• Bug#1068083: bullseye-pu: package intel-microcode/3.20240312.1~deb11u1

    From Henrique de Moraes Holschuh@21:1/5 to All on Sat Mar 30 12:00:01 2024
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    Tags: bullseye
    User: release.debian.org@packages.debian.org
    Usertags: pu

    [ Reason ]

    As requested by the security team, I would like to bring the microcode
    update level for Intel processors in Bullseye and Bookworm to match what
    we have in Sid and Trixie. This is the bug report for Bullseye; a
    separate one will be filed for Bookworm.

    This fixes:
    * Several CVEs in many Intel processors
    - Mitigations for INTEL-SA-00972 (CVE-2023-39368)
    - Mitigations for INTEL-SA-00982 (CVE-2023-38575)
    - Mitigations for INTEL-SA-00898 (CVE-2023-28746), aka RFDS
    - Mitigations for INTEL-SA-00960 (CVE-2023-22655), aka TECRA
    - Mitigations for INTEL-SA-01045 (CVE-2023-43490)
    * Other unspecified functional issues on many processors

    There are no relevant issues reported on this microcode update,
    considering the version of intel-microcode already available as
    security updates for bookworm and bullseye.

    [ Impact ]

    If this update is not approved, owners of most recent "client" Intel
    processors and a few server processors will depend on UEFI updates to
    be protected against RFDS as well as the other issues listed above.

    [ Tests ]

    There were no bug reports from users of Debian sid or Trixie; these
    packages have been tested there since 2024-03-13 (sid) and 2024-03-18
    (trixie).

    [ Risks ]

    Unknown, but not believed to be any different from other Intel microcode updates.

    Linux kernel updates related to the RFDS microcode update fixes are
    either already available in Bookworm and Bullseye, or have already been requested as spu's.

    [ Checklist ]
    [x] *all* changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in (old)stable
    [x] the issue is verified as fixed in unstable

    [ Changes ]

    As per the debdiff, only documentation changes, package documentation
    changes, and the binary blob change from upstream.

    Diffstat:
    b/changelog | 77 +++++++++++++++++++++++++++++++++++++++
    b/debian/changelog | 89 +++++++++++++++++++++++++++++++++++++++++++++
    b/intel-ucode/06-55-03 |binary
    b/intel-ucode/06-55-06 |binary
    b/intel-ucode/06-55-07 |binary
    b/intel-ucode/06-55-0b |binary
    b/intel-ucode/06-56-05 |binary
    b/intel-ucode/06-5f-01 |binary
    b/intel-ucode/06-6a-06 |binary
    b/intel-ucode/06-6c-01 |binary
    b/intel-ucode/06-7a-01 |binary
    b/intel-ucode/06-7a-08 |binary
    b/intel-ucode/06-7e-05 |binary
    b/intel-ucode/06-8c-01 |binary
    b/intel-ucode/06-8c-02 |binary
    b/intel-ucode/06-8d-01 |binary
    b/intel-ucode/06-8e-0c |binary
    b/intel-ucode/06-8f-05 |binary
    b/intel-ucode/06-8f-06 |binary
    b/intel-ucode/06-8f-07 |binary
    b/intel-ucode/06-8f-08 |binary
    b/intel-ucode/06-96-01 |binary
    b/intel-ucode/06-97-02 |binary
    b/intel-ucode/06-97-05 |binary
    b/intel-ucode/06-9a-03 |binary
    b/intel-ucode/06-9a-04 |binary
    b/intel-ucode/06-9c-00 |binary
    b/intel-ucode/06-9e-09 |binary
    b/intel-ucode/06-9e-0a |binary
    b/intel-ucode/06-9e-0c |binary
    b/intel-ucode/06-9e-0d |binary
    b/intel-ucode/06-a5-02 |binary
    b/intel-ucode/06-a5-03 |binary
    b/intel-ucode/06-a5-05 |binary
    b/intel-ucode/06-a6-00 |binary
    b/intel-ucode/06-a6-01 |binary
    b/intel-ucode/06-a7-01 |binary
    b/intel-ucode/06-aa-04 |binary
    b/intel-ucode/06-b7-01 |binary
    b/intel-ucode/06-ba-02 |binary
    b/intel-ucode/06-ba-03 |binary
    b/intel-ucode/06-ba-08 |binary
    b/intel-ucode/06-be-00 |binary
    b/intel-ucode/06-bf-02 |binary
    b/intel-ucode/06-bf-05 |binary
    b/intel-ucode/06-cf-01 |binary
    b/intel-ucode/06-cf-02 |binary
    b/releasenote.md | 96 +++++++++++++++++++++++++++++++++++++++++++++++++
    49 files changed, 262 insertions(+)

    [ Other info ]

    The package version with "~" is needed to guarantee smooth updates to
    the next Debian release.

    --
    Henrique Holschuh
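The [ Impact ] and [ Risks ] sections above turn on one question for an administrator: does the running host already carry the RFDS (CVE-2023-28746) microcode, or is it still relying on a UEFI update? The script below is an added example, not code from the bug report or from the intel-microcode package. It reads only what the kernel exposes (the `microcode` field in /proc/cpuinfo and the `reg_file_data_sampling` file under /sys/devices/system/cpu/vulnerabilities, which the RFDS-aware kernel updates mentioned above introduce) and classifies the kernel's verdict; the status strings it matches are the ones the Linux x86 bugs code reports for RFDS. The sample cpuinfo fragment and sysfs directory at the end are constructed so the script runs offline; the microcode revision value in them is made up.

```shell
#!/bin/sh
# Added example: classify a host's RFDS mitigation state from kernel-exposed
# data. Paths are parameters so the same functions run against a constructed
# sample (below) or against the live /proc and /sys on a real machine.

# Distinct microcode revision(s) reported in a cpuinfo-format file.
ucode_revisions() {
    awk -F': ' '/^microcode/ { print $2 }' "$1" | sort -u
}

# The kernel's RFDS verdict from a sysfs vulnerabilities directory, or
# "unknown" when the kernel predates the reg_file_data_sampling file.
rfds_status() {
    f="$1/reg_file_data_sampling"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Map the verdict to an action:
#   microcode  - kernel has the mitigation code but the CPU lacks the
#                microcode (the case this package update closes)
#   mitigated  - microcode present, kernel clearing register files
#   unaffected - CPU not in the affected list
#   check      - anything else (old kernel, mitigation disabled, etc.)
rfds_verdict() {
    case "$1" in
        "Vulnerable: No microcode")         echo microcode ;;
        "Mitigation: Clear Register File")  echo mitigated ;;
        "Not affected")                     echo unaffected ;;
        *)                                  echo check ;;
    esac
}

# One-line report for a host. On a live Debian system run:
#   rfds_report /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities
rfds_report() {
    echo "microcode revision(s): $(ucode_revisions "$1" | tr '\n' ' ')"
    status=$(rfds_status "$2")
    echo "RFDS: $status -> $(rfds_verdict "$status")"
}

# Constructed sample input (not from a real machine): a two-CPU cpuinfo
# fragment with a made-up revision, and a vulnerabilities directory showing
# the pre-update state a bullseye host without UEFI microcode would report.
SAMPLE_DIR=$(mktemp -d)
printf 'microcode\t: 0x4c\nmicrocode\t: 0x4c\n' > "$SAMPLE_DIR/cpuinfo"
mkdir "$SAMPLE_DIR/vuln"
printf 'Vulnerable: No microcode\n' > "$SAMPLE_DIR/vuln/reg_file_data_sampling"

rfds_report "$SAMPLE_DIR/cpuinfo" "$SAMPLE_DIR/vuln"
```

A result of `microcode` after installing this package means the new revision was not loaded: check that the early-initramfs was rebuilt (`update-initramfs -u`) and that the host was rebooted, since microcode is applied at boot. A `check` result on a kernel without the sysfs file means the kernel side of the fix, not the microcode, is what is missing.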

    diff --git a/changelog b/changelog
    index cbf9f66..fe44e7e 100644
    --- a/changelog
    +++ b/changelog
    @@ -1,3 +1,80 @@
    +2024-03-12:
    + * New upstream microcode datafile 20240312
    + - Mitigations for INTEL-SA-INTEL-SA-00972 (CVE-2023-39368):
    + Protection mechanism failure of bus lock regulator for some Intel
    + Processors may allow an unauthenticated user to potentially enable
    + denial of service via network access.
    + - Mitigations for INTEL-SA-INTEL-SA-00982 (CVE-2023-38575):
    + Non-transparent sharing of return predictor targets between contexts in + some Intel Processors may allow an authorized user to potentially
    + enable information disclosure via local access. Affects SGX as well.
    + - Mitigations for INTEL-SA-INTEL-SA-00898 (CVE-2023-28746), aka RFDS:
    + Information exposure through microarchitectural state after transient
    + execution from some register files for some Intel Atom Processors and
    + E-cores of Intel Core Processors may allow an authenticated user to
    + potentially enable information disclo
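Review bot: every advisory identifier added in this hunk doubles the prefix (`+ - Mitigations for INTEL-SA-INTEL-SA-00972 (CVE-2023-39368):`, and likewise for 00982 and 00898); Intel advisory IDs take the form INTEL-SA-00972, so these changelog lines should be corrected to `- Mitigations for INTEL-SA-00972 (CVE-2023-39368):` before the documentation ships, since readers will search on the advisory ID.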