CVE-2017-5715 (variant 2), also known as Spectre, as most people know by now is a serious problem affecting a large number of computers across the world.
RedHat previously released patches to mitigate this issue, however, in a rather controversial move, has decided to roll back these changes after complaints about systems failing to boot with the new patches, and instead is now recommending that, "subscribers contact their CPU OEM vendor to download the latest microcode/firmware for their processor."
Many people have taken to saying that Redhat has, “Washed their hands” of the problem, dumping it onto the responsibility of others to handle instead.
The full statement about the recommendation can be found here; it says
Red Hat Security is currently recommending that subscribers contact their CPU OEM vendor to download the latest microcode/firmware for their processor.
The latest microcode_ctl and linux-firmware packages from Red Hat do not include resolutions to the CVE-2017-5715 (variant 2) exploit. Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems not to boot.
The latest microcode_ctl and linux-firmware packages are reverting these unstable microprocessor firmware changes to versions that were known to be stable and well tested, released before the Spectre/Meltdown embargo lift date on Jan 3rd. Customers are advised to contact their silicon vendor to get the latest microcode for their particular processor.
This means that virtually every person running Redhat, CentOS, or others such as Scientific Linux that are based on Redhat, now are left without a means to mitigate Spectre Variant 2, unless they contact their hardware manufacturers on a case-by-case basis, which could cause a massive shift of people/companies to potentially move their servers to a different OS in the future.
Granted, many may do as recommended as well, only time will tell, but the move has left a slightly sour taste among many users throughout the community.
According to the Redhat Linux homepage, they are the “The world’s leading enterprise Linux platform,” so knowing that they have the most significant market share out of the primary enterprise distributions, means that potentially millions of customers are now being left to handle the situation themselves.
Now you: What is your opinion on the move by Redhat to leave their paying subscribers to fend for themselves on this one? Are you a Redhat user, and if so, will you be staying and fixing it yourself, or will you take other measures? Let us know in the comments!
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.