is no longer supported. The patched kernels are branches 4.4 and 4.13, versions 108 and 25. The kernel 4.10.0-42 dates from before these vulnerabilities were known, so upgrading to that does not help.
You can perfectly use the kernel 4.4.0-108 with LM 18.3 Sylvia if the kernel 4.13.0-25 is not going well for you.
I’m going to install both and try. The 4.4.0-108 is working perfectly.
Hi team:
I did build AMDGPU-pro around 18.3 and kernel 4.10 and installed HWE also to have all the things working.
So no updates for 4.10. The problem is I cannot seem to be able to install the AMDGPU-pro around other kernels – I am guessing but it should be all in the HWE. Any direction will be appreciated.
Thanks SB
Hi,
The jump to 4.13 on the HWE series is brand new and it was done in a rush to tackle this vulnerability. It’s possible some modules aren’t yet compatible with it. Keep an eye on 4.13 updates, Canonical is probably aware of it already.
After receiving the updates to the 4.13.0-26, and also the new HWE modules and reinstalling from scratch the *latest* AMDGPU-pro 17.50 driver everything went back to OK.
Great. Thanks
sb
Question 1: Are GPUs also vulnerable to this exploit.
Question 2: Are the Mint patches being tested first to ensure they don’t adversely slow down processors.
Although I had an amazingly fast Intel CORE i7 processor in my laptop BEFORE the patch, my Windows 10 has since slowed down so much that it is next to unusable… on account of that very Microsoft security patch. I’d hate to think what would happen if I ditched Windows and permanently switched to ANY Linux distro let alone Mint.
There has to be a better way to fix this problem.
Hi Roy,
Nobody in the industry is worried about the slow down just yet. It could become an issue and it could be tackled by a 2nd series of updates/fixes eventually, but right now these considerations are not as important as the vulnerabilities themselves.
hi Roy
in my LinuxMint 18.3, I cannot confirm this slow-down. But I can confirm this of you:
“Although I had an amazingly fast Intel CORE i7 processor in my laptop BEFORE the patch, my Windows 10 has since slowed down so much that it is next to unusable… on account of that very Microsoft security patch”
on my mother’s machine with Windows10-1709! There we also see a performance-loss of nearly 30%! This is really also not nice.
But: LinuxMint currently does not make such problems. Here I cannot confirm slow-downs in LinuxMint. And this:
“I’d hate to think what would happen if I ditched Windows and permanently switched to ANY Linux distro let alone Mint.”
would be a good idea, but you should decide for LinuxMint! Mint is not slow, not at all!
Then to your question:
“Question 1: Are GPUs also vulnerable to this exploit.”
answer: YES! nearly all GPUs are affected (heise and other sources)
“Question 2: Are the Mint patches being tested first to ensure they don’t adversely slow down processors.”
Don’t know. But currently here I do not see any slow-down in my Toshiba-Laptop Satellite-C850-1LQ (Intel i3). So this slow-down seems to be something inside Windows. The best way to see this is within Windows-Update. This runs so slow, that it takes hours to download the updates. In LinuxMint – in opposite to this – this does not happen. That’s why I love my LinuxMint and why I would really like to do tabula-Rasa on my mother’s PC, wipe out Windows and install Mint! 😀
Greetings
does anyone know if a MCF5275 risc processor is vulnerable ?
Hi LM-Team,
currently I’m a happy user of Linux Mint 18.3 with Kernel 4.10.0. As per Ubuntu they will not provide an update for this Kernel version but recommend to update to Kernel 4.13. Will Linux Mint 18.3 get an updated 4.10 kernel or will there be an update to 4.13?
Hi Martin,
It will be 4.13.
I’m not sure if I understand the situation correctly. Will there be a kernel update for LM 18.2? My 18.2 installation runs on kernel 4.10 , but I’ve also read that 4.10 will not be patched because Ubuntu 17.04 already went end-of-life. Will there be an update visible in the Update Manager or do I need to take action?
Hi Sebastian,
This information wasn’t available yesterday. The post above was updated since and your Update Manager should now suggest an update towards 4.13.
Ah, I understand. The update went fine now. Thanks!
With the greatest of respect to everybody involved, but perhaps it is time for the Mint team to re-evaluate how they approach the kernel updates in Mint itself? Reading through various articles related to this issue, the advice is pretty straightforward. Update your kernel. Update, update, update. The Linux kernel developers themselves have also written in detail about why we should update and always apply the latest kernel updates. This round of updates is only the start. There are more updates to come as more patches are applied. Reading through the comments here, there seems to be confusion amongst the Mint users? Some never apply kernel updates, others are confused about the number of kernels available to them, others cannot seem to grasp which kernel update they should apply? Perhaps the choice of available kernels does not help? Having to choose between 4-5 different ones can be confusing. Why not just do it like everyone else? You have one kernel and that one receives updates. Simple and straightforward without any confusion caused. If advanced users want to use a different kernel branch, the onus is on them. This is a very serious security issue and the correct kernel updates need to be applied. Just by reading these comments, one can tell that there are some Mint users who won’t be using the correct kernels and won’t be running the latest security patches. This is one instance where security MUST take preference over “stability.” Please understand that I am not being critical of anybody. I am more hoping that my comments will lead to a positive and adult discussion of how to cause less confusion for the Mint users. Thank you!
Hi Jacques,
There are two kernel series in each release receiving security updates: LTS and HWE. The Update Manager is designed to follow these. Although there is a window to pick and view all kernels available, the main window of the Update Manager does that job for you and only suggests the latest one in your series.
Now with that said, the comments made yesterday (including yours) were made at a time when kernel updates weren’t yet available and this blog didn’t mention which updates these would be (in particular it wasn’t clear whether HWE would move towards 4.13, and when/how).
exactly, this kernel that kernel, this update that update, hwe, lts, I know lts, but apparently I have 4:13 hwe? now on 18.3 There needs to be an overhaul, only need one kernel as far as I am concerned
I’m sure there are plenty like me who have such out dated computers that upgrading has become problematic. My laptop ran Windows 7 before I loaded Linux Mint on it a few years ago. I looked forward to the updates until my laptop couldn’t handle the latest and greatest version of Mint anymore. It’s too slow or Mint has become too big for me. Unfortunately you can’t just replace Windows 10 with Linux any more. This laptop has reached the end of its useful life and I will have to order my next laptop on-line. That’s why people like me hesitate to update. We are delaying the inevitable. I do have an Android tablet ready but much prefer to use a laptop.
For Jacques and Clemens (Linux Mint): Jacques, I am on your side!!! Clemens please understand that your technical and programming view to all of this stays in the way to normal users. 90 % of the Linux Mint users will not follow this blog and probably 50 percent will do any updates. Please be there for the users who are not here on this blog. That is where your thought has to be. They are the mean users. So Jacques’ idea is the best solution in any case and situation.
To speak about my own situation:
I am a long time Mint user. I never had felt in such a confusion with Linux Mint as what happens right now. It is ONE BIG confusion to me. And I can tell you that I will be not the only one. What kernel? What header? LTS o.k. but what is HWE? Clemens you speak in words as if any one who visit this blog will know all of this. Please be aware of user and that the majority of users who do not know all of this!
Please try to find a way of communication, which will explain it for not technical users. Or follow the great and secure solution of Jacques.
I did what you told Jacques, I followed the Update manager in my case there was an update to 4.13.0-26. After reboot, there was a black screen. I had to go back to 4.10.0-38
I am not native English speaking so I had to translate word by word – but I am angry and confused – and I think I have to get up and speak. And stand up for the users/people who are not visiting this blog or are not that technical at all to understand this!
Wait… this announcement is here to explain things in detail. Your update manager presents things in a very simple way, it shows you one kernel update and one set of security updates and you should install that.
Mint is just using Ubuntu kernel series and support dates. It looks a mess, but it’s actually reasonably simple once you know how it works.
Ubuntu: each new LTS, version x.04, has a new GA (General Availability) kernel series, which will be supported for the life of that LTS release. The first point release, x.04.1, has the same kernel series and support end date.
Non-LTS versions have kernel series with shorter support times, and the (also short-lived) LTS point releases from x.04.2 to x.04.4 use these HWE (Hardware Enablement) kernel series. The final LTS point release, x.04.5, has the same support end date as x.04 and x.04.1, but appears *after* the *next* LTS, and uses *that* GA kernel series as its HWE.
Mint: Major non-point releases obviously use the GA kernel series. So do x.1 releases. Kernel updates will be offered in that series.
Point releases x.2 and x.3 use HWE kernels in a new installation, but keep using a GA kernel series if installed as an upgrade. The definition of HWE keeps tracking Ubuntu, so somebody who initially installed 18.2 (or upgraded from 18 or 18.1 and also chose to upgrade the kernel series) would have started at that time with a 4.8 kernel, and since been offered 4.10 and now 4.13, and in a few months will be offered 4.15.
Once Mint 19 is released (with a 4.15 kernel), 18 will retain support for 4.4 and 4.15 until it reaches end of life.
“””Linux Mint >>> Wait… this announcement is here to explain things in detail. Your update manager presents things in a very simple way, it shows you one kernel update and one set of security updates and you should install that.”””
Wait a moment >>> That’s exactly what I have done – the update manager showed as I wrote before – a new kernel update as 4.13.0-26 and that what I installed. But after reboot there was a black screen. I had to go back to 4.10.0-38.
Please Clemens this is not an attack from my side to you, I try to explain how this all will work out for the most part of the users. This showcase shows probably directly where the real weak part is for Linux ( Mint ). Namely how can users be as quick as possible protected towards such things as Meltdown and Spectre or anything else in this kind of order.
If we will and like that more and more people use Linux Mint normal daily users without any knowledge of computers we have to make it perfectly and safe working for them. So that they see and feel that the developers take them serious and be there for their security. I will not recommend Linux Mint to any one who has not enough interest or knowledge of computers. Because that will bring me in trouble and have to help them out of that.
So please be so kind and stay on that side – normal daily users – who are also not familiar how to configure their update manager.
And now the question what do I have to do, with the kernel 4.10.0-38. update to 4.13.0-26 gives a black screen?
@Crojav
Do you perhaps have Nvidia graphics card? Ubuntu HWE plays havoc with Nvidia. It has never worked for me. AskUbuntu is full of issues regarding this. It’s best to stick with the LTS kernel, in this case 4.4xxx. You should NOT use 4.10, it is a security risk and no longer receiving updates. I am running Mint 18.1 and chose not to upgrade to Mint 18.2 or 18.3. That’s when the confusion starts creeping in and all the other kernels start appearing on the list.
Ubuntu HWE and Mint “HWE” is not the same thing. Ubuntu does not offer the HWE stack to you, like Mint does. In Ubuntu you have to type in a command in the terminal to install HWE Stack. In Ubuntu HWE is more than just upgrading the kernel. Mint does it differently by only upgrading the kernel.
If you have Nvidia cards for instance, you have to uninstall it before upgrading the kernel. Then install again, that includes nvidia-prime, because nvidia-prime builds against a specific kernel. You cannot mix and match. Sadly it does not work like that.
If I was you, I would install Mint 18.1 and use kernel 4.4xxx that it ships with. That is the Ubuntu LTS kernel. It is your decision of course entirely.
I hope you get your problems sorted. Good luck! 🙂
It is amazing that this could have been used to access computer data since 1995. Although it has probably always been put there on purpose to allow access. Not that any company would purposely do this to allow access or a back door to data. That certain agencies are given access for a price. How silly that would be. LOL
Thank You All for the info. I am updating now. Will keep an eye out for a patched Kernel.
Hello Linux Mint, a query: with this flaw that is suffering spectrum, must I consider installing an antivirus, or is it not necessary after installing the updates?
Hi Freddy,
Having an antivirus is a good idea in general, but it won’t help with this particular issue.
hi freddy
yes, Clem is absolutely right in this point. Normally an antivirus-System helps to protect. But not so in this case, because this time these vulnerabilities directly affect the design of the CPU-Chips and GPU-Chips. This cannot be fixed with AntiVirus-Systems.
The problem is within the firmware of these chips (this Microcode).
And this can only be addressed with Microcode-Updates.
In the URL address bar, enter the following:
chrome://flags/#enable-site-per-process
chrome://flags
It’s wrong! Chrome will tell that there is no “strict site isolation”!
It’s right! Just scroll down for a while or press Ctrl+F (find) and look for “Strict”. Works fine on both Mint machines I run.
chrome://flags/#enable-site-per-process (THIS WORKS)
Thank you, I hope others who tried LM’s method at the top of this thread will find your post
Mal
I installed the Kernel updates and verified them with this code from the Ubuntu verify page. https://askubuntu.com/questions/992137/how-to-check-that-kpti-is-enabled-on-my-ubuntu/992186#992186
dmesg (thanks to Jason Creighton):
Just copy it and paste into terminal
dmesg | grep "Kernel/User page tables isolation: enabled" \
&& echo "patched :)" || echo "unpatched :("
Seems that when I pasted it here something changed; just use the Ubuntu link and copy and paste the code from there.
Previously I have installed kernel version 4.4.0-112-generic. I have rebooted the computer.
I have entered the command noted above in terminal.
dmesg | grep "Kernel/User page tables isolation: enabled" \
&& echo "patched :)" || echo "unpatched :("
output = unpatched 🙁
is this due to an underlying issue with my CPU?
Thank You.
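A sturdier check than the single dmesg grep, as an added example that is not part of the original comments: the one-liner prints "unpatched" whenever grep matches nothing, which also happens when the boot message has rotated out of the kernel log or the quotes were altered in copying. The function names, the sample files and the order of the checks are this example's own; the sysfs file is only present on kernels that carry the vulnerabilities interface, and "kaiser" is the flag name used by some backports.

```shell
#!/bin/sh
# Added example: classify Meltdown / page-table-isolation state from three
# kernel-provided sources instead of trusting one dmesg grep.

# kpti_status SYSFS_FILE CPUINFO_FILE DMESG_FILE
# Prints one of: mitigated | not-affected | vulnerable | unknown
kpti_status() {
    sysfs=$1 cpuinfo=$2 bootlog=$3

    # 1. The kernel's own verdict, when the file exists.
    if [ -r "$sysfs" ]; then
        case $(cat "$sysfs") in
            "Not affected"*) echo not-affected; return 0 ;;
            Mitigation*)     echo mitigated;    return 0 ;;
            Vulnerable*)     echo vulnerable;   return 0 ;;
        esac
    fi

    # 2. CPU flags: "pti" (mainline) or "kaiser" (some backports) as a whole word.
    if [ -r "$cpuinfo" ] &&
       grep -Eq '^flags[[:space:]]*:.*[[:space:]](pti|kaiser)([[:space:]]|$)' "$cpuinfo"; then
        echo mitigated; return 0
    fi

    # 3. Boot log line, if it is still in the ring buffer.
    if [ -r "$bootlog" ] &&
       grep -q 'Kernel/User page tables isolation: enabled' "$bootlog"; then
        echo mitigated; return 0
    fi

    # 4. Kernel knows about the bug but nothing above showed the mitigation.
    if [ -r "$cpuinfo" ] &&
       grep -Eq '^bugs[[:space:]]*:.*(cpu_meltdown|cpu_insecure)' "$cpuinfo"; then
        echo vulnerable; return 0
    fi

    echo unknown   # e.g. a kernel too old to report anything
}

# Run the same logic against the live system.
kpti_status_live() {
    log=$(mktemp)
    dmesg > "$log" 2>/dev/null || :
    kpti_status /sys/devices/system/cpu/vulnerabilities/meltdown /proc/cpuinfo "$log"
    rm -f "$log"
}

# Constructed sample inputs (not captured from any real machine).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf 'Mitigation: PTI\n' > "$SAMPLES/sysfs_pti"
printf 'Not affected\n'    > "$SAMPLES/sysfs_na"
printf 'flags\t\t: fpu vme de pse tsc msr kaiser\n' > "$SAMPLES/cpuinfo_kaiser"
printf 'flags\t\t: fpu vme de pse tsc msr xsaveopt\nbugs\t\t: cpu_meltdown\n' \
    > "$SAMPLES/cpuinfo_bug"
printf '[    0.000000] Kernel/User page tables isolation: enabled\n' \
    > "$SAMPLES/dmesg_pti"
: > "$SAMPLES/dmesg_rotated"    # boot message no longer in the buffer

echo "sysfs says PTI:             $(kpti_status "$SAMPLES/sysfs_pti" "$SAMPLES/none" "$SAMPLES/none")"
echo "flag only, dmesg rotated:   $(kpti_status "$SAMPLES/none" "$SAMPLES/cpuinfo_kaiser" "$SAMPLES/dmesg_rotated")"
echo "dmesg line only:            $(kpti_status "$SAMPLES/none" "$SAMPLES/cpuinfo_bug" "$SAMPLES/dmesg_pti")"
echo "CPU not affected:           $(kpti_status "$SAMPLES/sysfs_na" "$SAMPLES/none" "$SAMPLES/none")"
echo "bug listed, no mitigation:  $(kpti_status "$SAMPLES/none" "$SAMPLES/cpuinfo_bug" "$SAMPLES/dmesg_rotated")"
echo "nothing to go on:           $(kpti_status "$SAMPLES/none" "$SAMPLES/none" "$SAMPLES/dmesg_rotated")"
```

On a real machine, call kpti_status_live; "unknown" means none of the three sources said anything, not that the system is safe.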
Thanks for this security notice. I am running LM18.3 on kernel series 4.10. I am awaiting kernel update for this series. But somehow in the Update Manager the update for series 4.13 just appeared which according to the change log addresses CVE-2017-5754. I do not have any 4.13 kernel installed. So is there a reason why it is appearing in Update Manager? Should I update it? Or should I ignore it and wait for the update for 4.10 series? Thanks.
https://askubuntu.com/questions/992232/what-is-ubuntus-status-on-the-meltdown-and-spectre-vulnerabilities
According to here only 4.10 will not be patched
Maybe that will change, but I recommend that you do what LinuxMint suggests above: use Timeshift etc. and upgrade to the 4.13 kernel as suggested in the Update Manager. I may be wrong, so it is probably better to wait for LinuxMint to answer you.
4.10 is no longer supported. The HWE series moved towards 4.13.
I am sorry, I did not notice that you have updated the blog posting with more information on the kernels including the move from 4.10 to 4.13. Ok, will update it then. Thanks.
Cinnamon crashes after installing kernel 4.13.0-26, nvidia drivers not loaded
The problem is the 340 nvidia drivers not working with the new kernel; I switched back to 4.10
Hi,
Is it DKMS failing between 340 and 4.13? Can you check with dkms status?
Also, from a security point of view, 4.10 isn’t an option. If you can’t use 4.13 just yet, you should go back to 4.4, not 4.10.
I have the same issue. dkms status shows:
bbswitch, 0.7, 3.13.0-37-generic, x86_64: installed
bbswitch, 0.7, 3.16.0-38-generic, x86_64: installed
bbswitch, 0.7, 3.19.0-32-generic, x86_64: installed
nvidia-340, 340.102, 3.16.0-38-generic, x86_64: installed
nvidia-340, 340.102, 3.19.0-32-generic, x86_64: installed
virtualbox-guest, 5.0.4, 3.16.0-38-generic, x86_64: installed
virtualbox-guest, 5.0.4, 3.19.0-32-generic, x86_64: installed (original_module exists)
@dlauder: This doesn’t show anything for 4.13, are you sure you installed the kernel update?
Yes, I’m sure I installed the update. I figured out how to manually get things working, which I posted in a separate thread below. The things I tripped over are that the new nvidia driver does not show up in Update Manager for my GeForce GTX 660 Ti, and that the kernel headers were not installed by Update Manager during the update.
Hi,
Thanks for bringing this up. This was a mistake on our side. It’s fixed in 4.4.0-lts1 and 3.13-lts1. The missing headers are now pulled as dependencies.
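The check done by eye in this exchange (does "dkms status" list an installed build for the kernel you just updated to?) can be scripted. This is an added example, not part of the original comments; the function names and the sample lines are constructed, and it assumes the comma-separated "dkms status" format quoted in this thread.

```shell
#!/bin/sh
# Added example: list DKMS modules that have no "installed" build for a
# given kernel release, so a patched kernel is not booted without its
# graphics / VM / network modules.

# dkms_missing KERNEL [FILE]
# Reads "dkms status" output from FILE (or stdin) and prints, one per line,
# every module name that lacks an installed build for KERNEL.
dkms_missing() {
    awk -v k="$1" -F': ' '
        NF < 2 { next }                     # skip blank or unrelated lines
        {
            n = split($1, f, ", ")          # name, version[, kernel, arch]
            state = $2
            sub(/ .*/, "", state)           # drop "(original_module exists)"
            seen[f[1]] = 1
            if (n >= 3 && f[3] == k && state == "installed") ok[f[1]] = 1
        }
        END { for (m in seen) if (!(m in ok)) print m }
    ' "${2:--}" | LC_ALL=C sort
}

# Constructed sample in the same format: one module built for both kernels,
# one only registered ("added"), one built but not installed, one installed
# for the old kernel only.
sample_status() {
    cat <<'EOF'
bbswitch, 0.7, 3.19.0-32-generic, x86_64: installed
bbswitch, 0.7, 4.4.0-109-generic, x86_64: installed
nvidia-340, 340.102, 3.19.0-32-generic, x86_64: installed
nvidia-340, 340.104: added
virtualbox-guest, 5.0.4, 3.19.0-32-generic, x86_64: installed (original_module exists)
ndiswrapper, 1.60, 4.4.0-109-generic, x86_64: built
EOF
}

echo "No installed build for 4.4.0-109-generic:"
sample_status | dkms_missing 4.4.0-109-generic

# On a live system:  dkms status | dkms_missing "$(uname -r)"
```

An empty result means every registered module has an installed build for that kernel; any name printed is a module to rebuild (with the matching kernel headers installed) before relying on the new kernel.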
Tried kernel 4.13.0-25 and 26, my notebook does not boot to login UI anymore (2015 DELL E6440), have to go back using 4.10, hope a more stable version comes soon.
What was the issue exactly? Could you show us the output of “dkms status” with 4.13?
Also please note that 4.10 is vulnerable to Meltdown/Spectre. Only 4.13 and 4.4 are patched against it.
Had similar issues. I am using LM 18.3 with kernel 4.8 and upgraded it to 4.13; after reboot, it got stuck on Mint’s logo. I didn’t know how to fix it, so I reinstalled with a fresh installation, and it finally worked.
FYI, my laptop Dell Inspiron 3458 with Intel Core i3-5005 (Broadwell).
Is there anyone here who has already installed 4.4.0-109 successfully on 17.3?
And how do I find out which linux-kernel version is there in repo if it reports “4.4.0”?
$> apt-cache policy linux-kernel-generic
linux-kernel-generic:
  Installed: 3.19.0-32
  Candidate: 4.4.0
  Version table:
     4.4.0 0
        500 http://linuxmint-packages.ip-connect.vn.ua/ rosa/main amd64 Packages
 *** 3.19.0-32 0
        100 /var/lib/dpkg/status
Hi Yz,
You can get more information about it with “apt show linux-kernel-generic”, you’ll see it now links to “linux-image-generic-lts-xenial” which currently points to 4.4.0-109.
I’m on 17.3 and kernel 4.4 but 4.4.108 doesn’t show up. Version number .87 is the last one.
What should I do?
I mean in the update manager
Hi Cyrill,
Do you still have “linux-kernel-generic” installed? If not, reinstall it with “apt install linux-kernel-generic”.
I am running LM 17.3 but still with a very old kernel (3.16.0-38). Kernel updates have not been available to my system for months. What should I do?
apt show linux-kernel-generic
Package: linux-kernel-generic
State: installed
Automatically installed: no
Version: 3.16.0-38
Priority: optional
Problems in the new kernel 4.13:
The touchpad loses the “touch to click” feature, the keyboard loses the repetition of keys (when pressing a key is not repeated), and instability in general.
Lenovo Ideapad 700
Had the same issues. On my Dell Inspiron 3458, the scrolling feature on the touchpad did not work. Also, it loses touchpad sensitivity.
[2] Same issue here. (keyboard loses the repetition of keys)
HP Notebook.
I run Linux Mint 17.3 Xfce with kernel 3.19.0-32. Kernel 3.13.0-139 appears in the update manager. Should I install it?
Hi Paul,
Yes, though this probably isn’t the kernel itself. You should see an update for 4.4.0.
Thank you. I use Linux Mint 18.1 and everything went OK with kernel 4.4.109! No problems at all. Should I remove kernel 4.4.0-21 now? I can see that this ‘old’ kernel is still installed… But that does not harm anything? I mean: kernel 4.4.0-21 (installed but not active) can cope with the new active kernel 4.4.109? Greetings from Dejan!
If you want to open up some space, you can uninstall it.
After updating my linux mint 17.3 cinnamon install (running as vm in vmware workstation 11) to kernel 4.4.109 I found that the mouse buttons (on logitech mouse – I tried two models and both had problems) would not work although the mouse pointer was still present and the desktop looked as normal. I have reverted to an earlier kernel version. Now I am wondering if I need to do some updates to the drivers as well as the kernel – but it is not clear which thing to update.
As a side note, it took me a little while to get grub to show up – I finally found that the right shift button would get the grub menu to appear.
Dominic
I encountered the same issue on one of my two virtual 17.3 Mint machines (VMs under ESXi), both updated at the same time.
One is having the issue, the other not, quite strange.
xev is clearly not showing any click (left/right)
evtest detects the click
The mouse pointer was moving, only the click wasn’t effective.
The “Windows” key allows opening the desktop menu and launching applications/restarting.
So I deleted the 4.4.0-109 kernel. I hope it will be more stable in a later release for 17.3.
Kernel 4.13 boots me to a black screen, 4.10 works normally.
$ dkms status
ndiswrapper, 1.60, 4.10.0-42-generic, x86_64: installed
$ lspci | grep VGA
00:02.0 VGA compatible controller: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor Integrated Graphics Controller (rev 06)
Have you tried kernel 4.4.109? It’s also patched whereas 4.10 is not.
Yes, 4.4.109 works, so I’ll be using that while things settle down.
same for me ThinkPad T430, black screen
$ lspci | grep VGA
00:02.0 VGA compatible controller: Intel Corporation 3rd Gen Core processor Graphics Controller (rev 09)
for me this worked:
In the file /etc/default/grub comment out the line
#GRUB_TERMINAL=console
changing it to:
GRUB_TERMINAL=console
then issue:
sudo update-grub
then reboot
@Marko, Thank you very much.
Same problem and same solution on a Lenovo Thinkpad x230
I’ve been running Mint 17.3 (upgraded from earlier 17.n) with Cinnamon 2.8.8 and kernel 3.19.0.32 (if it ain’t broke don’t fix it). Following (I think) your advice I applied an update to kernel 4.4.0.109 (plus 2 other kernel-related updates as offered: linux-libc-dev 3.13.0-139.188 from 3.13.0-100.147, linux-firmware 1.127.24 from 1.127.22) in Update Manager. Rebooted but Cinnamon immediately fell into fall-back mode and will not restart into full Cinnamon mode. Reboots OK with previous kernel via Grub, so not urgent (and I can always upgrade to 18.3 if I have to).
Hi Jim,
It’s probably an issue with the NVIDIA drivers not compiling properly against kernel 4.13. “dkms status” should tell you which drivers are compiled against which kernels. “inxi -Gx” will also tell you which GPU drivers are being used and whether or not you’ve got acceleration (which is required by Cinnamon).
4.4.0.LTS1 update to 4.4.0.109-generic fixed it – excellent! – now for the nvidia driver . . .
Is there a difference between kernel 4.13.0-26 and 4.13.0-25 as far as security is concerned? If not, where is the difference?
Also: is it necessary to apply/follow these instructions on how to integrate the latest microcode-patch?
http://news.softpedia.com/news/intel-releases-processor-microcode-patch-for-linux-oses-here-s-how-to-update-519316.shtml
Thank you very much!
C
Hi,
An update for microcode is planned, Ubuntu is working on it. Regarding 4.13, the vulnerability is fixed from -25 onward, so -26 is fine. Generally speaking you should be on a supported series (HWE or LTS. 4.13 is the current HWE so that’s fine) and apply any security update that comes toward you. We made an announcement for -25 because this vulnerability is very concerning, but you should apply security updates anyway, whether the vulnerabilities are important or not.
Hi,
in my dkms status output I have “nvidia-340, 340.104: added”, it should be “installed”. The driver manager lets me add the nvidia driver without any error, but when I reboot the nvidia drivers are not loaded and Cinnamon crashes
Cinnamon was crashing for me after updating Mint 17.3 to 4.4.0-109 kernel. This was due to nvidia driver v340 needing to be updated to 384, but not appearing in Update Manager. I downloaded v384.111 from nvidia website and tried to install it but the 4.4.0-109 kernel headers were missing. I installed those via “apt-get install linux-headers-$(uname -r)” and was able to install the newer nvidia driver. All is well now – Cinnamon no longer crashes on boot.
One trick: you need to close the window manager to install nvidia drivers. When I “sudo service mdm stop” I end up at black flashing cursor. So, I had to ssh via another machine to do the nvidia install while on the blank screen. Hope this helps someone.
New kernel upgrade makes dkms fail on building NDIS support and causes COMPLETE SYSTEM LOCKUP when starting virtualbox (5.0.40-dfsg-0ubuntu1.16.04.2) guest sessions.
Needed to revert to older kernel branch to restore.
Hi Max,
Virtualbox looks fine here: virtualbox, 5.0.40, 4.13.0-26-generic, x86_64: installed
An update for ndiswrapper (1.60-3~ubuntu16.04.2) is on its way.
re-confirming: starting any (even a new one) VirtualBox guest on my mint 18.3 host while running 4.13.0-26-generic kernel causes system lockup. If started headless from CLI it generates kernel crash trace and system halts(freezes).
Processor: Intel(R) Core(TM) i5-7300U CPU @ 2.60GHz (family: 0x6, model: 0x8e, stepping: 0x9)
Hi Max,
Personally recommend apt remove –purge 5.0.40…, then download 5.1.30 (or 5.2.4) .deb direct from virtualbox.org (one of the rare exceptions when installing software this way is recommended, but is superior to the Ubuntu modified version).
You probably already know this, but for the sake of others reading this reply. If using Mint 18x you’ll need the 16.04 Xenial version.
Been using 5.1.40 with a previous 4.13 kernel for sometime without issue.
– VirtualBox 5.1.40 link
https://www.virtualbox.org/wiki/Download_Old_Builds_5_1
Hmm appears blog reply combined the double dashes appearing before ‘purge’, added an extra space below for the sake of readability.
apt remove – -purge virtualbox.5.0.40
@Clem, at some future time, will there be a blog reply preview feature added? Many thanks.
Oops! Extra space between double dashes didn’t work either!
Also, noticed couple of typos, first reply should read…
Been using 5.1.30 with a previous 4.13 kernel for sometime without issue.
– VirtualBox 5.1.30 link
https://www.virtualbox.org/wiki/Download_Old_Builds_5_1
Thank you
I faced the exact same problem after updating to the 4.13 kernel: dkms error while installing and complete system lockup (cannot even drop to tty) on running virtualbox guest. The virtualbox problem I managed to overcome by downloading and installing 5.1.30 as per Dave B’s suggestion (thanks Dave). But the command to “apt remove –purge virtualbox.5.0.40” does not work. What I did is uninstall all the virtualbox packages via Synaptic. Now I guess all that is left is to wait for the ndiswrapper update.
It’s a known bug, Virtualbox 5.0.40 (on host) can make the system with kernel 4.13 freeze when you run any VM with any guest OS.
https://bugs.launchpad.net/bugs/1736116
Install 5.1.30 from the official virtualbox.org repos. 5.0.40 is 8 months old, 5.0 branch isn’t supported by Oracle since then, and it’s not known if it’ll be possible to fix 5.0.40 in Ubuntu repos. Get 5.1.30.
As for ndiswrapper, do you guys really need it?
“Description: Source for the ndiswrapper Linux kernel module (DKMS)
Some vendors do not release specifications of the hardware or provide a Linux driver for their wireless network cards. This project implements Windows kernel API and NDIS (Network Driver Interface Specification) API within Linux kernel. A Windows driver for wireless network card is then linked to this implementation so that the driver runs natively, as though it is in Windows, without binary emulation.”
Hi Talji,
Apologies, lack of sleep, correct command is ‘apt remove --purge virtualbox’ (two dashes before ‘purge’)
Pleased was able to help 🙂
Today I used the .deb from virtualbox website and switched back to the new kernel. everything working again.
In my case I had to remove the virtualbox-dkms package and had to ” sudo /sbin/vboxconfig ” afterwards to get it running again.
Thanks for advice and (for LM team) thanks for the excellent distro and all the hard work!
Hi Monsta, I did read the ndiswrapper description even before you mentioned it. And I was also wondering why I would need it. But I checked in Synaptics and I saw that ndiswrapper and ndiswrapper-dkms are already installed. So I supposed ndiswrapper is needed for some reason. According to Wikipedia: “Native drivers for some network adapters are not available on Linux as some manufacturers maintain proprietary interfaces and do not write cross-platform drivers. NDISwrapper allows the use of Windows drivers, which are available for virtually all modern PC network adapters.”
So far, however, even though there was an error pertaining to ndiswrapper during installation of kernel 4.13, I am still able to access the network via wifi without any problem. The error messages are:
ERROR (dkms apport): kernel package linux-headers-4.13.0-26-generic is not supported
Error! Bad return status for module build on kernel: 4.13.0-26-generic (x86_64)
Consult /var/lib/dkms/ndiswrapper/1.60/build/make.log for more information.
See, your network is fine without ndiswrapper module loaded (it’s not loaded as it failed to build). Looks safe to uninstall it.
For the sake of future reference, missed the asterisk in previous post. 🙂
Correct command is…
apt remove --purge virtualbox*
(two dashes before ‘purge’)
Oh, I have the same issue. I’m not the only one!
I will try this solution and report the conclusion.
thanks.
HI Linux Mint.
After I followed the update instructions, my PC was broken. I have a big resolution of 640 x 480 on the monitor. And after a few minutes my machine rebooted! The monitor will become dark. It’s a total disaster.
Last news: I made a downgrade with Linux Mint. I chose kernel version 3.13 24. Don’t ever make a system update! If everything goes fine. IMHO there is no Spectre and Meltdown bug. It’s a fantastic story, useful to buy a new device
Hi Maurizio,
Please take these vulnerabilities seriously. They’re extremely worrying.
We’ve been working really hard here and I know upstream devs in Debian and Canonical (and probably many people in the IT industry) have been working overtime to get this shipped to you ASAP. Things have been rushed, corners have been cut, mistakes are being made and some components are getting out earlier than they normally would. There are indeed a few bumps on the road. Don’t take this lightly though, this has to be patched.
We just released a second update to fix DKMS in Mint 17.x with 4.4.0-lts1 and 3.13.0-lts1. Canonical is releasing a fix for ndiswrapper. We’ve still a few issues with Virtualbox and NVIDIA 340. Everybody is working really hard to get everything solved.
I do apologize for my previous reply. But I was in total panic. Anyway I made the upgrade. I have a problem with the GPU. I have a Geforce 9600s. There is a resolution of 640 x 480 and after a few minutes the screen becomes dark and the machine goes into stand-by mode. My driver version is 340.102.
Hi Maurizio,
Maybe switch to the open source nouveau driver for now, then try the NVIDIA proprietary driver again in a few days?
@DaveB.
The new situation is: kernel version is 3.13.39. I lost the Nvidia proprietary driver configuration. I tried to install the old 340.102 driver. It’s total chaos. Probably I will make a new installation of Mint 17, without the Intel patch possibly…
@Maurizio
Since considering a clean install, it’s a great opportunity to try Mint 18.3? 🙂
I know Meltdown is solved for now but as I saw there are no patches against Spectre yet on this kernel or 4.13.0-26 for that matter.
hi Fernando
Just install the new kernel 4.4.0-108 as Clem already said and remove this old kernel! I did it and everything went fine so far.
Dell Latitude E5530 refuses to fully boot after Kernel update, or it does and I can’t see it because the display remains blank/black. Having to do fresh install on that laptop to get back functionality, PITA. Lenovo T510 Thinkpad worked just fine after same update, no problems.
Hi,
You do NOT need to do a fresh install. From the boot menu, choose Advanced Options and from there you can boot from your previous kernel. If you made a system snapshot with timeshift you also have the possibility to restore it by running timeshift from the live DVD/USB-stick.
I was running 18.3 and installed using all defaults. By default I do not see the ‘boot menu’ at start-up. Who knew? I do now so will edit & update the grub file going forward. Holding shift at boot did not bring up boot menu either. re: Timeshift appears to require more space than the original entire drive it is imaging and so just another time sink to figure out. I just ‘back-up’ the usual suspects and reinstall. As it stands this latest Kernel tweak makes my Dell Laptop not a good choice for Linux Mint. As much as I hate to, I’ll head back to Windoz on the Dell as MS upgrades on my Windoz desktop did not brick the Windoz 7 in the process. The Thinkpad with Linux Mint handled the new kernel no problem, I just prefer the Dell hardware. Oh well. It’s this type of hassle that keeps Linux adoption down.
@W7DAH “Holding shift at boot did not bring up boot menu either.” Doesn’t work on my Dell inspiron 1501 either. I use F2 as stated in the lower left corner of the boot screen.
I got the Dell back online after some less than linear contortions. In no particular order, got rid of VirtualBox, did the MicroCode update, and today the 4.13.0-31 and now ‘stuff’s’ workin’ again.
hi Clem,
Just doing the kernel update via Synaptic. I hope everything will go well. But one question regarding browsers:
How are things with the Vivaldi browser? How do I do these steps in the Vivaldi browser?
“Chrome Site Isolation
If you are using Google Chrome or Chromium, please follow the steps below:
“Type chrome://flags in the address bar and press Enter.”
“Scroll down the page and find “Strict site isolation” and press the Enable button.”
“Restart the Chrome browser.”
https://www.chromium.org/Home/chromium-security/ssca
“Opera”
“If you are using the Opera browser, visit opera://flags/?search=enable-site-per-process, click Enable and restart Opera.”
And a further question: what about Intel-Microcode-Updates??
Because I have Intel-Chipsets and I read already, that also Intel is affected and has pushed out updates??
Greetings
hi Clem,
back after kernel-update. I am now on Kernel 4.4.0-108.
Everything fine so far. No loss in performance as so far. Old kernel 4.13 is removed via Synaptic.
Now let’s go on with browser security. What are the steps for the Vivaldi browser?
And afterwards I would love, if microcode-Update for Intel would be pushed out as Intel already released updates according to this forum here.
Greetings
Andrea
Hi Andrea, Just type “flags” (not “about://flags”) in the address bar and follow the chrome instructions (Vivaldi is a chrome derivative).
Hi,
Sorry forgot to mention on some computers you have to enter “vivaldi://flags” in the address bar if “flags” doesn’t work.
Cheers
I already checked my drivers-updater for new version of intel-microcode. But there was none until up to now.
This should be worked on and released when ready.
Greetings
Referring to this here:
“Firefox 57.0.4
“Firefox was patched. Please use the Update Manager to upgrade it to version to 57.0.4.
“https://usn.ubuntu.com/usn/usn-3516-1/”
“https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/”
There is an easier way. Just install the official repositories of mozilla-security and mozilla-team via Launchpad!
Then go to your terminal and run:
sudo apt-get update
followed by
sudo apt-get dist-upgrade
Greetings
For the new version of Firefox, just add these repositories to the software-sources:
ppa:mozillateam/firefox-next
ppa:ubuntu-mozilla-security/ppa
Then do the steps in the Terminal as I already said.
Greetings
@ Clem
LinuxMint already has the new Firefox installed, so I just checked my Firefox for version and it is already version 57.04. So there is no more update necessary. Now I wait for Intel-Microcode and Vivaldi.
@ Clem
One question about this instruction of yours:
“Stay away from 3rd party applications, proprietary in particular”
But: graphics drivers, intel-microcode and so on are also 3rd-party applications, or not?
We should not stay away from those, in my opinion. Graphics drivers and such microcode should be updated. And how are things with apps in Flatpak? Are these apps patched?
Information on this point would be welcome, because over the last few days I did a new clean install of Linux Mint 18.3, together with a complete new setup of my mother’s PC with Windows 10. There the version upgrade also caused big trouble, which could only be resolved with a clean fresh install after a reset of her old system (she still refuses Linux, which I dislike :-/ ).
Greetings
VMWare stopped working after updating to latest kernel 4.13.0-26-generic. VMWare Workstation 12. It says before you can run VMware, several modules must be compiled and loaded into the running kernel. Any thoughts?
Hi Daniel,
This is untested but worth a try. Create a snapshot before trying it. https://plumz.me/archives/7028/.
Hi Daniel,
Kernel 4.13 series is too new for VMware Workstation Player 12, there’s a newer version VMware Workstation Player 14, but noticed a bug, created VM’s do not appear in the main window (VM can still be launched by double clicking their .vmx file in the corresponding folder)
– Latest version 9th Jan. 2018
VMware-Player-14.1.1-7528167.x86_64.bundle
Hi Daniel,
I was able to use VMware Workstation 12 by going to the kernel 4.4.0-109.
That’s why I love Linux Mint: Update Manager -> Linux Kernels -> 4.13.0-26 and the magic happens … All right also with the update from Nvidia to version 384.111. Thank you!
#dkms status
bbswitch, 0.8, 4.13.0-26-generic, x86_64: installed
nvidia-384, 384,111, 4.13.0-26-generic, x86_64: installed
#uname -a
Linux Aspire-E5-573G 4.13.0-26-generic # 29 ~ 16.04.2-Ubuntu SMP Tue Jan 9 22:00:44 UTC 2018 x86_64 x86_64 x86_64 GNU / Linux
Acer Aspire-E5-573G-58B7
Jacques
Hi
Here’s a script to check if you are vulnerable
https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability/
@ Clem
One more question referring to this of you:
“You should stick to the kernel updates available in the main screen of the Update Manager. If you do, these will always show the latest kernel available for the series you’re on, and that series either is LTS (kernel 4.4 in Mint 18.x) or HWE (currently 4.10), both of which receive security updates.”
There I would like to know: what’s the difference between LTS and HWE? What does HWE mean? LTS is clear to me: Long-Term Support. But HWE?
This would interest me.
Greetings
https://wiki.ubuntu.com/Kernel/LTSEnablementStack
hi Maurizio Tosetti January 10, 2018 at 9:19 pm
Referring to your comment, one question:
“I do apologize for my previous reply. But I was in total panic. Anyway I made the upgrade. I have a problem with the GPU. I have a Geforce 9600s. There is a resolution of 640 x 480 and after a few minutes the screen becomes dark and the machine goes into stand-by mode. My driver version is 340.102.”
Do you have your electricity on?? You should just plug in your electricity-cable. You seem to run on battery-power or?? For me this happens after a longer time, when I am on battery-power without electricity. 😀
@Andrea Yes, obviously. It’s a desktop PC. There is electricity. After the monitor went to 640 x 480 resolution and standby mode, I made a disaster. I tried to go back with the system kernel and I failed. I installed the old driver version 340.102. Anyway I lost all the Nvidia configuration settings. Actual kernel 3.13.139.
Today the PC has the correct resolution and the standby mode has disappeared. But after a few minutes of use the CPU temperature increases to 80 degrees after I have watched YouTube. Before, it was 45-50 degrees.
Didn’t seem to do the trick.
cc1: some warnings being treated as errors
scripts/Makefile.build:308: recipe for target ‘/tmp/modconfig-4f4RXG/vmnet-only/bridge.o’ failed
make[2]: *** [/tmp/modconfig-4f4RXG/vmnet-only/bridge.o] Error 1
make[2]: *** Waiting for unfinished jobs….
Makefile:1550: recipe for target ‘_module_/tmp/modconfig-4f4RXG/vmnet-only’ failed
make[1]: *** [_module_/tmp/modconfig-4f4RXG/vmnet-only] Error 2
make[1]: Leaving directory ‘/usr/src/linux-headers-4.13.0-26-generic’
Makefile:120: recipe for target ‘vmnet.ko’ failed
make: *** [vmnet.ko] Error 2
make: Leaving directory ‘/tmp/modconfig-4f4RXG/vmnet-only’
Unable to install all modules. See log for details.
Sorry, I should have put
Daniel
January 10, 2018 at 10:51 pm
VMWare stopped working after updating to latest kernel 4.13.0-26-generic. VMWare Workstation 12. It says before you can run VMware, several modules must be compiled and loaded into the running kernel. Any thoughts?
Reply
Linux Mint
January 10, 2018 at 11:43 pm
Hi Daniel,
This is untested but worth a try. Create a snapshot before trying it. https://plumz.me/archives/7028/.
Hi Daniel,
Hope you saw my in-lined reply to your original VMware question.
Mint is actually faster after update. Only problem I have is I don’t get a logo anymore.
I get the working screens, which are normally hidden behind the logo.
This has been happening since upgrade to 18.3.
With the latest 4.13.0-26 Kernel+all available it appears to break the driver manager recommended Nvidia 340 driver. This is on a laptop and prime indicator also doesn’t work. Not 100% sure if it’s the kernel change or something else. The issue does seem to fix itself if I install Nvidia 384.111… except now the driver manager indicates I’m using the software drivers… strange… BTW this was a clean install.
Yes, you’re right, but all I had to do was uninstall the Nvidia driver, then after reboot reinstall the Nvidia driver, and after reboot everything worked fine. It’s kind of weird but that is all it took with the 340 driver for me.
Need Help!!!! Getting the following errors when trying to update the kernel:
Error! Bad return status for module build on kernel: 4.13.0-26-generic (x86_64)
Consult /var/lib/dkms/ndiswrapper/1.60/build/make.log for more information.
Error! Bad return status for module build on kernel: 4.13.0-26-generic (x86_64)
Consult /var/lib/dkms/nvidia-367/367.57/build/make.log for more information.
run-parts: executing /etc/kernel/postinst.d/initramfs-tools 4.13.0-26-generic /boot/vmlinuz-4.13.0-26-generic
update-initramfs: Generating /boot/initrd.img-4.13.0-26-generic
Warning: No support for locale: en_NZ.utf8
run-parts: executing /etc/kernel/postinst.d/pm-utils 4.13.0-26-generic /boot/vmlinuz-4.13.0-26-generic
run-parts: executing /etc/kernel/postinst.d/zz-update-grub 4.13.0-26-generic /boot/vmlinuz-4.13.0-26-generic
Generating grub configuration file …
Found linux image: /boot/vmlinuz-4.13.0-26-generic
Found initrd image: /boot/initrd.img-4.13.0-26-generic
Found linux image: /boot/vmlinuz-4.10.0-14-generic
Found initrd image: /boot/initrd.img-4.10.0-14-generic
Found linux image: /boot/vmlinuz-4.4.0-53-generic
Found initrd image: /boot/initrd.img-4.4.0-53-generic
Found Windows Boot Manager on /dev/sda1@/EFI/Microsoft/Boot/bootmgfw.efi
Adding boot menu entry for EFI firmware configuration
done
Setting up linux-image-extra-4.13.0-26-generic (4.13.0-26.29~16.04.2) …
run-parts: executing /etc/kernel/postinst.d/apt-auto-removal 4.13.0-26-generic /boot/vmlinuz-4.13.0-26-generic
run-parts: executing /etc/kernel/postinst.d/dkms 4.13.0-26-generic /boot/vmlinuz-4.13.0-26-generic
Error! Bad return status for module build on kernel: 4.13.0-26-generic (x86_64)
Consult /var/lib/dkms/ndiswrapper/1.60/build/make.log for more information.
Error! Bad return status for module build on kernel: 4.13.0-26-generic (x86_64)
Consult /var/lib/dkms/nvidia-367/367.57/build/make.log for more information.
run-parts: executing /etc/kernel/postinst.d/initramfs-tools 4.13.0-26-generic /boot/vmlinuz-4.13.0-26-generic
update-initramfs: Generating /boot/initrd.img-4.13.0-26-generic
Warning: No support for locale: en_NZ.utf8
hi bananabob
It seems, that this kernel 4.13.0-26 doesn’t seem to work for you. Then you better install the kernel 4.4.0-108 or even 4.4.0-109. This works like a charm for me. And then remove this old kernel.
Greetings
Could this be because of this bug in ndiswrapper? https://bugs.launchpad.net/ubuntu/+source/ndiswrapper/+bug/1706430
Can you check your ndiswrapper version? According to the above thread, the fix was in version 1.60-4ubuntu1.
The funny thing is 4.13 boots and everything is working fine so far.
Good morning from Germany.
Thanks a lot for all your work.
Well, let’s say I have been a hobby user of Linux for many years.
Yesterday I did all the updates in the update manager.
Luckily Linux is still working, but not the higher monitor resolution of the nvidia driver.
This morning I find Kernel 4.4.0-LTS 1 in the update manager.
It did not work to update; instead it said I should run something on the command line, which I can’t remember properly and I don’t want to try again.
Better to use the PC with this low resolution than a full crash.
I tried to install timeshift; it said: another application is using APT at present: dpkg
Of course, as a hobby user I prefer easy and clear GUIs (graphical user interfaces).
I can use the root terminal, but of course I lose control and don’t know more or less what I am doing. There the need of a pro is basic.
Linux Mint Rosa 17.3 – 64 bit
Kernel : 4.4.0-109
Nvidia-340 it says recommended
Firefox: 57.0.4 – 64 bit
Anyhow thanks in advance
Helmut
Hi Helmut,
Timeshift is a graphical tool. If you’re launching it from the terminal type “sudo timeshift-gtk”.
This morning I found Kernel 4.4.0-LTS 1 in the update manager.
I got the information now again:
E: the dpkg process was interrupted; you must manually run »sudo dpkg --configure -a« to solve the problem.
E: _cache->open() failed, please report.
Will it solve my above mentioned monitor resolution problem?
By the way, it is an AMD CPU.
thanks
I had some problems which may be of interest. I had problems when I installed the Nvidia driver 384.111 first, then the 4.4.0-109 kernel. Installing the kernel first, then the Nvidia driver works on my system. More info in this forum thread, particularly the 11th post:
https://forums.linuxmint.com/viewtopic.php?f=208&t=261394#p1412465
I wanted to throw that out here, just in case there really is some sort of installation order dependence.
But it may be something else that caused the problem. I have a vague memory that the first time I installed the 109 kernel (after installing the Nvidia driver) when the update manager gave me a message about items being installed with that package, there were only 3 (I think) items, but when I later installed the 109 kernel (before installing the Nvidia driver, and still using Nouveau) there were more (about 6) items in the list. So I don’t know if it’s really order dependent, but if you’re having a problem, maybe worth trying to install the kernel before the Nvidia driver.
The order shouldn’t really matter. The absence of the headers could have been an issue though, this was fixed with the 4.4.0-lts1 update.
Hi there, will there be an update for Firefox 52 as well eventually?
Successfully moved from 4.8.0-53 to 4.13.0-26. I removed nvidia drivers, restarted the system, reinstalled the drivers and everything is up and working.
Thumbs up for Linux Mint Team!!!
Firefox ESR 52 is not vulnerable to Spectre. I think only the new Quantum Firefox was vulnerable.
Thanks, I didn’t realize that.
52 was *less* vulnerable than 57, because it doesn’t support one of the two precision timing sources which have now been dealt with in 57.0.4. The current 52.5 will not have the other timing source fixed – that will happen with 52.6 in a couple of weeks.
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
Here’s how to check for Meltdown and Spectre vulnerabilities on Linux:
https://github.com/speed47/spectre-meltdown-checker
sudo sh spectre-meltdown-checker.sh in Terminal where you downloaded spectre-meltdown-checker.sh 🙂
Ok, this is my personal take on this. Let me get that straight, right now the world is on panic mode like a deadly human virus has been found and we are all going to die. Developers are scrambling to patch things here and there without testing everything and breaking thousands of perfectly working systems because MAYBE you could catch a virus that could exploit that flaw even though no such attempt has been identified in the world.
There are lots of system vulnerabilities in software identified every day since the creation of the computer, and they eventually get fixed. But this particular one, which has existed for years, is supposedly the biggest threat to humanity. I will not be rushing to patch anything until this panic mode recedes and cooler heads prevail to get the proper system corrections. I would rather have a fully functioning machine than a broken and crippled one just in case I could, maybe, somehow catch a virus, which I never did in my life.
I would love to read a few comments or some answers to this insightful opinion!
I think the same, don’t stress too much about it, if nobody used that vulnerability in 10/15 years, maybe it’s not the easiest vulnerability to use.
Linux Mint 17.3 Cinnamon on AMD Phenom x3 with NVIDIA C77 [GeForce 8200] now running latest NVIDIA driver 304-135-0ubuntu0.14.04.1 with kernel 4.4.0-109-generic – your recommended driver 384-111 appears in neither Driver Manager nor Update Manager – do I need to get it elsewhere or will it become available shortly?
hi Clem
Wanted to come back to say that, also after the updates, everything is working fine here. Just waiting for the microcode updates from Intel and these others. When will they arrive??
Greetings
They already arrived. I have seen the Intel microcode update in the update manager today and installed it. Update your update manager to see it in the list of available updates.
My current Linux kernel says 4.8.0.53
The update manager offers 4.13.0.26.29 as a level 4 update. Normally I only stick to level 1 and 2.
Should I choose this one? Or else, where to get 4.13.0.25?
All 4.13 kernels starting with 4.13.0.25 include the fix. 4.13.0.26 offered by the Update Manager is already the next version. You can use it. I updated from 4.10 to 4.13 and I’m experiencing problems with the new kernel on 2 different machines. On one of them I went back to a kernel 4.4 (they are also patched) because it wouldn’t boot with 4.13. On the other one I switched from the NVIDIA driver to the open source graphics driver. Kernel 4.13 is running fine on another 2 machines at work so it may work for you, too.
I have a clean install of 32 bit Linux Mint 18.3 xfce on an old Dell laptop. I have updated the kernel to 4.13 and applied all the other updates. I ran the Spectre and Meltdown mitigation tool mentioned in this thread and I get the output below. This shows the ‘Spectre Variant 1’ vulnerability is mitigated, but the ‘Spectre Variant 2’ and ‘Meltdown’ vulnerabilities are not mitigated.
Is this the expected output?
Spectre and Meltdown mitigation detection tool v0.27
Checking for vulnerabilities against live running kernel Linux 4.13.0-26-generic #29~16.04.2-Ubuntu SMP Tue Jan 9 21:38:24 UTC 2018 i686
CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
* Checking count of LFENCE opcodes in kernel: YES
> STATUS: NOT VULNERABLE (805 opcodes found, which is >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
A false sense of security is worse than no security at all, see –disclaimer
We’re probably going to see updates related to Meltdown and Spectre all year and new types of exploits based on these could be discovered. Keep applying security updates as they become available.
On most computers, the biggest issue with security is the user. Applying only the security updates you see listed here as opposed to what’s available in the update manager would be a mistake. That blog post will never be exhaustive, and neither will that script. Running a script from a website you don’t know (luckily this one looks legit) is something you should never do. We’re advising you the best we can but at the end of the day there’s only one sysadmin on your computer, and it isn’t us, it’s you.
http://forums.debian.net/viewtopic.php?f=3&t=135775&sid=333beb75703ac577388e4955a1946bf3&start=60#p663711
According to this post on the debian forums the KPTI patch for meltdown has only been applied to 64 bit kernels. The 32 bit kernels are still vulnerable. They are planning to work on it, but there is no time line.
As a non technical computer user of the Linux O/S I rely very much on the Update Manager to keep things up to date and functioning correctly. That said, I was also taught that installing L4 & L5 updates is not advisable because it can lead to system instability.
I would therefore appreciate guidance regarding the last update that included several L4 and L5 notifications which were not highlighted to be updated even though these non-selected updates refer to:
xorg-server
linux
linux-firmware
linux-kernel
In view of the recent press comments about two potential security problems, would it be best to install these level 4 & 5 upgrades contrary to the note at the bottom of the window that informs me my system is up to date? I suppose I’m really asking if I should treat the kernel update as an L1 update?
My system info:
Operating System: Mint 17.1 Cinnamon 64-bit
Cinnamon Version: 2.4.8
Linux Kernel: 3.13.0-37-generic
Processor: Intel Core i5-4460 CPU @ 3.2GHz x 4
Graphics Card: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor Integrated Graphics Controller
Same doubt here.
But I’m on Mint 17.3 and kernel 3.19.0-32
The update level isn’t an indication as to whether or not you should or should not install updates. You should ALWAYS install security updates. It’s an indication of how sensitive the package is on your system. If anything it’s an indication of how careful you should be when installing it. In other words, if you see a level 4/5 security update, you need to install it, but it’s a good idea to make a system snapshot beforehand.
After kernel updates, multiple computers work faster and better than before. (Smoother video play back, quicker startup/shutdown, snappier response, etc.) Can anyone explain why?
I’ve seen kernel 4.13 in the update manager today. I have kernel 4.10; isn’t it risky to change to 4.13?
Updating from 4.10 to 4.13 has caused problems on 2 of my machines while 2 others are working fine. If 4.13 is causing trouble on your computer you can try 4.4 which is also patched. If your computer does not boot fully after the update to 4.13 restart it and select a different kernel in the advanced boot options of the grub boot menu.
Will the NEW Downloads of LM 18.3 from the linked mirrors have this kernel update already?
No. The LM 18.3 ISO is packed with kernel 4.10. You should update the kernel to 4.13.0-26 or install kernel 4.4.0-109 right after installation.
I’ve updated to kernel 4.13 and now wifi is gone. I cannot connect with Linux Mint 18.2. Any idea what the problem can be?
I have made the update in my Linux Mint from kernel 4.10 to 4.13 as it appears in the update manager, and now wifi is gone. I cannot connect to my wifi. What could be the problem, any idea? How to fix it?
@DaveB I have an old PC. It’s 10 years old. Is it compatible with Linux Mint 18.3? It’s a Core 2 processor.
@ Maurizio
Having installed Mint 18x on several old computers (one was a C2D CPU), I’d say give it a try. If the Mint live session fails to boot, try booting with nomodeset.
Without knowing which version you will be installing/trying, check the release notes for further tips
https://linuxmint.com/rel_sylvia_cinnamon.php
I’m using kernel 4.4. Updates proposed that I install kernel 4.13.0-26. After the installation, it is impossible to start a VirtualBox VM. The VM AND Linux Mint freeze. I uninstalled kernel 4.13.0-26 and placed it in the blacklist.
We discussed this problem above. This is a known bug running Virtualbox 5.0.40 in kernel 4.13. The solution is to uninstall 5.0.40 and install 5.1.30 directly from virtualbox.org. Please refer to the steps above.
I went back to kernel 4.10.0-42 in my Linux Mint 18.2 and wifi came back, so there is a problem with kernel 4.13.0-26 that makes it impossible for me to connect to wifi.
If you need to change kernel and go back to a previous kernel, during boot press the Shift or Escape key and choose the kernel to boot with, then delete the new, faulty kernel in the update manager (in my case I deleted kernel 4.13.0-26). Now if you reboot, you’ll use the last kernel installed (in my case 4.10.0-42).
My laptop wouldn’t boot with the 4.13 kernel so now I’m using the patched 4.4 kernel, not any unpatched 4.10.
If kernel 4.13 doesn’t work for you, just go to kernel 4.4.0-109, as kernel 4.10 is vulnerable to Meltdown and Spectre.
Thanks, for the hardworking Community. Micro-code is up and running.
🙂
LMDE 2 user, I can work with terminal but I’m not at all an expert
Kernel update went totally fine.
At least on my LMDE2, Timeshift is NOT preinstalled / available in App Menu btw, and you can not install the actual git version 17.11, however 17.2 works (https://github.com/teejee2008/timeshift/releases/download/v17.2/timeshift-v17.2-amd64.deb). Unfortunately Timeshift requires 150GB free EXT4 memory here for an image, which I can not provide at the moment, so archived the system with another tool for updating NVIDIA drivers.
Downloaded NVIDIA driver .run FIle
Installer tells me to stop X session, which is of course not a problem
Next try, after “decent” warnings installer aborts again and tells me to remove thee debian-packages first before using .run file. But which packages does it mean exactly?
I have to admit I hate nothing more than installing nv-drivers manually; every time I did, it ended with minor display issues in the best case or failing X sessions and reinstalling Linux in the worst case.
How critical in security would it be to remain on the legacy 340 branch and/or is it already sure that there will never be a backport?
Do I necessarily have to install microcode too, or is it enough to update the kernel?
Hi Gian,
Run the Driver Manager to see if it suggests it. If it does we recommend you do install it.
Yes, install microcode too, this one works fine, it’s not like kernel 4.13.0-26 (many users have problems with that kernel version).
Thank you and good work.
After installing kernel 4.13.0-26 I encountered the problem of ^@ being constantly generated making it impossible to login in a tty.
This is reported at https://bugs.launchpad.net/ubuntu/+source/gnome-terminal/
Bug 1722298
The workaround solution for me was to remove and blacklist peaq_wmi
When is it planned to add the 340.104 Nvidia driver to the “Ubuntu updates” repository to work with the 4.13 kernel?
After the kernel update in Linux Mint 17.3 to upstream 4.4 the system does not boot anymore. After loading the kernel it reboots … so switching back to the old kernel.
Please fix it!!
I was running 17.1 and upgraded to 18.3 and am currently running 4.13.0-26 and am still vulnerable to Spectre. Am I missing something?
Spectre and Meltdown mitigation detection tool v0.27
Checking for vulnerabilities against live running kernel Linux 4.13.0-26-generic #29~16.04.2-Ubuntu SMP Tue Jan 9 22:00:44 UTC 2018 x86_64
CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
A false sense of security is worse than no security at all, see –disclaimer
These kernel updates fix Variant 3 (Meltdown). Ubuntu are still working on fixes for Variants 1 & 2 (Spectre).
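Added example (not part of any comment here, and not the checker project's own code): a small shell filter that reduces a report like the two pasted in this thread to one verdict per CVE, so it is easy to see which variants are still open after a kernel update. The function names are made up for this example, and it assumes the plain-text layout shown in those pastes.

```shell
#!/bin/sh
# Added example: summarise a spectre-meltdown-checker text report per CVE.
# Assumes the layout pasted in this thread: a "CVE-..." heading followed,
# some lines later, by a "> STATUS:" line. Function names are hypothetical.

# checker_summary: report on stdin -> one "CVE-ID VERDICT" line per CVE, in
# report order. VERDICT is NOT_VULNERABLE, VULNERABLE, UNKNOWN (status text
# not recognised) or NO_STATUS (heading present but its STATUS line missing,
# for example in a truncated paste).
checker_summary() {
    awk '
        /^[ \t]*CVE-[0-9]/ {
            cve = $1
            if (!(cve in verdict)) order[++n] = cve
            verdict[cve] = "NO_STATUS"
            next
        }
        /STATUS:/ && cve != "" {
            # Test "NOT VULNERABLE" first: it contains "VULNERABLE".
            if ($0 ~ /STATUS:[ \t]*NOT VULNERABLE/)  verdict[cve] = "NOT_VULNERABLE"
            else if ($0 ~ /STATUS:[ \t]*VULNERABLE/) verdict[cve] = "VULNERABLE"
            else                                     verdict[cve] = "UNKNOWN"
        }
        END { for (i = 1; i <= n; i++) print order[i], verdict[order[i]] }
    '
}

# checker_open_cves: list every CVE whose verdict is anything other than
# NOT_VULNERABLE, so a truncated or unreadable report never counts as clean.
checker_open_cves() {
    checker_summary | awk '$2 != "NOT_VULNERABLE" { print $1 }'
}

# Sample input, abridged from the 32-bit (i686) report pasted in this thread.
sample_report_i686() {
    cat <<'EOF'
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: YES
> STATUS: NOT VULNERABLE (805 opcodes found, which is >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Kernel compiled with retpoline option: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
EOF
}

# Sample input, abridged from the 64-bit (x86_64) report pasted in this thread.
sample_report_x86_64() {
    cat <<'EOF'
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Kernel compiled with retpoline option: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
EOF
}

echo "i686:";   sample_report_i686   | checker_summary
echo "x86_64:"; sample_report_x86_64 | checker_summary
```

To use it on a real run, save the checker's output to a file and pipe that file into checker_summary.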
I have a year-old-laptop, so I’ve been using Mint 18.1 Cinnamon and the 4.8 kernel. I switched over to 4.13.0-26 per the security recommendation. This created a problem. I am using Samba to access a file server and had several directories shared from that server, auto-mounted from the laptop via fstab. I am still able to connect to the shared directories, but only in read-only mode — the directories that are set to read-write can not be written to when I use the 4.13 kernel. I used Timeshift to revert to 4.8 and read-write is working again. Has anyone run into this or know of a solution? Thanks!
Same problem here, cifs also not working. Switching to kernel 4.4.0-109 solved the problem for me. Regards…
OK, I was able to fix this.
Under kernel 4.8, you could use just the generic ro and rw mount options in fstab to set shared directories as read-only or read-write, respectively.
Under kernel 4.13, you need to use the cifs-specific uid=1000 option to set the directory as read-write (it makes you the owner of the files/directories so you can modify them.)
(Thanks to https://wiki.ubuntu.com/MountWindowsSharesPermanently)
Do we still need to try to update the processor (some microcode BIOS update)? I don’t remember where, but I read Intel had some patch where we Linux users can drop a file somewhere and at boot time it would do some update to the processor… Have I dreamed? (So no need to do a BIOS upgrade.)
All I’ve seen about such things is that they tell you to contact your manufacturer.
The main problem there is that I have been trying to learn Linux Mint with an MPC ClientPro 385 and MPC Computers went out of business around 2006! I find the Intel vPro multicore in it is DANDY but it irks me to no end for Intel to cop out so badly. In the meantime I hold the whole story to be implausible, FAKE and made up by Google. I went to the Meltdown and Spectre website and was appalled that it really didn’t impart any new information to me and that the site owner seemed to be more concerned about you DOWNLOADED THE LOGO THEY MADE! Kindergarten!
Core2 6300 1.86 GHz is my Linux machine, 6144 MB RAM and I apologize, only one drive is showing in BIOS, 80 GB. Back to the books but I’ve never had such headaches setting up most Windows machines. I’m well past 50 now and not prone to learning non-Romance languages, so to speak.
The microcode update should come via the update manager, i.e. through your Linux Mint installation.
Will you PLEASE, PLEASE, PLEASE stop blindly recommending Nvidia driver 384.111 to all Mint users? Here is what the NVIDIA driver states when an install is attempted on an inappropriate video card:
WARNING: The NVIDIA GeForce 9500 GT GPU installed in this system is supported through the NVIDIA 340.xx legacy Linux
graphics drivers. Please visit http://www.nvidia.com/object/unix.html for more information. The 384.111 NVIDIA
Linux graphics driver will ignore this GPU.
@Leo I agree with you. I lost my GPU Nvidia settings, and the CPU temperature goes to a high level. I am thinking of a clean installation. I need urgent support from @clem and all the Linux Mint Team please.
I have a Gpu Geforce 9600s
Host with kernel 4.13 freezes when starting a VM with repo VirtualBox 5.0.40
see https://bugs.launchpad.net/ubuntu/+source/virtualbox/+bug/1736116
Freezes means even Magic SysRQ doesn’t help anymore, you have to hard turn off.
There seems to be no problem with VirtualBox 5.2.4. Would you change the repos to a compatible VirtualBox version or wait for a kernel fix?
Greetings
I have problems with VirtualBox 5.2.4 install. So using 5.1.30. VirtualBox 5.1.30 runs on 4.13 with no issues on kernel 4.13 Mint 18.3 KDE and Mint Cinnamon 18.3, on kernel 4.4 KDENeon, and Fedora 27 KDE (kernel 4.14).
Hi VEGalin,
VirtualBox 5.2.4 can only be installed after un-installing any older versions, otherwise the installer fails with an error. That aside, because of a current 5.2.4 theming issue (possibly due to version of Qt shipped with Mint), I’d stick with 5.1.30 for now.
Thank you, Dave B, I’m going to stick to 5.1.30 in the near future. Till official upgrades to 5.2 maybe.
Newest intel-microcode update 3.20180108.0~ubuntu16.04.2 broke WiFi in my laptop with Intel network card (Wireless 7265) and Linux Mint 18.3 64bit. Downgrading to 3.20170707.1 got it working again. Hope this will be fixed so I can install the intel-microcode update.
https://launchpad.net/ubuntu/xenial/amd64/intel-microcode/3.20170707.1~ubuntu16.04.0
First of all, I’ve never really figured out HOW TO CLEAR OLD KERNELS AND SUCH to get my installation to the point where I won’t get the dreaded Boot Full message when I’ve got 2×80 GB drives.
Therefore I find myself reinstalling and have done this 3 TIMES since I put it on one of my computers.
To be honest, I have this computer that I run IE 11 and Firefox 57.0.4 under Windows 7. I was so fed up with all of this ‘nonsense’ which is attributable to ‘PRE-FETCHING’ IIRC and that’s 2/3rds of my lifetime of using computers PERIOD, that I removed nearly all Windows hotfixes prior to December 1. We’ll see.
On top of that, FF 57.0.4 for Windows has become a hoggy piece of junk again on a Pentium G320 2.60 with 4 GB RAM!
So I have low confidence in bothering to ‘fix’ my Linux machine. And as I said, a larger part is about all the piled up kernels and not knowing about how to even maintain that, I’m relatively new to Linux but I’ve used Windows for 32 years. While I like Mint a lot, this is a killer.
Use the Update Manager. Go to the View menu, then Linux kernels. All the available kernels are listed. The one in use will be shown as Active, while others installed but not in use will be shown as Installed. You can uninstall those ones if you want.
After doing this update, Virtual Box 5.0.40_Ubuntu r115130 crashes when starting Windows 10 guest. Has anyone found a workaround?
No sorry, Virtual Box not only crashes but freezes my entire machine.
Hi,
Here’s the bug report for this: https://bugs.launchpad.net/ubuntu/+source/virtualbox/+bug/1736116.
Hi happyman,
This has previously been discussed, simply remove VirtualBox5.0.40 using the following…
apt remove --purge virtualbox
(two dashes before ‘purge’)
Then download VirtualBox 5.1.30 .deb file direct from the following link. You’ll need the 16.04 (Xenial) version (double click downloaded file to install).
https://www.virtualbox.org/wiki/Download_Old_Builds_5_1
@Clem, For the future, for this particular software instance, is it possible to update Software Manager to use virtualbox.org .deb files, rather than relying on Ubuntu (modified) repo versions? Many thanks. 🙂
I guess that discussion is too old to read before posting a new comment
realtek 8168 user
you need r8168-dkms (8.044.02-2) if you run 4.13 kernel
https://packages.ubuntu.com/artful/r8168-dkms
I can’t even install updates until I do, which is why this box has been sitting for so long but for a few times surfing and checking mail while I fix the Windows machine. If they really wanted to make this helpful for novices it would weed these out for you and suggest changes or at least tell you what to expect. I’ll try this again but it was off-putting and highly confusing the last time I found it.
Yes, a broader kernel removal tool would really help. One at a time will take forever.
I uninstalled two of the six or so that were only marked installed and then was able to run all of my updates and the Intel patch. I was surprised that my old computer didn’t shout I’m melting!
But it’s 3 in the morning, my cat will wake up soon and nag me to get a nap.
Hi Asynchronousman,
Since you ask. Update Manager is the easiest, and safest method. Once you become more familiar with Mint, if you encounter this issue again, a more advanced method is to use Synaptic Package Manager.
For example…
In ‘Quick filter’ box enter linux-image
On the (lower) left pane click Status, then (above) click ‘Installed’ to show a list of installed kernels. ***Be careful here, only remove unused kernels, if in doubt do nothing!***
Best method is to not get into this situation in the first place, as soon as a newer kernel is installed, and you’re sure it works without issue, remove the older kernels (maybe except for one) with Update Manager.
You can uninstall old kernels by typing “sudo apt autoremove” in a terminal (Ctrl+Alt+T). It will remove all but the newest two kernels. First it will give you a list of items to be removed and then ask you if you want to continue, so it will be safe to do this.
Thanks, Clem, for the tremendous work and excellent support!
I’ve installed 4.4.0-109 and 4.13.0-26 (both, of course), and uninstalled all the other kernels, with Update Manager. So I have ASUS UV50vt, quite an old laptop, with only 3GB(!) RAM and Optimus(!) double GPUs but perfectly running (MBR mode, 64-bit all):
1. Linux Mint 18.3 KDE (4.13.0-26) with upgraded Nvidia 384.111 (no bumblebee and primus), intel microcode 3.20180108.0;
2. KDE-5.11.5 -Neon-dev-stable (4.4.0-109) with upgraded Nvidia 384.111 (with bumblebee and primus);
3. Windows 10 Home with wonderful newest Firefox, Auto – most famous – 2018 CAD, and Photo – most famous and recent – Shop – all run perfectly(!); and
4. Fedora 26 KDE (with bumblebee and primus), sorry, Clem 🙂
And ASUS Z87Pro, not quite an old desktop, with 16GB of RAM, i7-4770 (no PCI videocard added, only HD4600 in use) perfectly running (UEFI mode, 64-bit all):
1. Linux Mint 18.3 Cinnamon (4.13.0-26) (BTW, btrfs install, instant snapshots with Timeshift utility, and backed up to another disk btrfs partition with btrbk utility – automatically and on the running system, wow, thanks a lot!!!);
2. Linux Mint 18.3 KDE (4.13.0-26);
3. KDE-5.11.5-Neon(user) (4.4.0-109);
and other non-ubuntu OS-es as well…
Please hold on, and thanks again!
I have upgraded from 4.10.0-42 to 4.13.0-26 as proposed by Update Manager, but after reboot the login screen was at too low a resolution. After the login the screen was “black” for a few minutes, then I had the desktop at too low a resolution. So I reverted to 4.10.0-42. I have an NVidia card (GForce 6150SE) which uses the 304.135 driver. So, following a post in this discussion, I have (with 4.10.0 installed) removed the 304.135 driver in favor of the open source one (xserver-org-video-noveau-1.0.12, in Driver Manager); after reboot I installed 4.13.0-26 and rebooted. The 4.13.0-26 works with the open source driver. Then I reinstalled the proprietary driver (304.135 from Driver Manager) and rebooted: screen at too low a resolution! It seems the 4.13.0-26 works only with the open source driver! At the moment I have reverted everything to 4.10.0 and 304.135.
Ciao,
Angelo.
About VirtualBox problems, I’d recommend VirtualBox 5.1.30. It works OK on my Mints KDE and Cinnamon 4.13.0-26, and on KDE-Neon 4.4.0-109 as well.
I remember that the Installation instruction for Ubuntu, and so for Mint as its derivative, may be somewhere deeper in a Downloads sub-tree at the official VirtualBox web site.
And after install, do not make a “New” virtual machine but try to “Machine/Add” the current one. And it’d be better to compress the current VM (“VirtualBox VMs” folder and *.vdi files) for backup to some outer location before 🙂
On my laptop (Acer Aspire S3 MS2346) the 4.13-0-26 kernel breaks hibernation, switching back to 4.4.0-109 fixes this issue.
All good installing and running new kernel 4.4.0-lts1 (4.4.0-109) on Mint 17.3.
I removed old VirtualBox (apt-get remove --purge virtualbox*) and install 5.1.30 from vbox site. And it works find.
But there’s still vboxguest in “dkms status” output:
vboxguest, 4.3.18, 3.13.0-37-generic, x86_64: installed
How do I remove/upgrade this module?
s/works find/works fine/
Find the source and uninstalled VBoxGuestAdditions-4.3.18
Crap. s/Find/Found/ =)
Hello Yz. I am an absolute beginner. I am very confused. The information is contradictory. I write to you because I have Rosa 17.3 and I do not know exactly how to make the PC safe. How did you upgrade the kernel? The 3.19.0-32 kernel is currently loaded on my PC. Among those available for update there is no 4.4.0-109 kernel (the last one is 4.4.0-098).
But there is a level 5 update to 4.4.0lts1. What should I do?
@Giorgio
Just do the update to 4.4.0lts1 – that is what I did (Mint 17.3 KDE). I also did the update to nvidia 384.111 at the same time. Perhaps not the best idea because it didn’t go so well. After reboot I got a low resolution (1024×768 or 800×600 I think) and no option to change it. I tried going to nouveau (software driver via Driver Manager in Settings), but that was worse (640×480?) and I know from the past, nouveau never really worked for me. I then tried switching back to nvidia-384, and then all was good again.
Updating nvidia drivers always makes me nervous (from past experiences from older versions of Mint KDE/Kubuntu going back to Mint 10 Kubuntu 10.10 – Kubuntu was always a pain so now I avoid it, Mint KDE mostly just works). I always hesitate upgrading as what I have works fine, but this time due to the security issues I upgraded. This is one computer of several with Mint 17.3, but the only one with an Intel CPU.
After it seemed to be working (after a couple of reboots), I went back into Update Manager, View, Linux kernels, and selected the 3.19.0 kernel that was installed and Removed it (it was the only previous kernel I had installed as I usually don’t mess with upgrading the kernel – again, if it works, I don’t touch it).
After installing the 4.13.0-26 kernel in Mint 18.3 Mate, I also experienced the freeze when starting a guest in VirtualBox. After reading the comments here, my personal fix was to install the 4.4.0-109 kernel. That works for me, as I do not require a newer kernel. My usage of VirtualBox is minimal and intermittent, so I can wait for an official fix, whether it will be an update of 5.0.40 or an upgrade to 5.1.30 or 5.2.x.
They will have to fix VirtualBox, won’t they?
I know not everyone is running latest Linux Mint 18 but it says here that if you are, then need the 4.13.0-25 kernel to address the vulnerabilities. I did follow what someone suggested here is to upgrade the version of VirtualBox to 5.2 and things are working again.
Here is what I did:
1. sudo apt remove --purge virtualbox*
2. sudo sh -c 'echo "deb http://download.virtualbox.org/virtualbox/debian xenial contrib" >> /etc/apt/sources.list'
3. Went into Synaptic Package manager and “Reload”. Then Search for “virtualbox*” and select virtualbox-5.2 and apply. (I am sure there is a command for this).
For each version of Mint there are eventually two currently supported kernel series – the LTS series, which for Mint 18 is (and will remain) 4.4, and HWE, which for Mint 18 has just moved from 4.10 (and previously 4.8) to 4.13. HWE for Mint 18 will in a few months move to and then remain 4.15, which will also be LTS for Mint 19.
Patches are being rolled out for both 4.4 and 4.13, so in that regard 4.4.0-109 is equivalent to 4.13.0-26.
The new Nvidia Driver is driving me crazy.
Even with nothing open the Graph of the CPU has mini freezes.
Playing Games is not really possible.
Yes, I have the problem with CPU temperature
It’s not clear to me which I should use as I’m on Linux Mint 18.3 – do I use 4.4 or 4.13 (how do I know whether I’m HWE or not)? Both work for me, just not sure of the difference. No issues with NVIDIA or Microcode at all which was good to see.
4.4 series (Linux Mint 17 HWE and Linux Mint 18 LTS): patched in 4.4.0-108
4.13 series (Linux Mint 18 HWE): patched in 4.13.0-25
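Added example (not part of the thread or of Mint's tooling): a shell check that compares a kernel release string, and every kernel image still installed under /boot, against the two patched builds listed just above. The function names are made up for this example; series other than 4.4 and 4.13 are reported as not-listed rather than guessed, and the result says nothing about the Spectre variants.

```shell
#!/bin/sh
# Added example. Thresholds come from the comment above:
#   4.4 series  -> patched in 4.4.0-108
#   4.13 series -> patched in 4.13.0-25
# Function names are hypothetical.

# kernel_meltdown_status RELEASE
# RELEASE is an Ubuntu-style string such as 4.13.0-26-generic.
# Prints one of: patched | unpatched | not-listed | unparsable
kernel_meltdown_status() {
    release=$1
    # Require "MAJOR.MINOR.PATCH-ABI[-flavour]" with a numeric ABI.
    case $release in
        [0-9]*.[0-9]*.[0-9]*-[0-9]*) ;;
        *) echo unparsable; return 0 ;;
    esac
    series=${release%%-*}   # 4.13.0-26-generic -> 4.13.0
    series=${series%.*}     # 4.13.0            -> 4.13
    abi=${release#*-}       # 4.13.0-26-generic -> 26-generic
    abi=${abi%%-*}          # 26-generic        -> 26
    case $abi in
        ''|*[!0-9]*) echo unparsable; return 0 ;;
    esac
    case $series in
        4.4)  min=108 ;;
        4.13) min=25 ;;
        *)    echo not-listed; return 0 ;;   # no patched build given above
    esac
    if [ "$abi" -ge "$min" ]; then
        echo patched
    else
        echo unpatched
    fi
}

# boot_kernel_report [DIR]
# Prints "RELEASE STATUS" for every vmlinuz-* image in DIR (default /boot).
# An old image left installed can still be picked in the GRUB menu, so it is
# worth checking all of them and not only the running kernel.
boot_kernel_report() {
    dir=${1:-/boot}
    for image in "$dir"/vmlinuz-*; do
        [ -e "$image" ] || continue          # the glob matched nothing
        rel=${image##*/vmlinuz-}
        printf '%s %s\n' "$rel" "$(kernel_meltdown_status "$rel")"
    done
}

printf 'running kernel %s: %s\n' "$(uname -r)" \
    "$(kernel_meltdown_status "$(uname -r)")"
boot_kernel_report /boot
```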
I installed the new kernel and microcode and the result was unexpected. CPU frequency was all over the place and my laptop (MSI GP70 2QF) became unusable. It was slow and Netflix was stuttering.
Reverted back to the old kernel and everything is back to normal.
@those who suggest a Linux only environment, that is simply not happening, no matter how good Mint or other versions are. In the real world I have to deal with really old software and machines that as yet do not play well with Mint…YES, it happens.
The entire point is that you need to be versed in many things to handle problems. It is not a partisan world, this fails to solve any problems.
Having worked up from TRS-80s through Apple II series/clones and an HP 3000 in college before ever touching a PC or Windows I would hope I have a perspective on this. I am also over 50 now, obviously and tire of solving the ‘world’s problems’ some days…some thoughts for those the LM team promised a more Windows like environment to would certainly help. Your paradigm works differently but make no mistake, it’s the same stuff, new box. As I grow older though I find I like older things more EXCEPT Windows 10. Windows 7 was the best and most agreeable as well as solid refreshing of XP I’ve ever found and I do like it. Firefox ‘Quantum’ is a crapshoot on Windows though, an AFTERTHOUGHT. That reminds me of why I went to IE 5.5 when Netscape 6 was introduced. And I’m not married to computers…I like to fix old bikes, make tape recordings and CDs and enjoy my cats in between housework, and this takes too much time and screaming now and then.
Having to deal with old computers would be a point in favour of Linux rather than a point against it, though. Windows just doesn’t work well with older machines. In the Linux world there is always one distribution that is the solution to your particular problem!
And by the way, this ‘problem’ has existed for the entire life of the public internet, it’s not Defcon 5 and sensationalism (formerly yellow journalism and rebranded as fake news by the shallow and weak sighted) has not helped anything. Pre-fetching is not a cardinal sin. We’ve seen these efforts to patch so-called ‘memory leaks’ for several years now. The division errors in the early Pentiums, THAT was a problem, bigtime.
There is a world of difference between the results I got on this machine and the WIntels. As such I have set mine back to the ‘pre-hysteria’ stage and watch the updates closely. It’s not the first nor the last time I’ll do it.
And quite frankly I don’t buy my toilet paper online but I’ve always been sure somebody knows your preference.
Adopt a more mature view about it, no problems are truly theirs or ours *unless they are.
1. I have Linux Mint 18.3, the kernel 4.10
2. I upgraded the kernel to 4.13
3. Virtualbox 5.04 does not work.
4. Kazam does not work.
Question: Who needs this update?
you can try going to 4.4.0-109 it offers the same fixes.
I am an absolute beginner. I am very confused. The information is contradictory. I write to you because I have Rosa 17.3 and I do not know exactly how to make the PC safe. How did you upgrade the kernel? The 3.19.0-32 kernel is currently loaded on my pc. Among those available for update there is no 4.4.0-109 kernel (the last one is 4.4.0-098).
But there is a level 5 update to 4.4.0lts1. What should I do?
Hi Giorgio. From your name, I guess you are Italian like me. I use Mint 18.3 Cinnamon, but the procedure should be the same. You should set the Update Manager so that it always shows kernel updates. You can do that in…. Edit > Preferences > Always show kernel updates. Once the option is selected, click Apply. Have it search for updates again, then install the new kernel version it offers you.
(Generally speaking) I’d like to suggest “Ukuu” (Ubuntu Kernel Update Utility). It’s so simple to install or remove kernels with just 2 clicks and also to see / follow the new kernels available. sudo apt-get install ukuu
Or from Synaptic..
Meanwhile, I’ve been running with the latest kernels so far without any problems (and 4.14.13 at the moment).. But only with 4.13 I had problems and the screen got frozen in green color… Yes, you’ll say it’s already known that it’s risky to use the newest kernels and wireless or printers may not work..
But the strange thing is that other distros I’d tried (just to have a see) which had the kernel 4.13.x “originally”
(Lubuntu, Kubuntu, Xubuntu -17.10- and even MX Linux 17 -which is not Ubuntu derivative-) did the same thing, frozen.. So that it affected the Bios.. – Bios settings were changed – …
( HP 32 bit laptop – most cards are Intel )
I was wondering if I were the only one to have problems with that kernel.. I’m praying for L. Mint 19 to be based on higher than 4.13 🙂
Hi Giorgio, I have 17.3 also – the correct kernel update is 4.4.0.lts1 as recommended by Update Manager – this installs as 4.4.0.109 which is the correct patched version. The rule is to follow the recommendations of Update Manager (unless it breaks your system!).
Thanks Gianpiero!
Yes, you guessed right! I’m from Milan. I’ll try your advice right away.
Thanks!
I did that, but the list of available kernels still stops at 4.4.0-98. And the first one available is 3.13.0-100.
In the Update Manager there is, as I said, a new version available (level 5): 4.4.0-lts1, but it is only 1kb. Do you have any idea what that means? I don’t understand anything anymore. Thanks for replying.
I live in a small village in the lower Bergamo area. At this point I really have no idea how to help you solve the problem. I left Mint 17.3 when version 18 came out and, from there, I have followed the new updates as they came. Maybe you should do the same. Otherwise, wait for advice from MINT or from some other user more expert than me. Bye
I made a clone (with USB Parted Magic stick – Clonezilla utility) of the system partition as Clem recommended and successfully updated Linux Mint KDE 17.3 to 4.4.0-lts1 (automatically downloaded 4.4.0-109) after it.
Asus z87pro i7-4770, uefi, 64-bit.
Hi, you know that 4.4.0-109 appears in the list BEFORE 4.4.0-98, right? More precisely, before 4.4.0-21. If you still don’t see it, install 4.4.0-lts1. I think it is a kind of metapackage. After installing it, you should see 4.4.0-109 in the kernel list.
How to install updated version of intel microcode for LMDE 2?
I successfully upgraded the kernel to 4.13.0.26 LM 18.3. Everything seems to be working still for me.
However the update manager still shows 4.10.38 as an “update”. What to do with that? just ignore it?
Of course!
I usually install the older kernel if shown in Update Manager, and uninstall it immediately. So the previous version of kernel is not seen in Updates anymore. Exception is 4.4.0-109. It’d be better to uninstall all except the recent officially recommended versions – 4.4.0-109 and 4.13.0-26, I think. If there is a problem with one of these versions then booting into another can help.
Note that, when you upgrade the kernel and reboot the system, the older one remains installed, but the active kernel is the new one. You can uninstall the older one later, but this is not necessary.
Thank you Clem for such clear and concise instructions on how to protect ourselves.
I followed them to the letter on our three computers here at home, and warned all my relatives.
+1, and thanks for taking this issue seriously. BTW, who is responsible for this?
I have Linux Mint 17 KDE, 3.13.0-139-generic
But, what about microcode?
“dmesg | grep microcode” shows no update, ever!
Do I need microcode update?
If yes, how to update microcode?
Hello Mint team,
I’m running cinnamon 18.3 and I’ve changed the kernel from 4.10.0-38.42 to 4.4.0-108 (updated later to 4.4.0-109). Also from drive manager I’ve installed intel-microcode version 3.20180108.0 (and firefox was already updated)…
Am I OK with these steps?
Thank you for responding to GreenHorn’s query by providing advice regarding the importance of installing security updates. That said, please excuse my ignorance but, as a non technical computer user of the Linux O/S, how do I work out if the L4 / L5 files xorg-server, linux, linux-firmware & linux-kernel have security implications?
They DO NOT have security implications. They MAY have them with non zero probability.
As if driving car, the drivers may not always come to their destinations, but in most cases, they get to them as planned…
Time shift takes up too many resources. They can only be put to out to a Linux file system, like ext4. It won’t go to a “fat” drive. I don’t have very much room left on my Linux partition. It’s easier to just back up home files, and do a total rebuild, if it crashes.
And even though timeshift is on default 18.3 it can’t run the preferred type of snapshot because it’s the wrong file system even on the Linux partition. So it can’t run.
I have Linux mint mate18.3 32 bit on my 32 bit Dell Optiplex computer, and 18.1 64 bit on my 64 bit Dell Inspiron. I didn’t see about the virus in the blog till Jan. 13th, then after that I upgraded kernel and other level 4 security updates, level 5 on 18.1. They upped the level numbers at 18.2. So 18.1 5 level is the same as 18.2 4 level. After the Kernel and all security updates, no problems. Mate is the best. I tried 17.0 cinnamon, and 17.1 xfce. Software is not updated, and it doesn’t work well. And 18.2 xfce. The smplayer used to crash a lot on 18.1 mate. But lately, it’s been working well after recent updates. So any mint mate 18 level works good. The update manager keeps it up. But if a rebuild has to be done use 18.3, the latest. After all the security updates they ought to put out an 18.4. Using 64 bit is the best if you can.
I use Firefox 57 now. I was holding on to 56 till I heard about the Meltdown and Spectre. Then updated that and totally rebuilt Firefox. 57 works well with the Ublock addon. And maybe NoScript. But Ublock seems to work better in 57 than 56, and might not need NoScript. Couldn’t find any other addons to work well on 57. They want you to install other software. So how is that better to use web extensions than legacy? I got Waterfox now, if I want to use legacy addons.
Hi folks: I am attempting to escape the tyranny of Microsoft. I am not a programmer nor do I wish to be. I am happy to leave that to talented, bright minds such as you. I was attracted to Mint because of the GUI interface which is somewhat similar to Windows XP which I enjoyed so much. As a writer, I have little spare time for learning programming languages in order to install updates. I know most of you are volunteers and I admire that very much. Is there a simple way you can compile these needed changes into a series of actions that a “layman” like me can solve by adding a password and simply pushing a button to achieve said changes?
Thanks for all you do. I’ve spent the last three days attempting to get a Brother Laser Printer to work with Mint so I can get on with my work. I mistrust large tech giants such as Microsoft, Apple and Google… or whatever they have decided to call themselves today. I don’t do Facebook, Text or Twitter. Years ago, I did CP/M and DOS. I am tired of perpetual change. I want something I can depend upon. Life is short and I am old. I am also a songwriter with more than 1000 published songs. (None are on the charts… LOL! but there is always hope.) My E-mail address below was recently “hacked” and I am in the process of deciding on a more secure provider… so if you attempt to contact me at AOL, you will join a long line of twenty years worth of valuable contacts and friends I now am unable to communicate with. AOL has been acquired and the new owners obviously do not give a rip about long-term users of their service. (Now Verizon… and they also acquired Yahoo)
Cheerio and best regards,
Dave Rice
Normally, all the required updates should be displayed in the (graphical) Update Manager automatically. All you have to do is check if they are selected (kernel updates may be deselected by default), hit “Install Updates” and enter your password.
@Linux Mint Team “Note: If intel-microcode isn’t installed on your computer, run the Driver Manager to see if it’s needed.”
Can you elaborate on this? v 3.20180108.0 does not appear in Update Manager, but does appear in Driver Manager. Top line with radio button (not highlighted) shows the correct intel-microcode version & description. Bottom line is with radio button (highlighted) showing “Do not update the CPU microcode”. Upon choosing the top button, the Apply option becomes highlighted. Does this indicate the microcode is not installed and needs to be?
After clicking Apply, it completed with an option to reboot, which was accepted. But how to verify if it installed properly?
$ dmesg | grep microcode
[ 1.455256] microcode: sig=0x1067a, pf=0x1, revision=0xa0c
[ 1.455285] microcode: Microcode Update Driver: v2.2.
$ grep 'microcode' /proc/cpuinfo
microcode : 0xa0c
microcode : 0xa0c
Kernel upgrades went perfectly on two desktop PC’s, both 18.3 with 4.13.0-26. This is a great service the Linux Mint Team is providing and your dedication is appreciated. Thank-you
Edit: New threads available on the Hardware Forum:
https://forums.linuxmint.com/viewtopic.php?f=49&t=261590
https://forums.linuxmint.com/viewtopic.php?f=49&t=261748
Correction 261590:
https://forums.linuxmint.com/viewtopic.php?f=49&t=261713
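One way to script the verification asked about in the comment above, as an added example that is not code from the blog post or its commenters: it compares a kernel release string with the patched builds quoted in this thread (4.4.0-108 and 4.13.0-25) and pulls the microcode revision out of `dmesg` and `/proc/cpuinfo` text so it can be compared before and after a reboot. The function names are hypothetical, the sample input is constructed from the values in that comment, and the "updated early" pattern assumes the kernel's usual early-loader message.

```shell
#!/bin/sh
# Added example; all function names are hypothetical.

# Patched builds as quoted in this thread: 4.4.0-108 and 4.13.0-25.
# Prints one of: patched | unpatched | not-listed | unparseable
kernel_status() {
    rel=$1
    base=${rel%%-*}     # "4.13.0-26-generic" -> "4.13.0"
    rest=${rel#*-}      #                     -> "26-generic"
    abi=${rest%%-*}     #                     -> "26"
    case $abi in
        ''|*[!0-9]*) echo unparseable; return 0 ;;
    esac
    case $base in
        4.4.0)  min=108 ;;
        4.13.0) min=25 ;;
        *) echo not-listed; return 0 ;;
    esac
    if [ "$abi" -ge "$min" ]; then echo patched; else echo unpatched; fi
}

# Distinct microcode revisions in /proc/cpuinfo-style text on stdin.
cpuinfo_revisions() {
    sed -n 's/^microcode[[:space:]]*:[[:space:]]*\(0x[0-9a-fA-F]*\).*/\1/p' | sort -u
}

# Succeeds only if every core in the cpuinfo text reports the same revision.
cores_agree() {
    n=$(cpuinfo_revisions | grep -c . || true)
    [ "$n" -eq 1 ]
}

# Revision from the boot line "microcode: sig=..., revision=0x...".
dmesg_boot_revision() {
    sed -n 's/.*microcode: sig=.*revision=\(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Revision from "microcode updated early to revision 0x..." (assumed wording);
# prints nothing when the log has no such line.
dmesg_early_revision() {
    sed -n 's/.*microcode updated early to revision \(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Accept only 0x-prefixed hex so the value is safe to use in arithmetic.
is_hex() {
    case $1 in
        0x?*) h=${1#0x}
              case $h in *[!0-9a-fA-F]*) return 1 ;; esac
              return 0 ;;
        *) return 1 ;;
    esac
}

# Compare the revision noted before installing the package ($1) with the one
# seen after the reboot ($2). Prints: raised | lowered | unchanged | invalid
revision_change() {
    is_hex "$1" && is_hex "$2" || { echo invalid; return 0; }
    if [ $(($2)) -gt $(($1)) ]; then echo raised
    elif [ $(($2)) -lt $(($1)) ]; then echo lowered
    else echo unchanged
    fi
}

# Constructed sample input, built from the values quoted in the comment above.
SAMPLE_DMESG='[    1.455256] microcode: sig=0x1067a, pf=0x1, revision=0xa0c
[    1.455285] microcode: Microcode Update Driver: v2.2.'
SAMPLE_CPUINFO='processor : 0
microcode : 0xa0c
processor : 1
microcode : 0xa0c'

# $1 = kernel release, $2 = dmesg text, $3 = cpuinfo text
report() {
    echo "kernel $1: $(kernel_status "$1")"
    boot=$(printf '%s\n' "$2" | dmesg_boot_revision)
    early=$(printf '%s\n' "$2" | dmesg_early_revision)
    echo "revision in boot log: ${boot:-none found}"
    echo "early-loader update:  ${early:-no such message in this log}"
    if printf '%s\n' "$3" | cores_agree; then
        echo "cpuinfo revision:     $(printf '%s\n' "$3" | cpuinfo_revisions)"
    else
        echo "cpuinfo revision:     missing or differs between cores"
    fi
}

# Live use: report "$(uname -r)" "$(dmesg)" "$(cat /proc/cpuinfo)"
report "4.13.0-26-generic" "$SAMPLE_DMESG" "$SAMPLE_CPUINFO"
```

Note the revision before installing the package and pass both values to `revision_change` after the reboot; `unchanged` means the package carried nothing newer for that CPU than what the firmware already loads.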
I had a problem with nvidia 340 drivers not working with the new kernel, the nvidia 304 driver worked but with the panel not responsive to mouse clicks. I solved it by manually removing all 340 related packages (dpkg -l | grep nvidia*), installing 340 openCL (sudo apt-get install nvidia-opencl-icd-340) and then selecting the nvidia 340 driver from driver manager. Now I have a perfectly working 4.13 kernel with nvidia 340. I had no problem with virtualbox, I have the 5.1.30 release but guest-dkms, guest-utils and guest-X11 are still at 5.0.40
Hello, I’ve changed the kernel from 4.10.0-38.42 to 4.4.0-108 and installed intel-microcode version 3.20180108.0 on LM Cinnamon 18.3, but I’ve made all these yesterday (Jan 14).
Do I have to make a clean installation (because many days passed before changes) or am I OK?
Alright so having kernel 4.4.0-108 installed on linux mint 18, with NVIDIA driver 340.102 (I have the old 9600 GT card) should be fine then? Because this is confusing.
Hi @JohnNada I have the same trouble but I have Mint 17. I resolved it with a clean install with default Qiana. I have disabled all system updates and I have no INTEL debug PATCH. We have old GPU graphics. Please @clem @linuxmintteam resolve with stable nouveau driver, I am tired of this situation! Or Canonical and Mint Team ask Nvidia to release a universal driver for old GPUs. Now I can’t make any new system update. If I made it my PC will be broken…
This security fix should be level 2 or 3. Because, all users of Linux Mint with updates level 1 to 3, without security update shown (or not updates level 5) will not have this update. This is unacceptable.
Levels do not indicate the nature of the updates and certainly not whether they should be applied or not. Security updates are shown for all releases by default (no matter what level they are).
Installing the Intel microcode won’t help with Spectre if your CPU is over five years old: all that will happen is that microcode used by older CPUs get updated to the latest version of the code, same as in the last BIOS update for your system. It won’t do any harm, probably, but won’t mitigate Spectre problems.
Just sayin’.
@Hubert Sanchez Google invented the whole thing in the first place, and now everybody is freaking out about their ‘old’ machines and somebody has supposedly found a way to shut off the Intel Management Engine etc….
It’s all about TAILFINS. The Chinese already know what you buy from Amazon, don’t care if your TP is two-ply and are too broke to recycle your plastic junk into new plastic junk. If you are doomed you were doomed most of your life. Naught, it matters, and if it did, what then?
I have a Dell Latitude E6510 Business Laptop, currently using LM 17.3 and NVIDIA-340. The Nvidia card is a GT218M (NVS 3100M).
So NVIDIA patched their drivers for Meltdown/Spectre and quietly dropped support for my video card (and others) in the same upgrade (to 384.111)? Quoting Linus Torvalds: »Fuck NVIDIA!«
Why do you advise to upgrade Kernel version 3.13.139? Is it better to use Kernel version 3.16? @clem @linuxmintteam I have no support of Nvidia Driver for old GPU. Nouveau driver doesn’t work with 3.13.139 version. It’s better to use 3.16 so I can use Open source. Please @linuxMint, consider my suggestion. Thanks.
After installing the 4.4.0-109-generic kernel on Mint 17.3 my desktop and a few applications started flickering (rapidly displaying approx. 2 cm horizontal white and black lines). The cause looked to be the graphics driver and fortunately there was a helpful message in /run/motd.dynamic (which was not displayed after logging in in a terminal window but was displayed in a virtual terminal using Ctrl+Alt+F1):
WARNING: Security updates for your current Hardware Enablement Stack
ended on 2016-08-04:
* http://wiki.ubuntu.com/1404_HWE_EOL
To upgrade to a supported (or longer-supported) configuration:
* Upgrade from Ubuntu 14.04 LTS to Ubuntu 16.04 LTS by running:
sudo do-release-upgrade
OR
* Switch to the current security-supported stack by running:
sudo apt-get install libgl1-mesa-glx-lts-xenial:i386 xserver-xorg-lts-xenial libgl1-mesa-glx-lts-xenial libwayland-egl1-mesa-lts-xenial
Note the above 4 packages are applicable to the Intel integrated graphics in my system (using the mesa driver as per output of ‘inxi -G’), but after installing these packages and rebooting the flickering disappeared. So for solving any issues a quick look at /run/motd.dynamic might help.
I am just wondering why should I upgrade or patch a PC that will never go online (I use it for simulation/design RF and microwave circuits) I am more concerned on speed than someone stealing from this PC. I hope that said patch will always remain optional on new linux/Mint (and also Windows) releases.
does everybody agree?
Thanks.
Alessio.
If you don’t go online with your PC and you control who uses it (i.e. no other user can install malicious software) then you probably don’t have to worry too much about this security issue. Note though, that new versions of Linux Mint will probably include all the fixes by default.
I agree too, Alessio. If the wires are cut off (or disconnected) then no attacks are possible. It’s like a physically isolated local system in military or alike. No patches are needed.
But an easier way looks like to use a sand box for the design system, or virtual machine. So you can use, for example, the recent and fully patched Mint as a main host OS connected to the world, but the virtual machine inside of host Mint may have no Internet connection, and no usb and optical drives support as well. So the virtual machine guest system can be from the rarest and relict Windows or other OS to the most modern one, with the newest design applications, no more vulnerable because of viruses or the internet surveillance from those who made them… 🙂
If you are the only account that logs on to your pc then you can even go online without patching. A hacker has to have physical access to your machine before he/she can use this exploit. The real problem is in the cloud or when logging into a virtual machine in a multi-tenant environment.
Good evening, I patched my mint like this:
Firefox 57.0.4
NVIDIA 384.111
kernel 4.13.0-26
But since, on firefox I think it’s very very slow. On some apps too when I have an open web window.
I did not apply intel microcode patch (it was always disabled).
I think not put it because already it is slow since the passage in firefox 57.04 and kernel 4.13.0-26.
Other people have also noticed this slow phenomenon on the internet?
Is there something to do?
I am on an asus Rog G750 i7
Hi,LM team.
After I upgraded kernel 4.13,my machine crashes when booting VMs on VirtualBox.
Reproducibility is 100%.
these vms are windows 10 ltsb and debian stretch(both 64bit and uefi).
Reinstalling linux mint sylvia from iso without kernel 4.13 works fine.
my machine consists of:
Asrock deskmini110
Pentium G4560 (Kabylake)
Silicon Power SP008GBSFU240B02 (https://www.amazon.co.jp/gp/product/B06XP8XCMC/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1)
BIOS is up to date.
Installed Virtualbox version is LM’s repository version (so I don’t know what version I’m using). I installed it from apt-get.
I’m scared of Meltdown vulnerability,but not working vms mean nothing to me.
Are there any report about virtualbox on kernel 4.13?
Any suggestions?
This has been reported by several people in the comments. Apparently, the virtualbox version in the Linux Mint repositories is incompatible with kernel 4.13. People suggested to download a newer version from the virtualbox website. Or use a different kernel (4.4. is also patched).
Hi DIGINON.
OK,I see.
I don’t want to use the newest linux kernel and virtualbox at the same time because it tends to be unstable (and not well tested).
It seems that 4.4 LTS is more compatible with around applications.
so I decided to use 4.4 LTS kernel.
I will google it how to use patched 4.4 LTS with linux mint 18.3.
thank you.
Hi Clem and LM Team,
A couple of linux distribution packed their new release with kernel 4.14 that already fixes the Meltdown attack and partially mitigates the Spectre vulnerability through updated CPU microcode and on the application level, but LM still with 4.13. When will LM update it to 4.14? Or is it 4.14 is better than 4.13 in terms of Meltdown and Spectre mitigation?
Best,
dep
I do not understand anything!
what is this panic ?!
I want to ask: what is the firewall for Gufw ???
I like Mint. The good operating system for beginners. However, it has a very large update path: Debian, Ubuntu, Mint. Windows, RedHat and SUSE were updated a long time ago. It’s a problem, the real problem for us. Mint has not been updated yet! Maybe it’s worth trying to do something based on OpenSUSE instead of Debian?
P.S. The SWF (Sucuri Website Firewall) is bad for any Onion user. Even Cloudflare is not as surly as this.
: ‘(
Please can someone give me some clarification… I have the old 9600 GT and the only drivers that show up are the 340.102 proprietary driver… And of course the nouveau driver… I am on mint 18. Did all the updates chrome/firefox etc, etc… What am i supposed to do now? The 384.111 drivers are nowhere to be found…. What´s the next step?
“Please can someone give me some clarification”
Where can I find list of CPUs who can have microcode upgrade, or those CPUs not for upgrade!
That is very simple and will be more clear for all, and less questions here.
Thanks.
@miz
I get emailed support alerts from HP for a couple of my machines: https://www.dropbox.com/s/b12gtt9pgbnmltm/HP%20support%20alert.png?dl=0
I forget how I signed up.
I am guessing that Intel has a web resource also.
Peter E
> I am guessing that Intel has a web resource also.
I can not find that report at intel.com?
Anyone else have this list about CPU microcode upgrade?
@John Nada, I had a similar situation on some of my OS. Start Synaptic utility (the password is needed to enter). Click the find icon (magnifier) and type nvidia to get the list of lines with nvidia. There should be several occasional lines containing nvidia 340.102 among the others. They are marked as installed. But somewhat below each of them, the corresponding line of nvidia 381.111 goes. As I remember, I simply marked for installation (right click each – Mark for Installation) each 381.11 line corresponding to the upper 340 line. It’s about only three of them there or so. Press Apply. Synaptic should ask a confirmation: those 340.102 – to uninstall, these 381.111 – to install. Press OK. Synaptic tells about successful install. Ok. Close Synaptic. Reboot. If a disaster, restore the clone of the system made with Timeshift before upgrading, as Clem tells (but I use Clonezilla for it.) Good luck!
Thanks a lot for helping me out… I am going to try this later on.
Kernel 4.13 doesn’t work with my Asus Aspire R3. I hope that 4.10 gets patched too.
4.4 work
4.10 will not patch. So go to 4.4.0-109 (LTS version)
I got the Asus Aspire 3 working with 4.13.0-26 -> https://blog.linuxmint.com/?p=3494#comment-140036
Are you guys going to put Google’s retpoline fix in the repositories?
Cinnamon keeps crashing into fallback mode as soon as OS boots.
Switching to non-proprietary display driver seems to have stopped the crashing (xserver-xorg-video-nouveau 1:1.0.13-3).
Are the non-proprietary display drivers currently secure as well?
LM 18.3 / 4.13.0-26-generic
dkms status = bbswitch, 0.8, 4.13.0-26-generic, x86_64: installed
Linux Processor Microcode Data File
https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File
I can see my CPU here!
How can I install this?
Do NOT have this in Update Manager or Driver Manager.
I have something in Synaptic, some microcode is there.
I had issues with video when docking and undocking my Lenovo T440s to a docking station using the 4.13 kernel (display issues, freezing) and I went back to 4.10
This is on Control Panel Device Drivers or something like that. Sorry I’m re-translating from my own Language. Look for Drivers it’s on top of Control Panel. You just have to select it if it is not already.
Hi Linux Mint Team, I have trouble after update kernel 4.13. no prime choice at nvidia-settings.
$ nvidia-settings:
** Message: PRIME: No offloading required. Abort
** Message: PRIME: is it supported? no
ERROR: nvidia-settings could not find the registry key file. This file should
have been installed along with this driver at
/usr/share/nvidia/nvidia-application-profiles-key-documentation. The
application profiles will continue to work, but values cannot be
prepopulated or validated, and will not be listed in the help text.
Please see the README for possible values and descriptions.
$ dkms status
bbswitch, 0.8, 4.13.0-26-generic, x86_64: installed
ndiswrapper, 1.60, 4.10.0-38-generic, x86_64: installed
nvidia-340, 340.102: added
$ lspci | egrep 'VGA|3D'
00:02.0 VGA compatible controller: Intel Corporation Haswell-ULT Integrated Graphics Controller (rev 09)
04:00.0 3D controller: NVIDIA Corporation GF117M [GeForce 610M/710M/810M/820M / GT 620M/625M/630M/720M] (rev a1)
$ sudo dpkg-reconfigure nvidia-340
Stopping nvidia-persistenced
nvidia-persistenced: no process found
Done.
Removing all DKMS Modules
Done.
INFO:Enable nvidia-340
DEBUG:Parsing /usr/share/ubuntu-drivers-common/quirks/put_your_quirks_here
DEBUG:Parsing /usr/share/ubuntu-drivers-common/quirks/lenovo_thinkpad
DEBUG:Parsing /usr/share/ubuntu-drivers-common/quirks/dell_latitude
Loading new nvidia-340-340.102 DKMS files…
Building only for 4.13.0-26-generic
Building for architecture x86_64
Building initial module for 4.13.0-26-generic
ERROR (dkms apport): kernel package linux-headers-4.13.0-26-generic is not supported
Error! Bad return status for module build on kernel: 4.13.0-26-generic (x86_64)
Consult /var/lib/dkms/nvidia-340/340.102/build/make.log for more information.
I have still problems with nvidia driver in my optimus laptop with 4.4 and 4.13 kernel. Maybe driver 340.106 helps. Coming soon to Mint as update?
https://www.phoronix.com/scan.php?page=news_item&px=NVIDIA-340.106-Legacy-Released
It will surely come when Ubuntu maintainers package it
Dear Linux mint team…. 384.111 does not work for the 9600GT… Are the millions of 9600GT owners expected to toss their cards in the bin? The card is still hugely popular as shown by Steam stats…. What are we supposed to do now? Sure i am planning an upgrade in a couple months, but to leave the 9600GT in the cold totally sucks and should not even happen.
https://www.phoronix.com/scan.php?page=news_item&px=NVIDIA-340.106-Legacy-Released
https://devtalk.nvidia.com/default/topic/1028805/b/t/post/5233119/#5233119
After the nightmares with the nvidia 304 driver (cinnamon crashes 100% of the time) I added exclusions in Update Manager for these drivers. I am running with nouveau now. Everything is fine. Kernel 4.4.0-lts1, nVidia [GeForce GT 740M]
AWESOME thank you so much @jjjufy @PrinceFredericVanKlappstuhl
@Andrea
such bot
much wow
I’ve installed the microcode patches on two dual boot laptops (Windows and Mint). Everything works. I assume the patches installed from Driver Manager are processor specific and will work for any operating system. Can someone confirm this.
Check your processor’s exact model as the Intel Microcode package only addresses some processors. My I5, for example, is not patched by this release.
Dear Linux mint team…. 384.111 does not work for the Nvidia 8800 GTX card. It reverts to fallback mode. I’m running Mint Cinnamon 18.3 on Intel Core Q6800 Extreme. I was able to successfully update to kernel 4.4.0-109 after 4.13.0-26.29 crashed Linux repeatedly. I was able to update Intel micro-code to 3.20180108 successfully. Hope this helps someone with ancient hardware.
Well. I am running Mint 18.1 (xfce if it matters) live booting off of an install DVD, I ran sudo apt-get dist-upgrade and then checked the kernel and it had not changed version number. I am betting that you have to reboot to update the kernel. Is there a way around this (there were a number of errors when I did the update and they were all related to the CDROM).
You cannot change the kernel while the system is running. You have to reboot. Since you are running a live system, of course your system will revert to its original state. You would need to change the installation image on the DVD to make this permanent. I don’t think that Linux Mint already has an installation image that includes a patched kernel so just downloading and creating a new install DVD wouldn’t help.
Running nvidia-detect tool from the terminal should help with knowing which driver series (304/340/384 or later) actually supports your card.
Oops. Looks like it’s only in Debian repos, so it’s for LMDE. In Ubuntu-based Mint editions you’ll have to rely on the included driver manager.
No More Ubuntu! Debian is the New Choice For Google’s In-house Linux Distribution
https://itsfoss.com/goobuntu-glinux-google/
Is Linux Mint dropping the distributions based on Ubuntu and just focusing on Linux Mint Debian Edition (LMDE) too?
As usual you guys rock! Thank your sharing these wonderful resources to the world.
Would you please advise when Thunderbird will be updated from 52.5.0 to 52.5.2?
https://www.mozilla.org/en-US/thunderbird/52.5.2/releasenotes/
Thank you
Mozilla Thunderbird 52.6.0 has been released and this is not showing either. Is this available at the default source? Perhaps the mirror we are using is not up-to-date? Thank you
https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/
Have the Live Disks been updated yet? I mainly use Live Disks.
I posted this previously. After reading a number of other boards I want to get some “expert” advice that is Mint specific. I am running Mint 18.1(xfce if it matters) live booting off of an install DVD and I reboot no more than every 2 days. After reboot I update the packages databases and install the newest available Firefox. I also install run the script (I am assuming that it just calls a script) in multimedia (“Install Multi Media Codecs”). All of my internet activity occurs through Firefox (and of course whatever addons are installed) and the media codecs running in Firefox. I do use LibreOffice but for opening old word and excel documents (mostly Office 97-2003 compatible docs) and I open PDF files with the default viewer. I am running an older AMD processor (64 bit dual core 2.8gh or so). So the question is, as far as everyone understands the current threat, what is my exposure?
PS I was getting ready to upgrade a number of my computers to later Xeon machines….. glad I didn’t do that.
Thinking your exposure at this time is minimal. There have been no reported malware attacks on any of these processor vulnerabilities. I’m not minimizing the threat but seeing major enterprises not reacting to the call as patches can be more problematic than the potential threat. If there were a serious high-risk security issue, they would be locking these down STAT. They are being cautious instead.
For the NVIDIA drivers I’m using xserver-xorg version 1:1.0.12-1build2, is this version patched?
For the intel microcode is my device manager says Unknown This device is not working, should I change the option to intel-microcode, this computer is old
When is Tara being released? This is one OS I would take for spin and use full time.
Linux Mint 19 is estimated to be released around May/June 2018.
https://blog.linuxmint.com/?p=3494
Tara will be there in the summer. You can read that information in this blog.
today the microcode was “updated” (downgraded) to the previous version: intel-microcode (3.20180108.0~ubuntu16.04.2) to 3.20180108.0+really20170707ubuntu16.04.1
and a new kernel-image just came along: linux-image-4.13.0-31-generic (4.13.0-31.34~16.04.1)
would be nice to keep the blog-post updated even if it’s somehow confusing to follow the news…
in other words: in the blogpost it says “Please use the Update Manager to upgrade intel-microcode to version 3.20180108.0.” which should be corrected, shouldn’t it?
I agree, it’s getting hard to tell what’s what with the daily updates and confusion (with all OSs and CPUs) in this Spectre/Meltdown chaos on ANY site. A nice, clean ‘here’s what’s going on today’ would be beneficial.
@staubgold
2018 Jan 22: Previous updates to the intel-microcode package were reverted at Intel’s request, see USN-3531-2
see here: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
I see the same confusing things as Staubgold does.
And I can also see a new 4.4.0-112 kernel recommended for security. What to do? Keep with kernel 4.4.0-109, or what?
Greetings from Dejan
Curious about the micro-code update terms with the +. The 4.13.31 kernel fixed a small glitch in Solaar on the task bar. Rebooted into 4.13.31 OK. Running on a Dell core 2 7400. Also have Cinnamon and a Mint on two other machines (Dell refurbished core 3 i 7 model 3770 and an old HP Pentium 2.8 (2006)) plus LM XFCE, all at 64 bit, not updated yet. So far no problems with any kernel updates (4.40.109 as backup). Thanks for great OS’s.
All OS’s updated: 64bit to 4.13.31 and 32 bit to 4.4.0-112 (also as backup on 64bit). On a non-Mint Ubuntu based OS, received both 4.13.31 and 4.4.0.113 in one security update/download. Still no glitches observed (only retired old fart here).
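An added example (not part of any comment above, and not dpkg's or Ubuntu's own code) on the “+” in the microcode version: it re-implements the Debian version ordering rules to show why 3.20180108.0+really20170707ubuntu16.04.1 sorts above 3.20180108.0~ubuntu16.04.2, so the reverted package is offered as an upgrade even though it carries the older microcode. The function names and the “+really” extraction pattern are assumptions of this example.

```python
import re

def _order(ch):
    """Sort weight of one character inside a non-digit run."""
    if ch == "~":
        return -1              # '~' sorts before everything, even end of string
    if ch == "" or ch.isdigit():
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256   # letters before '+' and '.'

def _cmp_part(a, b):
    """dpkg-style comparison of two upstream or revision strings."""
    while a or b:
        # Non-digit run: compare character by character.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            diff = _order(a[:1]) - _order(b[:1])
            if diff:
                return diff
            a, b = a[1:], b[1:]
        # Digit run: compare numerically; an empty run counts as 0.
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(version):
    """Return (epoch, upstream, revision); missing epoch is 0, missing revision ''."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    """Negative if v1 sorts before v2, 0 if equal, positive if after."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def really_upstream(version):
    """Upstream release actually shipped when the '+really' convention is used."""
    m = re.search(r"\+really(\d+(?:\.\d+)*)", version)
    return m.group(1) if m else None

# Version strings quoted in the comments above.
REVERTED = "3.20180108.0+really20170707ubuntu16.04.1"
PREVIOUS = "3.20180108.0~ubuntu16.04.2"
```

`compare_versions(REVERTED, PREVIOUS)` is positive, while `really_upstream(REVERTED)` gives the microcode release the package really contains.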
Spectre and Meltdown mitigation detection tool v0.32
Checking for vulnerabilities against running kernel Linux 4.13.0-26-generic #29~16.04.2-Ubuntu SMP Tue Jan 9 22:00:44 UTC 2018 x86_64
CPU is AMD E2-3200 APU with Radeon(tm) HD Graphics
CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: NO
* The SPEC_CTRL CPUID feature bit is set: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: NO
* Checking if we’re running under Xen PV (64 bits): NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
A false sense of security is worse than no security at all, see --disclaimer
mustapa04@mustapa04 ~/tools/spectre-meltdown-checker $
When I update the tool to the latest version, now it shows spectre variant 2 also vulnerable on my Linux Mint.
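An added example (not from the commenter or from the spectre-meltdown-checker project): a parser that reduces report text like the v0.32 output above to one verdict per CVE plus the individual YES/NO checks, so reports from several machines or kernels can be compared. The sample text is constructed from the output quoted above, abridged and with plain ASCII quotes; the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the v0.32 output quoted above, ASCII quotes.
SAMPLE = """\
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* The SPEC_CTRL MSR is available: NO
* Kernel support for IBRS: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
"""

HEADER = re.compile(r"^(CVE-\d{4}-\d+) \[([^\]]+)\]")
CHECK = re.compile(r"^\*\s*(.+?):\s+(YES|NO)\b")
STATUS = re.compile(r"^>\s*STATUS:\s+(NOT VULNERABLE|VULNERABLE)\s*(?:\((.*)\))?")

def parse_report(text):
    """Return {cve: {"name", "status", "reason", "checks"}} from checker output."""
    report, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"name": m.group(2), "status": None, "reason": "", "checks": {}}
            report[m.group(1)] = current
            continue
        if current is None:
            continue  # banner lines before the first CVE section
        m = STATUS.match(line)
        if m:
            current["status"], current["reason"] = m.group(1), m.group(2) or ""
            continue
        m = CHECK.match(line)
        if m:
            current["checks"][m.group(1)] = m.group(2) == "YES"
    return report

def unmitigated(report):
    """CVEs flagged VULNERABLE, plus any section where no verdict was parsed."""
    return sorted(c for c, s in report.items() if s["status"] != "NOT VULNERABLE")
```

On the sample, the Meltdown section shows why the checks and the verdict are kept separately: PTI is reported as not active, yet the verdict is NOT VULNERABLE because of the CPU vendor's statement.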
Does anyone know if there is a beta or alpha of the 18.4 xfce release ready to go with a kernel version higher than or equal to 4.0.25?
Is there an alpha test list?
Sorry that was supposed to be 4.13.0-25.
I wish to report that on my desktop PC I have dual boot LM 18.3 Mate and LM 18.3 Cinnamon. All installed software is the same. On both Linux installs I installed 4.13.0-31-generic #34. I checked with these instructions ( https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability/ ) for Meltdown and Spectre. On Mate all 3 are with status NOT VULNERABLE, but on Cinnamon the second (CVE-2017-5715) is with status VULNERABLE? Very strange, because everything is the same (Intel microcode, system updates, kernel…).
I see exactly the same thing. Here is the specific message:
STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
I think I should report that the microcode update that was reverted (as reported by staubgold above) did make my system lock up every few hours due to kernel page faults. I have a laptop with a Kaby Lake 7820HK – a very new machine.
I disabled intel microcodes in the driver manager and all is well again. After this experience I think I will wait out more than one intel ‘update’, especially since L. Torvalds has called the recent intel update “complete garbage”. I tend to trust his judgement.
Novice, so to speak; please excuse my lack of complete knowledge.
Currently running Mint 18.1 Serena–64 bit. Current Kernel is 4.4.0-71 generic x86_64. Processor is AMD Turion x2 Dual Core RM_74x2.
The last Kernel listed through update manager is 4.4.0 – 112 “Recommended for Security”
1. Should I change to 4.4.0-112? Is this patched for Meltdown and Spectre?
2. Should I use another Kernel?
- Which one?
- How do I get it?
Thanks!
Firefox 58?
dd, I am using Firefox 57.0.4. I understand that this is the latest version and is secure from Meltdown.
Hi!
I am a full novice. I use an old laptop with Mint 18 Sarah 32 bit installed. My kernel is 4.4.0-21 generic i686 and the update manager shows me 4.4.0-112.135 as a new kernel. Do I have to install this or is there another kernel to patch Meltdown and Spectre? Why are kernel updates level 5 when the user guide says to avoid level 4 and 5 updates? Do I have to install the new linux firmware and xorg server too? Sorry for the stupidity of my questions but I am a total noob and I will not do an update without a clear answer from the Mint team because I do not know how to downgrade the kernel.
I read on one site that preventing malicious software is possible by installing the latest versions of programs. Today Firefox 58.0 appeared in the update manager. Is it appropriate to update when the recommended version is 57.0.4, or will 58.0 be safer?
We only had to ask the correct questions in the browser search.
https://ibcomputing.com/firefox-58-release-spectre-meltdown-security-fix/
Thank you all!
Are these patches the final stable releases? I have updated FF and my browsers, but don’t plan on updating kernels and CPU microcode until I know it’s stable and not going to cause other issues. (been reading this lately)
The 4.4.0-112.135 kernel should be patched. Linux firmware and xorg server updates are not related to the meltdown and spectre vulnerabilities as far as I know.
If your computer does not work correctly after the kernel update, you can select to boot with the previous kernel and remove the 4.4.0-112.135 kernel. To boot using a previous kernel, select Advanced boot options from the boot menu. If you don’t see a boot menu at all hit the shift button while you boot up your computer. Then it should be displayed.
Besides linux kernel 4.4.0-112.135, which is 63 MB, there is another update called linux, a security update, 805 KB, and the description says linux kernel headers for development, and it’s still 4.4.0-112.135. Do I have to install this too or not?
I was running the 4.10 kernel before the whole Meltdown/Spectre thing. My laptop (Dell Latitude) doesn’t boot with the 4.13 kernel which replaced 4.10. I assumed that it was because NDISWRAPPER was incompatible with kernel 4.13. However, there is now an update for NDISWRAPPER offered through the Update Manager which supposedly fixes the issues with kernel 4.13. I installed the update and tried kernel 4.13 again. Unfortunately, my system still cannot boot kernel 4.13. The system just stops right when the login screen should show up. Any ideas?
https://blog.linuxmint.com/?p=3496#comment-139952 🙂
After reading this I realized that I have not been updating at all. I ran all the updates that were available but I screwed up by adding the 4 and 5 score updates. I assumed these numbers meant priority, not that they were un-trusted. Save the lecture, I know how stupid this was. How can I recover from this blunder? Do I need to just reformat and rebuild or is there a way to fix this otherwise?
Thanks!!!
If you installed a kernel by accident that you don’t want to use, you can boot to a previous kernel (Advanced boot options in the boot menu) and then use the Update Manager -> View -> Linux kernels to remove the kernel again.
My personal advice, as I mentioned before, is to stop panicking in this nonsense frenzy. Leave your machine alone, regular updates aside, then wait a few weeks. Intel (executive VP Neil Shenoy) has released an update for OEM and big customers (January) to stop deploying its first patches. They are causing more problems than they fix, mostly computers rebooting by themselves. Microsoft has serious issues with its AMD patches too. I don’t know what the Linux status is but those patches are also brought into the kernel and fw I presume. A lot of software incompatibilities have now appeared.
I wish Clem could issue a statement to calm down its users since all this is wreaking havoc on their computers for a very old security issue without any attacks ever found.
Hi marlenejo, I can not agree. Until a couple of months ago, few people knew these bugs. Everyone knows it now. And someone will certainly try to exploit them. So it’s better not to be too calm.
I agree with Gian Piero, but I’m gonna write using my own words.
You seem to be oddly relaxed about something that amounts to be one of the worst computer security nightmares mankind has faced so far.
So, I invite you to have a read on what Linus Torvalds has to say on this matter.
https://lkml.org/lkml/2018/1/21/192
Related news:
http://www.businessinsider.com/intel-ceo-krzanich-sold-shares-after-company-was-informed-of-chip-flaw-2018-1?op=1
https://www.bloomberg.com/news/articles/2018-01-08/intel-ceo-krzanich-s-stock-sales-seen-warranting-sec-examination
http://www.businessinsider.com/intel-chip-bug-cert-says-replacement-is-the-only-way-2018-1?op=1
Feel free to put the pieces together and come to your own conclusions.
Besides, you’re claiming that no attacks were found, on a topic which is based around proof-of-concept attacks, executed successfully by security researchers that initially found these exploits and reported them to the involved parties, last year. What gives?
And the only real “fix” for this ain’t no patches. It’s the replacement of the CPU for one that has a better architecture, which can not be attacked in ways like meltdown/spectre.
Noted Piero. The chance of getting a virus in Linux is very low and the chance of getting a specific virus which exploits that vulnerability (none found yet) is abyssal. However the chance of breaking your machines with all those rush patches (like the rapid firing of 4.13 versions) is excellent.
bytheway: there are brand new vulnerabilities in thunderbird, most of them high, two critical
https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/
new version is 52.6
get yourself some secure software @ https://www.mozilla.org/en-US/thunderbird/all/
and on linux mint it’s still: 52.5.0 …
It’s 52.6.0 in LMDE. The update for Linux Mint is maintained by Ubuntu and it should arrive shortly.
In German, please!
The short version is: all security updates offered in the Update Manager should be installed. The kernel should also be updated. If Chrome or Opera is used as the browser, a setting called “Strict site isolation” should be enabled in the advanced settings. To do so, enter opera://flags (for Opera) or chrome://flags (for Chrome, Chromium, etc.) in the address bar and then, ideally, search for the setting.
Hi, all, maybe I am wrong, but reading today’s ct# (01-20-2018) I got the following hint to upgrade to 4.14.11. Currently I am running with Mint 18.3 but I can not see anything newer than 4.13 – kernel series, so what to do?
my active kernel is 4.13.0-32.
Should I do like
https://www.askmetutorials.com/2018/01/how-to-install-linux-kernel-41415-on.html
to update to 4.15? I cannot see a word in this thread about 4.14 ????
Maybe I am stupid ..?
I’m writing these running on 4.14.15 at the moment. I’ve been running my 32bit 12 y.o. HP laptop with the latest kernels without any problems (except for 4.13) .. Thanks to Ukuu .
Of course you can do that way, the classic way.. But thanks to Ukuu you can very easily see, follow all the kernels and install/remove with a couple of clicks..
http://www.omgubuntu.co.uk/2017/02/ukuu-easy-way-to-install-mainline-kernel-ubuntu
Also, if you face any problems with any kernel, you have the option to start the pc with the older one (advanced options during Grub menu) and then remove the problematic one when it is not in use…
You can install Ukuu either by using Synaptic, or using the Terminal simply (copying & pasting then entering the 2 lines below, one by one):
sudo add-apt-repository ppa:teejee2008/ppa
sudo apt-get update && sudo apt-get install ukuu
When installed, it’s better to open Settings and check “don’t show the RC – Release Candidate- kernels”..
( Writing these assuming you don’t know, I hope you like and it works 🙂 )
… And 4.15.0 just now… with only 2 clicks 😀
Intel says not to download update for Intel Microcode. Will they provide an update or will mint 19 have the fix?
I am running Mint 18.3 Sylvia (KDE) on an HP laptop with Intel(R) Core(TM)2 Duo. I installed the 3.20180108.0~ubuntu16.04.2 microcode update, but it is reported in update mgr and apt-show-versions as
intel-microcode:amd64/xenial-security 3.20180108.0~ubuntu16.04.2 . I have not yet installed the
3.20180108.0+really20170707ubuntu16.04.1 update. Several other packages report similar results, e.g.
gcc-5:amd64/xenial-updates 5.4.0-6ubuntu1~16.04.6
is it normal to indicate amd64 on an intel machine?
Yes, AMD did the specification for 64 bit arch, not Intel.
Hi All,
I’m using Mint 17.3 MATE with KERNEL 4.4.0
TODAY, 6 February 2018, The Update Kernel manager, show as LATEST version the 4.4.0-98 !!!
and not the 4.4.0-108.
Who can tell me why and how can I update to a kernel that fixes spectre/meltdown??
Bob, I don’t know why it doesn’t appear, but on my update manager (and also according to the Synaptic Package Manager), the latest one of 4.4.0-… series is 4.4.0-112 for the time being.
(Assuming you don’t know) :
Open the Menu and type Synaptic and start that program (it will ask your password, type and enter..)..
(Like the one in this picture: https://delightlylinux.files.wordpress.com/2014/12/kern3.png ) Just in the middle above you’ll see a quick filter box: You can simply type something like: Kernel 4.4.0- or Kernel 4.4.0-112 and then choose the below ones among the several results, or directly copy from here and paste in the filter box one by one to get them directly and exactly; what you need is these 4 files :
linux-headers-4.4.0-112
linux-headers-4.4.0-112-generic
linux-image-4.4.0-112-generic
linux-image-extra-4.4.0-112-generic
(When you find them, right-click on each and “Mark for Installation” .. After marking all 4, click the button above “Apply” ..
(It must update the Grub after installation, but nothing to lose; open a Terminal and type (or copy-paste from here and then hit Enter : sudo update-grub ) .. That’s it..
P.S. You can also install the very latest kernel so easily using a software called Ukuu, and see if there are any problems with the sound, wireless, printers, screen etc. (Nothing to be afraid of.. Because kernels are not installed on each other, but installed separately and your working kernel 4.4.0-98 will be staying there unless you uninstall it yourself.. and you’ll have the option to start the pc with the old and trusted kernel, in case of a problem)
(Just have a read my comment above: https://blog.linuxmint.com/?p=3496#comment-140201 )
I hope it works 🙂
@Cyberbob, you maybe try this, and install kernel newer than 4.4.0-109:
sudo add-apt-repository ppa:canonical-kernel-team/ppa
sudo apt-get update
I have lost my password, so how can I find it?
I’m running 17.2 Cinnamon LTS and currently running kernel 3.16.0.-38-generic. FF, Chrome and Nvidia are all updated and configured.
Do I downgrade the kernel to 3.13.0-139 to complete the fix?