Bug#954023: stretch-pu: package amd64-microcode/3.20181128.1~deb9u1
Hi Adam,

> Anton, do you have any idea how widespread use of the existing
> stretch-backports package has been?

No, I do not have this information. If you are not sure - feel free
to reject this request.

Best regards

Anton

On Thu, 2 July 2020 at 22:14, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:

> Apologies for letting this sit for a while.
>
> On Mon, 2020-03-23 at 18:08 -0300, Henrique de Moraes Holschuh wrote:
> > On Sat, 21 Mar 2020, Adam D. Barratt wrote:
> > > On Sun, 2020-03-15 at 21:37 +0100, Anton Gladky wrote:
> > > > I have prepared an update for amd64-microcode for Debian Stretch,
> > > > which fixes CVE-2017-5715. Please see an attached debdiff.
> > > >
> > > > This is the newer upstream version, which fixes CVE-2017-5715.
> > > > Security team marked this CVE for Stretch as [1].
> > >
> > > Do you have any input / thoughts on this proposed update?
> >
> > The microcode might be safe enough, we don't have regressions
> > reported against the latest one (which is just a revert by AMD of an
> > update that did cause regressions when not applied through UEFI).
> >
> > But that's with recent kernels.
> >
> > I have no idea about the kernel codepaths it might activate, though,
> > if new MSRs are exposed.
>
> I'm torn as to what to do with this request, given that we're about to
> hit the EOL point release for stretch.
>
> Anton, do you have any idea how widespread use of the existing
> stretch-backports package has been?
>
> Regards,
>
> Adam
Bug#954023: stretch-pu: package amd64-microcode/3.20181128.1~deb9u1
Apologies for letting this sit for a while.

On Mon, 2020-03-23 at 18:08 -0300, Henrique de Moraes Holschuh wrote:
> On Sat, 21 Mar 2020, Adam D. Barratt wrote:
> > On Sun, 2020-03-15 at 21:37 +0100, Anton Gladky wrote:
> > > I have prepared an update for amd64-microcode for Debian Stretch,
> > > which fixes CVE-2017-5715. Please see an attached debdiff.
> > >
> > > This is the newer upstream version, which fixes CVE-2017-5715.
> > > Security team marked this CVE for Stretch as [1].
> >
> > Do you have any input / thoughts on this proposed update?
>
> The microcode might be safe enough, we don't have regressions
> reported against the latest one (which is just a revert by AMD of an
> update that did cause regressions when not applied through UEFI).
>
> But that's with recent kernels.
>
> I have no idea about the kernel codepaths it might activate, though,
> if new MSRs are exposed.

I'm torn as to what to do with this request, given that we're about to
hit the EOL point release for stretch.

Anton, do you have any idea how widespread use of the existing
stretch-backports package has been?

Regards,

Adam
Bug#954023: stretch-pu: package amd64-microcode/3.20181128.1~deb9u1
On Sat, 21 Mar 2020, Adam D. Barratt wrote:
> On Sun, 2020-03-15 at 21:37 +0100, Anton Gladky wrote:
> > I have prepared an update for amd64-microcode for Debian Stretch,
> > which fixes CVE-2017-5715. Please see an attached debdiff.
> >
> > This is the newer upstream version, which fixes CVE-2017-5715.
> > Security team marked this CVE for Stretch as [1].
>
> Do you have any input / thoughts on this proposed update?

The microcode might be safe enough, we don't have regressions
reported against the latest one (which is just a revert by AMD of an
update that did cause regressions when not applied through UEFI).

But that's with recent kernels.

I have no idea about the kernel codepaths it might activate, though,
if new MSRs are exposed.

--
Henrique Holschuh
Bug#954023: stretch-pu: package amd64-microcode/3.20181128.1~deb9u1
Hi Henrique,

On Sun, 2020-03-15 at 21:37 +0100, Anton Gladky wrote:
> I have prepared an update for amd64-microcode for Debian Stretch,
> which fixes CVE-2017-5715. Please see an attached debdiff.
>
> This is the newer upstream version, which fixes CVE-2017-5715.
> Security team marked this CVE for Stretch as [1].

Do you have any input / thoughts on this proposed update?

This would pull stretch's amd64-microcode to the version that's
currently in stretch-backports and buster. That's an update for stretch
from 2016 -> 2018, but still behind unstable and testing, which have a
2019 package.

The complete set of package versions is currently:

amd64-microcode | 2.20160316.1~deb8u1 | oldoldstable/non-free         | source, amd64, i386
amd64-microcode | 3.20160316.3        | oldstable/non-free            | source, amd64, i386
amd64-microcode | 3.20181128.1~bpo9+1 | stretch-backports/non-free    | source, amd64, i386
amd64-microcode | 3.20181128.1~deb8u1 | oldoldstable/updates/non-free | source, amd64, i386
amd64-microcode | 3.20181128.1        | stable/non-free               | source, amd64, i386
amd64-microcode | 3.20191218.1        | testing/non-free              | source, amd64, i386
amd64-microcode | 3.20191218.1        | unstable/non-free             | source, amd64, i386

Regards,

Adam
Bug#954023: stretch-pu: package amd64-microcode/3.20181128.1~deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I have prepared an update for amd64-microcode for Debian Stretch,
which fixes CVE-2017-5715. Please see an attached debdiff.

This is the newer upstream version, which fixes CVE-2017-5715.
Security team marked this CVE for Stretch as [1].

The package version with "~" is needed to guarantee a smooth
update to buster, where the current version is 3.20181128.1.
Also I am preparing an update for Jessie [2] and it would be good to have
3.20181128.1~deb9u1 in Stretch for a smooth Jessie->Stretch upgrade.

Please review the debdiff and let me know whether I may proceed with an
update or make some changes.

[1] https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c9dda4132363fd5b169a3aad5fec48a4e4d2f72#4716ef5aa8f2742228ba3b3633215c8b808565e3_171225_171225
[2] https://lists.debian.org/

Best regards

Anton

diff -Nru amd64-microcode-3.20160316.3/debian/changelog amd64-microcode-3.20181128.1~deb9u1/debian/changelog --- 
amd64-microcode-3.20160316.3/debian/changelog 2016-11-30 02:54:53.0 +0100 +++ amd64-microcode-3.20181128.1~deb9u1/debian/changelog2020-03-12 20:29:09.0 +0100 
@@ -1,3 +1,72 @@ +amd64-microcode (3.20181128.1~deb9u1) stretch; urgency=high + + * Non-maintainer upload by the Security Team. + * New upstream release. + * Add IBPB support for family 17h AMD processors (CVE-2017-5715) +(since version 3.20180515.1). + + -- Anton Gladky Thu, 12 Mar 2020 20:29:09 +0100 + +amd64-microcode (3.20181128.1) unstable; urgency=medium + + * New microcode update packages from AMD upstream: ++ New Microcodes: + sig 0x00800f82, patch id 0x0800820b, 2018-06-20 + * README: update for new release + + -- Henrique de Moraes Holschuh Sat, 15 Dec 2018 18:42:12 -0200 + +amd64-microcode (3.20180524.1) unstable; urgency=high + + * New microcode update packages from AMD upstream: ++ Re-added Microcodes: + sig 0x00610f01, patch id 0x06001119, 2012-07-13 + * This update avoids regressing sig 0x610f01 processors on systems with +outdated firmware by adding back exactly the same microcode patch that was +present before [for these processors]. It does not implement Spectre-v2 +mitigation for these processors. + * README: update for new release + + -- Henrique de Moraes Holschuh Fri, 25 May 2018 15:38:22 -0300 + +amd64-microcode (3.20180515.1) unstable; urgency=high + + * New microcode update packages from AMD upstream: ++ New Microcodes: + sig 0x00800f12, patch id 0x08001227, 2018-02-09 ++ Updated Microcodes: + sig 0x00600f12, patch id 0x0600063e, 2018-02-07 + sig 0x00600f20, patch id 0x06000852, 2018-02-06 ++ Removed Microcodes: + sig 0x00610f01, patch id 0x06001119, 2012-07-13 + * Adds Spectre v2 (CVE-2017-5715) microcode-based mitigation support, +plus other unspecified fixes/updates. 
+ * README, debian/copyright: update for new release + + -- Henrique de Moraes Holschuh Sat, 19 May 2018 13:51:06 -0300 + +amd64-microcode (3.20171205.2) unstable; urgency=medium + + * debian/control: update Vcs-* fields for salsa.debian.org + + -- Henrique de Moraes Holschuh Fri, 04 May 2018 07:51:40 -0300 + +amd64-microcode (3.20171205.1) unstable; urgency=high + + * New microcode updates (closes: #886382): +sig 0x00800f12, patch id 0x08001213, 2017-12-05 +Thanks to SuSE for distributing these ahead of AMD's official release! + * Add IBPB support for family 17h AMD processors (CVE-2017-5715) + * README: describe source for faml17h microcode update + * Upload to unstable to match IBPB microcode support on Intel in Debian +unstable. + * WARNING: requires at least kernel 4.15, 4.14.13, 4.9.76, 4.4.111 (or a +backport of commit f4e9b7af0cd58dd039a0fb2cd67d57cea4889abf +"x86/microcode/AMD: Add support for fam17h microcode loading") otherwise +it will not be applied to the processor. + + -- Henrique de Moraes Holschuh Mon, 08 Jan 2018
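
Review bot: in the new top entry (3.20181128.1~deb9u1), the parenthetical "(since version 3.20180515.1)" does not match the entries below it. The identical line "Add IBPB support for family 17h AMD processors (CVE-2017-5715)" is recorded under 3.20171205.1, while 3.20180515.1 is where "Spectre v2 (CVE-2017-5715) microcode-based mitigation support" appears; cite the version that matches the claim or drop the parenthetical. The top entry should also carry forward the 3.20171205.1 WARNING about the minimum kernel (4.15, 4.14.13, 4.9.76, 4.4.111, or a backport of commit f4e9b7af0cd58dd039a0fb2cd67d57cea4889abf), because without it the family 17h update "will not be applied to the processor" and a stretch user reading only the newest entry would not learn that the fix depends on the running kernel. It is also worth repeating the 3.20180524.1 caveat that sig 0x00610f01 gets no Spectre-v2 mitigation, so the urgency=high entry does not read as covering every processor the package serves.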