Bug#1010947: intel-microcode: CVE-2022-21151 / INTEL-SA-00617

2022-05-16 Thread Salvatore Bonaccorso
Hi Henrique,

On Mon, May 16, 2022 at 11:12:18AM -0300, Henrique de Moraes Holschuh wrote:
> On Fri, 13 May 2022, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for intel-microcode.
> > 
> > CVE-2022-21151[0]:
> > | Processor optimization removal or modification of security-critical
> > | code for some Intel(R) Processors may allow an authenticated user to
> > | potentially enable information disclosure via local access.
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> Sure thing.  I am already on it, sorry about the wait.
> 
> There are regressions caused by microcode updates in Alder Lake, maybe
> restricted to some motherboards, but the reports are multi-vendor
> already.  The regression is present in 3.20220207.1 and later, when
> Intel added Alder Lake microcode updates to the public datafile.
> 
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/58
> 
> I will upload 20220510 with the entire set of microcode updates to
> unstable (which does include Alder Lake).
> 
> If the security team would like to have 20220207+ in stable soonish, we
> can issue a 20220510 security update that blacklists 0x90672 and all
> other related signatures, until more details are known (or the issue
> gets fixed upstream).  Just drop me a note, and I can prepare that.

Thanks for the update. IMHO this is nothing critically urgent that we
cannot wait for first some exposure. And then we can decide if this
should go out via a DSA or if it's sufficient via the next point
releases.

Thanks for your work!

Regards,
Salvatore



Bug#1010947: intel-microcode: CVE-2022-21151 / INTEL-SA-00617

2022-05-16 Thread Henrique de Moraes Holschuh
On Fri, 13 May 2022, Salvatore Bonaccorso wrote:
> The following vulnerability was published for intel-microcode.
> 
> CVE-2022-21151[0]:
> | Processor optimization removal or modification of security-critical
> | code for some Intel(R) Processors may allow an authenticated user to
> | potentially enable information disclosure via local access.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Sure thing.  I am already on it, sorry about the wait.

There are regressions caused by microcode updates in Alder Lake, maybe
restricted to some motherboards, but the reports are multi-vendor
already.  The regression is present in 3.20220207.1 and later, when
Intel added Alder Lake microcode updates to the public datafile.

https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/58

I will upload 20220510 with the entire set of microcode updates to
unstable (which does include Alder Lake).

If the security team would like to have 20220207+ in stable soonish, we
can issue a 20220510 security update that blacklists 0x90672 and all
other related signatures, until more details are known (or the issue
gets fixed upstream).  Just drop me a note, and I can prepare that.

-- 
  Henrique Holschuh
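The message above proposes blacklisting the Alder Lake signature 0x90672 in the stable update. As an added example (not code from the thread or from the intel-microcode package), the following script derives that CPUID signature from the `cpu family` / `model` / `stepping` fields Linux exposes in /proc/cpuinfo, reports the loaded microcode revision, and tells an administrator whether a host falls under such a blacklist. The cpuinfo text and the blacklist contents are constructed sample data; the thread names only 0x90672.

```python
"""Check a host's CPUID signature and microcode revision against a blacklist."""

# Constructed sample: first processor block of /proc/cpuinfo on an Alder Lake-S
# system (family 6, model 151, stepping 2, i.e. signature 0x90672).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 151
model name\t: 12th Gen Intel(R) Core(TM) i5-12400
stepping\t: 2
microcode\t: 0x1f
cpu MHz\t\t: 2500.000
"""

# Signature the thread proposes to blacklist; any "related signatures" are
# not listed in the thread, so only the one named there is included here.
BLACKLIST = {0x90672}


def parse_cpuinfo(text):
    """Return key/value pairs of the first processor block (blank line ends it)."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def cpuid_signature(family, model, stepping):
    """Encode family/model/stepping as CPUID leaf 1 EAX does.

    Linux prints the effective family and model (extended fields already
    folded in), so split them back: base family in bits 8-11 (0xF plus an
    extended family in bits 20-27 once family >= 15), low model nibble in
    bits 4-7, extended model in bits 16-19, stepping in bits 0-3.
    """
    sig = (0xF << 8) | ((family - 15) << 20) if family >= 15 else family << 8
    sig |= (model & 0xF) << 4
    sig |= (model >> 4) << 16
    return sig | (stepping & 0xF)


def check_host(cpuinfo_text, blacklist=BLACKLIST):
    """Summarise signature, microcode revision and blacklist status of a host."""
    f = parse_cpuinfo(cpuinfo_text)
    sig = cpuid_signature(int(f["cpu family"]), int(f["model"]), int(f["stepping"]))
    return {"signature": sig, "microcode": int(f["microcode"], 16),
            "blacklisted": sig in blacklist}


if __name__ == "__main__":
    r = check_host(SAMPLE_CPUINFO)  # replace with open("/proc/cpuinfo").read()
    print(f"signature 0x{r['signature']:x}, microcode 0x{r['microcode']:x}, "
          f"blacklisted={r['blacklisted']}")
```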



Bug#1010947: intel-microcode: CVE-2022-21151 / INTEL-SA-00617

2022-05-13 Thread Salvatore Bonaccorso
Source: intel-microcode
Version: 3.20220207.1
Severity: important
Tags: security upstream fixed-upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 3.20220207.1~deb11u1
Control: found -1 3.20210608.2~deb10u1

Hi,

The following vulnerability was published for intel-microcode.

CVE-2022-21151[0]:
| Processor optimization removal or modification of security-critical
| code for some Intel(R) Processors may allow an authenticated user to
| potentially enable information disclosure via local access.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-21151
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21151
[1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00617.html
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220510

Regards,
Salvatore