Bug#920632: stretch-pu: package intel-microcode/3.20180807a.2~deb9u1

2019-02-06 Thread Henrique de Moraes Holschuh
On Mon, 04 Feb 2019, Adam D. Barratt wrote:
> On Sun, 2019-01-27 at 16:09 -0200, Henrique de Moraes Holschuh wrote:
> > Please update the intel-microcode package in stable (stretch) to
> > version 3.20180807a.2~deb9u1.  This is a limited security update that
> > affects Intel Westmere EP processors, only.
> 
> Please go ahead.

Uploaded.

Thank you!

-- 
  Henrique Holschuh



Processed: Re: Bug#920632: stretch-pu: package intel-microcode/3.20180807a.2~deb9u1

2019-02-04 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #920632 [release.debian.org] stretch-pu: package intel-microcode/3.20180807a.2~deb9u1
Added tag(s) confirmed.

-- 
920632: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920632
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#920632: stretch-pu: package intel-microcode/3.20180807a.2~deb9u1

2019-02-04 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2019-01-27 at 16:09 -0200, Henrique de Moraes Holschuh wrote:
> Please update the intel-microcode package in stable (stretch) to
> version 3.20180807a.2~deb9u1.  This is a limited security update that
> affects Intel Westmere EP processors, only.

Please go ahead.

Regards,

Adam



Bug#920632: stretch-pu: package intel-microcode/3.20180807a.2~deb9u1

2019-01-27 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Please update the intel-microcode package in stable (stretch) to version
3.20180807a.2~deb9u1.  This is a limited security update that affects
Intel Westmere EP processors, only.

It has been tested for several months in unstable, testing, and
backports.  Also, other distros have been shipping it for months and I
could not find any issue reported.

The source debdiff is attached, and the binary debdiff is also attached.
The changes are very minimal, they just enable shipping the microcode
update for Westmere EP.

Reasoning for this update is included in the Debian changelog,
reproduced below:

* Release managers:
  This update is being distributed by Debian in unstable, testing and
  jessie- and stretch-backports since 2018-10-30 without issues, and by
  most distros since 2018-08/2018-09, with no known reports of
  regressions on Westmere EP processors (Spectre mitigations are very
  expensive on Nehalem and Westmere, though).
* SECURITY FIX: this update adds the accumulated fixes for Westmere EP
  (signature 0x206c2) from nearly a decade, including but likely not
  limited to:
  + Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation)
    Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646
  + Implements SSBD support (Spectre v4 mitigation),
    Disable speculation for (some) RDMSR/WRMSR (Spectre v3a fix)
    Intel SA-00115, CVE-2018-3639, CVE-2018-3640
  + Implements IBRS/IBPB/STIPB support, Spectre v2 mitigation.
    Intel SA-0088, CVE-2017-5753, CVE-2017-5754
  + Very likely implements LAPIC sinkhole fix
  + Fixes AAK167/BT248: Virtual APIC accesses with 32-bit PAE paging
    may cause system crash
* This Westmere EP microcode update has been explicitly approved by
  Intel for general distribution by operating systems, refer to the
  changelog entry for 3.20180807a.2 below

Thank you!

-- 
  Henrique Holschuh
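
The request above scopes the update to CPUs with signature 0x206c2. The following added example (not part of the original message or of the intel-microcode package) rebuilds that signature from the family/model/stepping fields of /proc/cpuinfo and reports the microcode revision currently loaded on matching CPUs. The sample text and its microcode values are constructed, and the function names are hypothetical.

```python
import os

WESTMERE_EP_SIG = 0x206C2  # signature quoted in the changelog above

# Constructed sample in /proc/cpuinfo layout; the microcode values are made up.
SAMPLE = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 44
stepping\t: 2
microcode\t: 0x13

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 158
stepping\t: 9
microcode\t: 0x8e
"""

def cpuid_signature(family, model, stepping):
    """Rebuild CPUID.1:EAX from the display family/model/stepping Linux prints."""
    base_family = min(family, 15)
    ext_family = family - base_family      # non-zero only above family 15
    return (ext_family << 20 | (model >> 4) << 16 | base_family << 8
            | (model & 0xF) << 4 | (stepping & 0xF))

def westmere_ep_cpus(cpuinfo_text):
    """Return (processor, loaded microcode revision) for every 0x206c2 CPU."""
    hits = []
    for block in cpuinfo_text.strip().split("\n\n"):
        f = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                f[key.strip()] = value.strip()
        if f.get("vendor_id") != "GenuineIntel" or "cpu family" not in f:
            continue
        sig = cpuid_signature(int(f["cpu family"]), int(f["model"]), int(f["stepping"]))
        if sig == WESTMERE_EP_SIG:
            hits.append((int(f["processor"]), int(f.get("microcode", "0"), 16)))
    return hits

if __name__ == "__main__":
    path = "/proc/cpuinfo"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    for cpu, rev in westmere_ep_cpus(text):
        print(f"cpu{cpu}: signature {WESTMERE_EP_SIG:#x}, microcode revision {rev:#x}")
```

Running it before and after installing the package and rebooting shows whether the loaded revision on the matching CPUs changed.
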
diff -Nru intel-microcode-3.20180807a.1~deb9u1/debian/changelog 
intel-microcode-3.20180807a.2~deb9u1/debian/changelog
--- intel-microcode-3.20180807a.1~deb9u1/debian/changelog   2018-09-15 
00:53:22.0 -0300
+++ intel-microcode-3.20180807a.2~deb9u1/debian/changelog   2019-01-27 
13:07:47.0 -0200
@@ -1,3 +1,40 @@
+intel-microcode (3.20180807a.2~deb9u1) unstable; urgency=medium
+
+  * Release managers:
+This update is being distributed by Debian in unstable, testing and
+jessie- and stretch-backports since 2018-10-30 without issues, and by
+most distros since 2018-08/2018-09, with no known reports of
+regressions on Westmere EP processors (Spectre mitigations are very
+expensive on Nehalem and Westmere, though).
+  * SECURITY FIX: this update adds the accumulated fixes for Westmere EP
+(signature 0x206c2) from nearly a decade, including but likely not
+limited to:
++ Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation)
+  Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646
++ Implements SSBD support (Spectre v4 mitigation),
+  Disable speculation for (some) RDMSR/WRMSR (Spectre v3a fix)
+  Intel SA-00115, CVE-2018-3639, CVE-2018-3640
++ Implements IBRS/IBPB/STIPB support, Spectre v2 mitigation.
+  Intel SA-0088, CVE-2017-5753, CVE-2017-5754
++ Very likely implements LAPIC sinkhole fix
++ Fixes AAK167/BT248: Virtual APIC accesses with 32-bit PAE paging
+  may cause system crash
+  * This Westmere EP microcode update has been explicitly approved by
+Intel for general distribution by operating systems, refer to the
+changelog entry for 3.20180807a.2 below
+
+ -- Henrique de Moraes Holschuh   Sun, 27 Jan 2019 13:07:47 
-0200
+
+intel-microcode (3.20180807a.2) unstable; urgency=medium
+
+  * Makefile: unblacklist 0x206c2 (Westmere EP)
+According to pragyansri.pa...@intel.com, on message to LP#1795594
+on 2018-10-09, we can ship 0x206c2 updates without restrictions.
+Also, there are no reports in the field about this update causing
+issues (closes: #907402) (LP: #1795594)
+
+ -- Henrique de Moraes Holschuh   Tue, 23 Oct 2018 19:52:40 
-0300
+
 intel-microcode (3.20180807a.1~deb9u1) stretch-security; urgency=high
 
   * Upload to Debian stretch (no changes)
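
Review bot: The new top entry names the distribution as "unstable" ("intel-microcode (3.20180807a.2~deb9u1) unstable; urgency=medium") although the version is ~deb9u1 and the request is for stable; it should read stretch before the upload. In the same entry, the Spectre v2 item cites CVE-2017-5753 and CVE-2017-5754, which are the Spectre v1 and Meltdown identifiers, while Spectre v2 (branch target injection) is CVE-2017-5715. "STIPB" should read STIBP, and "Intel SA-0088" has one digit fewer than the other two advisory numbers in the list, so it is worth checking against Intel's numbering.
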
diff -Nru intel-microcode-3.20180807a.1~deb9u1/Makefile 
intel-microcode-3.20180807a.2~deb9u1/Makefile
--- intel-microcode-3.20180807a.1~deb9u1/Makefile   2018-08-24 
08:10:09.0 -0300
+++ intel-microcode-3.20180807a.2~deb9u1/Makefile   2019-01-27 
10:04:48.0 -0200
@@ -31,27 +31,6 @@
 # 0x106c0: alpha hardware, seen in a very very old microcode data file
 IUC_EXCLUDE += -s !0x106c0
 
-# 0x206c2: Intel Westmere B1 (Xeon 3600, 5600, Core i7 2nd gen).
-#
-# When Intel released a fix for Intel SA-00030, they issued a MCU that
-# bumps the minimum acceptable version of the Intel TXT ACMs in the
-# TPM persistent storage.  This permanently blacklists the vulnerable
-#
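
Review bot: The comment removed here for 0x206c2 records that the SA-00030 microcode update bumps the minimum acceptable Intel TXT ACM version in TPM persistent storage and describes the effect as permanent, yet the changelog entry for 3.20180807a.2 only says the update can ship "without restrictions". If that side effect still applies once the exclusion is lifted, say so in the changelog or a NEWS entry so Intel TXT users know before installing; if it no longer applies, state that instead.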