2020-03-04
Security: Live Patching, New Patches, Intel Defects Again (This Time No 'Fix' or Dodgy Workaround Possible)
Linux Kernel Live Patching: What It Is and Who Needs It
Live patching is a way of updating a running system without stopping it. It is best known as a technique for keeping Linux servers updated to the latest security levels without affecting downtime. This article provides some background to the technique and explains the advantages of using it.
What is Live Patching?
Live patching lets you keep Linux server kernels up-to-date with the latest security updates without the need to reboot. Although the practice is a decade old – once seen as a convenience tool easing the lives of system administrators – it is now coming to the attention of security managers and CISOs in the wake of the recent flurry of Linux-related kernel vulnerabilities.
Until the advent of live security updates, server managers had to choose between running their systems with known vulnerabilities, or taking their servers down to install security updates. System administrators now see that Linux kernel live security updates are becoming an essential component of an enterprise's cybersecurity toolkit, not merely a convenience for system maintainers.
Security updates for Friday
Security updates have been issued by Arch Linux (chromium, opensc, opensmtpd, and weechat), Debian (jackson-databind and pdfresurrect), Fedora (sudo), openSUSE (openfortivpn and squid), Red Hat (virt:8.1 and virt-devel:8.1), Scientific Linux (http-parser and xerces-c), and SUSE (gd, kernel, postgresql10, and tomcat).
Intel chipsets have another security issue, this time it's 'unfixable'
Researchers have uncovered a fun new vulnerability in Intel processors, and this one has a claim attached that it's not possible to fix it. Sound familiar? Yeah, there have been a lot of problems over at Intel in the last couple of years. We reported on some back in January and it seems it's not getting any better.
This issue, found and reported by Positive Technologies, mentions CVE-2019-0090, which, as the year in the number suggests, was already announced last year. However, the plot thickens. If you have an Intel chipset and/or SoC older than the 10th Generation (so anything in the last few years), you will be affected by this.
'Unfixable' boot ROM security flaw in millions of Intel chips could spell 'utter chaos' for DRM, file encryption, etc.
