• Bug#1068082: bullseye-pu: package intel-microcode/3.20240312.1~deb11u1

    From Henrique de Moraes Holschuh@21:1/5 to All on Sat Mar 30 12:00:01 2024
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    Tags: bullseye
    User: release.debian.org@packages.debian.org
    Usertags: pu

    (duplicate submission, this one is signed. sorry about that!)

    [ Reason ]

    As requested by the security team, I would like to bring the microcode
    update level for Intel processors in Bullseye and Bookworm to match what
    we have in Sid and Trixie. This is the bug report for Bullseye, a
    separate one will be filed for Bookworm.

    This fixes:
    * Several CVEs in many Intel processors
    - Mitigations for INTEL-SA-INTEL-SA-00972 (CVE-2023-39368)
    - Mitigations for INTEL-SA-INTEL-SA-00982 (CVE-2023-38575)
    - Mitigations for INTEL-SA-INTEL-SA-00898 (CVE-2023-28746), aka RFDS
    - Mitigations for INTEL-SA-INTEL-SA-00960 (CVE-2023-22655), aka TECRA
    - Mitigations for INTEL-SA-INTEL-SA-01045 (CVE-2023-43490)
    * Other unspecified functional issues on many processors

    There are no relevant issues reported on this microcode update,
    considering the version of intel-microcode already available as
    security updates for bookworm and bullseye.

    [ Impact ]

    If this update is not approved, owners of most recent "client" Intel
    processors and a few server processors will depend on UEFI updates to
    be protected against RFDS as well as the other issues listed above.

    [ Tests ]

    There were no bug reports from users of Debian sid or Trixie, these
    packages have been tested there since 2024-03-13 (sid), 2024-03-18
    (trixie).

    [ Risks ]

    Unknown, but not believed to be any different from other Intel microcode updates.

    Linux kernel updates related to the RFDS microcode update fixes are
    either already available in Bookworm and Bullseye, or have already
    been requested as spu's.

    [ Checklist ]
    [x] *all* changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in (old)stable
    [x] the issue is verified as fixed in unstable

    [ Changes ]

    As per the debdiff, only documentation changes, package documentation
    changes, and the binary blob change from upstream.

    Diffstat:
    b/changelog | 77 +++++++++++++++++++++++++++++++++++++++
    b/debian/changelog | 89 +++++++++++++++++++++++++++++++++++++++++++++
    b/intel-ucode/06-55-03 |binary
    b/intel-ucode/06-55-06 |binary
    b/intel-ucode/06-55-07 |binary
    b/intel-ucode/06-55-0b |binary
    b/intel-ucode/06-56-05 |binary
    b/intel-ucode/06-5f-01 |binary
    b/intel-ucode/06-6a-06 |binary
    b/intel-ucode/06-6c-01 |binary
    b/intel-ucode/06-7a-01 |binary
    b/intel-ucode/06-7a-08 |binary
    b/intel-ucode/06-7e-05 |binary
    b/intel-ucode/06-8c-01 |binary
    b/intel-ucode/06-8c-02 |binary
    b/intel-ucode/06-8d-01 |binary
    b/intel-ucode/06-8e-0c |binary
    b/intel-ucode/06-8f-05 |binary
    b/intel-ucode/06-8f-06 |binary
    b/intel-ucode/06-8f-07 |binary
    b/intel-ucode/06-8f-08 |binary
    b/intel-ucode/06-96-01 |binary
    b/intel-ucode/06-97-02 |binary
    b/intel-ucode/06-97-05 |binary
    b/intel-ucode/06-9a-03 |binary
    b/intel-ucode/06-9a-04 |binary
    b/intel-ucode/06-9c-00 |binary
    b/intel-ucode/06-9e-09 |binary
    b/intel-ucode/06-9e-0a |binary
    b/intel-ucode/06-9e-0c |binary
    b/intel-ucode/06-9e-0d |binary
    b/intel-ucode/06-a5-02 |binary
    b/intel-ucode/06-a5-03 |binary
    b/intel-ucode/06-a5-05 |binary
    b/intel-ucode/06-a6-00 |binary
    b/intel-ucode/06-a6-01 |binary
    b/intel-ucode/06-a7-01 |binary
    b/intel-ucode/06-aa-04 |binary
    b/intel-ucode/06-b7-01 |binary
    b/intel-ucode/06-ba-02 |binary
    b/intel-ucode/06-ba-03 |binary
    b/intel-ucode/06-ba-08 |binary
    b/intel-ucode/06-be-00 |binary
    b/intel-ucode/06-bf-02 |binary
    b/intel-ucode/06-bf-05 |binary
    b/intel-ucode/06-cf-01 |binary
    b/intel-ucode/06-cf-02 |binary
    b/releasenote.md | 96 +++++++++++++++++++++++++++++++++++++++++++++++++
    49 files changed, 262 insertions(+)

    [ Other info ]

    The package version with "~" is needed to guarantee smooth updates to
    the next debian release.

    --
    Henrique Holschuh


    diff --git a/changelog b/changelog
    index cbf9f66..fe44e7e 100644
    --- a/changelog
    +++ b/changelog
    @@ -1,3 +1,80 @@
    +2024-03-12:
    + * New upstream microcode datafile 20240312
    + - Mitigations for INTEL-SA-INTEL-SA-00972 (CVE-2023-39368):
    + Protection mechanism failure of bus lock regulator for some Intel
    + Processors may allow an unauthenticated user to potentially enable
    + denial of service via network access.
    + - Mitigations for INTEL-SA-INTEL-SA-00982 (CVE-2023-38575):
    + Non-transparent sharing of return predictor targets between contexts in + some Intel Processors may allow an authorized user to potentially
    + enable information disclosure via local access. Affects SGX as well.
    + - Mitigations for INTEL-SA-INTEL-SA-00898 (CVE-2023-28746), aka RFDS
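
    Review bot: the advisory identifiers in the new 2024-03-12 entry double their prefix ("INTEL-SA-INTEL-SA-00972", "INTEL-SA-INTEL-SA-00982", "INTEL-SA-INTEL-SA-00898"), so a search for the usual form INTEL-SA-00972 will not match these lines. Suggest writing them as INTEL-SA-00972, INTEL-SA-00982 and INTEL-SA-00898, or, if the text is kept verbatim from the upstream datafile notes, saying so in debian/changelog so the CVE numbers are understood to be the reliable key.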
  • From Jonathan Wiltshire@21:1/5 to Henrique de Moraes Holschuh on Mon Apr 22 19:10:05 2024
    XPost: linux.debian.devel.release

    Control: tag -1 confirmed

    On Sat, Mar 30, 2024 at 07:50:45AM -0300, Henrique de Moraes Holschuh wrote:
    > As requested by the security team, I would like to bring the microcode
    > update level for Intel processors in Bullseye and Bookworm to match what
    > we have in Sid and Trixie. This is the bug report for Bullseye, a
    > separate one will be filed for Bookworm.

    Please go ahead.

    Thanks,

    --
    Jonathan Wiltshire jmw@debian.org
    Debian Developer http://people.debian.org/~jmw

    4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
    ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Henrique de Moraes Holschuh@21:1/5 to Jonathan Wiltshire on Thu May 2 17:00:01 2024
    XPost: linux.debian.devel.release

    On Mon, Apr 22, 2024, at 13:58, Jonathan Wiltshire wrote:
    > Control: tag -1 confirmed
    >
    > On Sat, Mar 30, 2024 at 07:50:45AM -0300, Henrique de Moraes Holschuh wrote:
    > > As requested by the security team, I would like to bring the microcode
    > > update level for Intel processors in Bullseye and Bookworm to match what
    > > we have in Sid and Trixie. This is the bug report for Bullseye, a
    > > separate one will be filed for Bookworm.
    >
    > Please go ahead.

    Uploaded!

    Thank you!

    --
    Henrique de Moraes Holschuh <hmh@debian.org>
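
Added example, not part of the thread or of the intel-microcode package: a check of whether a machine's CPU signature matches one of the `intel-ucode/` files changed in the diffstat of the first message. It assumes an Intel CPU and `/proc/cpuinfo`-format input; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: is this CPU's microcode file among those changed by the update?
# File names are family-model-stepping, two hex digits each (e.g. 06-8e-0c).

# File names copied from the diffstat in the first message.
UPDATED="06-55-03 06-55-06 06-55-07 06-55-0b 06-56-05 06-5f-01 06-6a-06 06-6c-01 \
06-7a-01 06-7a-08 06-7e-05 06-8c-01 06-8c-02 06-8d-01 06-8e-0c 06-8f-05 \
06-8f-06 06-8f-07 06-8f-08 06-96-01 06-97-02 06-97-05 06-9a-03 06-9a-04 \
06-9c-00 06-9e-09 06-9e-0a 06-9e-0c 06-9e-0d 06-a5-02 06-a5-03 06-a5-05 \
06-a6-00 06-a6-01 06-a7-01 06-aa-04 06-b7-01 06-ba-02 06-ba-03 06-ba-08 \
06-be-00 06-bf-02 06-bf-05 06-cf-01 06-cf-02"

# ucode_name: read /proc/cpuinfo-format text on stdin and print the file name
# for the first CPU listed (prints nothing if the fields are missing).
ucode_name() {
    awk -F'[ \t]*:[ \t]*' '
        $1 == "cpu family" { fam = $2 + 0 }
        $1 == "model"      { mod = $2 + 0 }
        $1 == "stepping"   { printf "%02x-%02x-%02x\n", fam, mod, $2 + 0; exit }
    '
}

# in_update NAME: succeed if NAME is one of the files listed above.
in_update() {
    case " $UPDATED " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_cpu: classify the CPU described on stdin.
check_cpu() {
    name=$(ucode_name)
    if [ -z "$name" ]; then echo "unknown"
    elif in_update "$name"; then echo "$name changed"
    else echo "$name unchanged"
    fi
}

# Constructed sample: family 6, model 142 (0x8e), stepping 12 (0x0c).
sample_cpuinfo() {
    printf 'processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n'
    printf 'model\t\t: 142\nmodel name\t: Constructed sample CPU\nstepping\t: 12\n'
}

sample_cpuinfo | check_cpu
if [ -r /proc/cpuinfo ]; then check_cpu < /proc/cpuinfo; fi
```

A "changed" result only says the package ships a new file for that signature; the revision actually loaded is the `microcode` field of `/proc/cpuinfo` after the next boot.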
