Bug#1033079: bullseye-pu: package intel-microcode/3.20230214.1~deb11u1
On Sat, 2023-03-18 at 08:54 +0100, Tobias Frost wrote:
> On Fri, Mar 17, 2023 at 09:15:36PM +0100, Salvatore Bonaccorso wrote:
> > Yes this is correct, you do not need to mention it. I just wanted to
> > make double sure it's as well on the radar (and have not checked if
> > you have uploaded with -v to include the intermediate changelog
> > entries as well).
>
> I think I've forgotten that part…
> So please reject my upload and I'll fix that…
> The changelog has them, but the .changes indeed doesn't

Flagged for rejection, pending dak actually processing that (we're
mid-dinstall currently).

Regards,

Adam
Bug#1033079: bullseye-pu: package intel-microcode/3.20230214.1~deb11u1
On Fri, Mar 17, 2023 at 09:15:36PM +0100, Salvatore Bonaccorso wrote:
> Yes this is correct, you do not need to mention it. I just wanted to
> make double sure it's as well on the radar (and have not checked if
> you have uploaded with -v to include the intermediate changelog entries
> as well).

I think I've forgotten that part…
So please reject my upload and I'll fix that…

--
tobi
Bug#1033079: bullseye-pu: package intel-microcode/3.20230214.1~deb11u1
Hi Tobias,

On Fri, Mar 17, 2023 at 07:41:28PM +, Tobias Frost wrote:
> On 17 March 2023 19:18:50 UTC, Salvatore Bonaccorso wrote:
> >
> >On Thu, Mar 16, 2023 at 04:06:29PM +0100, Tobias Frost wrote:
> >> Package: release.debian.org
> >> Severity: normal
> >> Tags: bullseye
> >> User: release.debian@packages.debian.org
> >> Usertags: pu
> >> X-Debbugs-Cc: intel-microc...@packages.debian.org, Salvatore Bonaccorso
> >> Control: affects -1 + src:intel-microcode
> >>
> >> (Please refer to #1032847#12 for security team's feedback
> >> that this should go through SPU.)
> >>
> >> The upload updates intel microcodes to target (See #1031334)
> >>   - INTEL-SA-00700: CVE-2022-21216
> >>   - INTEL-SA-00730: CVE-2022-33972
> >>   - INTEL-SA-00738: CVE-2022-33196
> >>   - INTEL-SA-00767: CVE-2022-38090
> >>
> >> the CVEs are information disclosure via local access vulnerabilities and
> >> potential privilege escalations.
> >
> >Note that speaking of fixed CVEs, for bullseye and older with the
> >upload CVE-2022-21233 get fixed as well (this one was as well not
> >warranting a DSA, it is as well SGX related).
>
> yes, this CVE is fixed in 3.20220809.1, which is part of this update.
> to make sure i don't miss it: i thought i do not need to repeat the
> cve in d/changelog if it is mentioned in earlier d/changelog
> entries, right?

Yes this is correct, you do not need to mention it. I just wanted to
make double sure it's as well on the radar (and have not checked if
you have uploaded with -v to include the intermediate changelog entries
as well).

Thank you!

Regards,
Salvatore
Bug#1033079: bullseye-pu: package intel-microcode/3.20230214.1~deb11u1
On 17 March 2023 19:18:50 UTC, Salvatore Bonaccorso wrote:
>
>On Thu, Mar 16, 2023 at 04:06:29PM +0100, Tobias Frost wrote:
>> Package: release.debian.org
>> Severity: normal
>> Tags: bullseye
>> User: release.debian@packages.debian.org
>> Usertags: pu
>> X-Debbugs-Cc: intel-microc...@packages.debian.org, Salvatore Bonaccorso
>> Control: affects -1 + src:intel-microcode
>>
>> (Please refer to #1032847#12 for security team's feedback
>> that this should go through SPU.)
>>
>> The upload updates intel microcodes to target (See #1031334)
>>   - INTEL-SA-00700: CVE-2022-21216
>>   - INTEL-SA-00730: CVE-2022-33972
>>   - INTEL-SA-00738: CVE-2022-33196
>>   - INTEL-SA-00767: CVE-2022-38090
>>
>> the CVEs are information disclosure via local access vulnerabilities and
>> potential privilege escalations.
>
>Note that speaking of fixed CVEs, for bullseye and older with the
>upload CVE-2022-21233 get fixed as well (this one was as well not
>warranting a DSA, it is as well SGX related).

yes, this CVE is fixed in 3.20220809.1, which is part of this update.
to make sure i don't miss it: i thought i do not need to repeat the
cve in d/changelog if it is mentioned in earlier d/changelog
entries, right?

>Regards,
>Salvatore
Bug#1033079: bullseye-pu: package intel-microcode/3.20230214.1~deb11u1
On Thu, Mar 16, 2023 at 04:06:29PM +0100, Tobias Frost wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: intel-microc...@packages.debian.org, Salvatore Bonaccorso
> Control: affects -1 + src:intel-microcode
>
> (Please refer to #1032847#12 for security team's feedback
> that this should go through SPU.)
>
> The upload updates intel microcodes to target (See #1031334)
>   - INTEL-SA-00700: CVE-2022-21216
>   - INTEL-SA-00730: CVE-2022-33972
>   - INTEL-SA-00738: CVE-2022-33196
>   - INTEL-SA-00767: CVE-2022-38090
>
> the CVEs are information disclosure via local access vulnerabilities and
> potential privilege escalations.

Note that speaking of fixed CVEs, for bullseye and older with the
upload CVE-2022-21233 get fixed as well (this one was as well not
warranting a DSA, it is as well SGX related).

Regards,
Salvatore
Bug#1033079: bullseye-pu: package intel-microcode/3.20230214.1~deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: intel-microc...@packages.debian.org, Salvatore Bonaccorso
Control: affects -1 + src:intel-microcode

(Please refer to #1032847#12 for security team's feedback
that this should go through SPU.)

The upload updates intel microcodes to target (See #1031334)
  - INTEL-SA-00700: CVE-2022-21216
  - INTEL-SA-00730: CVE-2022-33972
  - INTEL-SA-00738: CVE-2022-33196
  - INTEL-SA-00767: CVE-2022-38090

the CVEs are information disclosure via local access vulnerabilities and
potential privilege escalations.

I've updated the package in sid already (unblock request #1032847) and
the update of bookworm is the next step to get the CVEs fixed for LTS/ELTS.
I'm working on LTS (buster) and ELTS (stretch and jessie) as part of the
Freexian LTS/ELTS project)

This package is identical to the unstable version, with the exception
that unstable used the new firmware section and this package for
bullseye is using non-free.

To keep the fixes consistent, I'd like to let them flow from sid -> jessie…

[ Tests ]
I've tested that the package works on Intel hardware that I have access to.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

(I've already uploaded to bullseye-spu as I am confident that this upload
will be accepted. To avoid further delays for LTS/ELTS, I'd appreciate
feedback whether this will be accepted, so that I can proceed with
uploading to buster, stretch and jessie without the need to have weird
version numbers :)

Thanks in advance,

--
tobi

diff -Nru intel-microcode-3.20220510.1~deb11u1/changelog intel-microcode-3.20230214.1~deb11u1/changelog --- intel-microcode-3.20220510.1~deb11u1/changelog 2022-07-04 20:10:32.0 +0200 +++ intel-microcode-3.20230214.1~deb11u1/changelog 2023-03-14 19:17:02.0 +0100 
@@ -1,3 +1,84 @@ +2023-02-14: + * New Microcodes: +sig 0x000806f4, pf_mask 0x10, 2022-12-19, rev 0x2c000170, size 600064 +sig 0x000806f4, pf_mask 0x87, 2022-12-27, rev 0x2b000181, size 561152 +sig 0x000806f5, pf_mask 0x10, 2022-12-19, rev 0x2c000170, size 600064 +sig 0x000806f5, pf_mask 0x87, 2022-12-27, rev 0x2b000181, size 561152 +sig 0x000806f6, pf_mask 0x10, 2022-12-19, rev 0x2c000170, size 600064 +sig 0x000806f6, pf_mask 0x87, 2022-12-27, rev 0x2b000181, size 561152 +sig 0x000806f7, pf_mask 0x87, 2022-12-27, rev 0x2b000181, size 561152 +sig 0x000806f8, pf_mask 0x10, 2022-12-19, rev 0x2c000170, size 600064 +sig 0x000806f8, pf_mask 0x87, 2022-12-27, rev 0x2b000181, size 561152 +sig 0x000b06a2, pf_mask 0xc0, 2022-12-08, rev 0x410e, size 212992 +sig 0x000b06a3, pf_mask 0xc0, 2022-12-08, rev 0x410e, size 212992 + + * Updated Microcodes: +sig 0x00050653, pf_mask 0x97, 2022-08-30, rev 0x1000161, size 36864 +sig 0x00050656, pf_mask 0xbf, 2022-08-26, rev 0x4003303, size 37888 +sig 0x00050657, pf_mask 0xbf, 2022-08-26, rev 0x5003303, size 37888 +sig 0x0005065b, pf_mask 0xbf, 2022-08-26, rev 0x7002503, size 29696 +sig 0x000606a6, pf_mask 0x87, 2022-10-09, rev 0xd000389, size 296960 +sig 0x000606c1, pf_mask 0x10, 2022-09-23, rev 0x1000211, size 289792 +sig 0x000706a1, pf_mask 0x01, 2022-09-16, rev 0x003e, size 75776 +sig 0x000706a8, pf_mask 0x01, 2022-09-20, rev 0x0022, size 76800 +sig 0x000706e5, pf_mask 0x80, 2022-08-31, rev 0x00b8, size 113664 +sig 0x000806a1, pf_mask 0x10, 2022-09-07, rev 0x0032, size 34816 +sig 0x00090672, pf_mask 0x07, 2023-01-04, rev 0x002c, size 219136 +sig 0x00090675, pf_mask 0x07, 2023-01-04, rev 0x002c, size 219136 +sig 0x000906a3, pf_mask 0x80, 2023-01-11, rev 0x0429, size 218112 +sig 0x000906a4, pf_mask 0x80, 2023-01-11, rev 0x0429, size 218112 +sig 0x000906c0, pf_mask 0x01, 2022-09-02, rev 0x2424, size 20480 +sig 0x000a0671, pf_mask 0x02, 2022-08-31, rev 0x0057, size 103424 +sig 0x000b0671, pf_mask 0x32, 2022-12-19, rev 0x0112, size 207872 
+sig 0x000b06f2, pf_mask 0x07, 2023-01-04, rev 0x002c, size 219136 +sig 0x000b06f5, pf_mask 0x07, 2023-01-04, rev 0x002c, size 219136 + +2022-11-08: + * New Microcodes: +sig 0x000606c1, pf_mask 0x10, 2022-08-07, rev 0x1000201, size 286720 +sig 0x000b0671, pf_mask 0x32, 2022-09-07, rev 0x010e, size 204800 + + * Updated Microcodes: +sig 0x000706e5, pf_mask 0x80, 2022-08-02, rev 0x00b6, size 113664 +sig 0x000806c1, pf_mask 0x80, 2022-06-28, rev 0x00a6, size 110592 +sig 0x000806d1, pf_mask 0xc2, 2022-06-28, rev 0x0042, size 102400 +sig 0x000806ec, pf_mask 0x94, 2022-07-31, rev 0x00f4, size 105472 +sig 0x00090661, pf_mask 0x01, 2022-07-15, rev 0x0017, size 20480 +sig 0x00090672, pf_mask 0x07, 2022-09-19, rev 0x0026, size 218112 +sig 0x00090675, pf_mask 0x07, 2022-09-19, rev 0x0026 +sig 0x000b06f2,
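
Review bot: none of the INTEL-SA or CVE identifiers named in the request appear in the visible lines of this hunk, which adds the 2023-02-14 and 2022-11-08 microcode lists to the top-level changelog and is cut off at "+sig 0x000b06f2," well short of the 84 lines announced in "@@ -1,3 +1,84 @@". Please make sure the debian/changelog part of the debdiff maps these releases to the advisories, and confirm that the truncated remainder carries the entry for 3.20220809.1, since the thread relies on that release for the CVE-2022-21233 fix. Several signatures (0x00090672, 0x00090675, 0x000706e5, 0x000b0671, 0x000606c1) get a new revision in both visible releases, so the intermediate entries matter to anyone checking which revision a given CPU ends up with.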