This post will explain the meaning behind the output of the “ksplice kernel uname” (Ksplice Enhanced client) or “uptrack-uname” (Ksplice Uptrack client) command and how to interpret Ksplice’s effective kernel version string.
The effective kernel version that is reported by Ksplice when running the command “ksplice kernel uname -r” reflects the security position of the kernel that is running based on the patches that have been applied by Ksplice. This effective kernel version usually differs from the version of the kernel that was booted and is intended to reflect the current state of the kernel with regard to potential vulnerabilities or critical bugs.
If the booted kernel is locked to a version that did not receive the initial patches for the Spectre/Meltdown vulnerabilities, those patches cannot be applied with Ksplice. Ksplice continues to update the kernel with patches for subsequent CVEs, but the effective kernel version is not updated, so that it accurately reflects that the currently loaded kernel is still vulnerable to Spectre/Meltdown even if it is patched for other potential attack vectors.
You can check your booted kernel version by running “uname -r”. Compare it to the version reported by Ksplice. If these versions match, your kernel is likely to still be vulnerable to Spectre/Meltdown and you should consider upgrading the kernel and rebooting for Ksplice to be fully effective.
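The comparison described above can be scripted, shown here as an added example that is not part of the original post or of Oracle's tooling. The function names and the sample release strings are constructed for illustration, and “uptrack-uname” is assumed to accept “-r” in the same way as “uname”.

```shell
#!/bin/sh
# Added example: compare the booted kernel release with the Ksplice
# effective release. Function names are hypothetical, not Ksplice's.

# Print the effective release from whichever Ksplice client is installed.
# Returns 1 when neither client command is available.
effective_release() {
    if command -v ksplice >/dev/null 2>&1; then
        ksplice kernel uname -r        # Ksplice Enhanced client
    elif command -v uptrack-uname >/dev/null 2>&1; then
        uptrack-uname -r               # Ksplice Uptrack client (-r assumed)
    else
        return 1
    fi
}

# Classify a pair of release strings. Prints one word:
#   differs - effective version is not the booted version
#   matches - effective version equals the booted version (the case the
#             post says to follow up with a kernel upgrade and reboot)
#   unknown - one of the strings is empty, so no conclusion is possible
classify_versions() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo unknown
    elif [ "$1" = "$2" ]; then
        echo matches
    else
        echo differs
    fi
}

# Run the check on the local host. Exit status: 0 differs, 1 matches or
# unknown, 2 no Ksplice client found.
check_host() {
    booted=$(uname -r)
    effective=$(effective_release) || { echo "no-client booted=$booted"; return 2; }
    state=$(classify_versions "$booted" "$effective")
    echo "$state booted=$booted effective=$effective"
    [ "$state" = differs ]
}

# Constructed sample release strings (not taken from a real host).
classify_versions "4.1.12-61.1.28.el7uek.x86_64" "4.1.12-61.1.28.el7uek.x86_64"
classify_versions "4.1.12-61.1.28.el7uek.x86_64" "4.1.12-124.15.4.el7uek.x86_64"
```

On a machine with either client installed, call check_host; a “matches” result is the condition the post says to follow up on.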
You can check which specific CVE vulnerabilities and critical bug fixes have been applied to the running kernel by running “ksplice kernel show”.