Bug#1068084: bookworm-pu: package intel-microcode/3.20240312.1~deb12u1

2024-04-03 Thread Henrique de Moraes Holschuh
Uploaded.

On Mon, Apr 1, 2024, at 08:48, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
>
> On Sat, Mar 30, 2024 at 07:47:05AM -0300, Henrique de Moraes Holschuh wrote:
>> As requested by the security team, I would like to bring the microcode
>> update level for Intel processors in Bullseye and Bookworm to match what
>> we have in Sid and Trixie.  This is the bug report for Bookworm, a
>> separate one will be filed for Bullseye.
>
> Please go ahead.
>
> Thanks,
>
> -- 
> Jonathan Wiltshire  j...@debian.org
> Debian Developer http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

-- 
  Henrique de Moraes Holschuh 



Processed: Re: Bug#1068084: bookworm-pu: package intel-microcode/3.20240312.1~deb12u1

2024-04-01 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #1068084 [release.debian.org] bookworm-pu: package intel-microcode/3.20240312.1~deb12u1
Added tag(s) confirmed.

-- 
1068084: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068084
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1068084: bookworm-pu: package intel-microcode/3.20240312.1~deb12u1

2024-04-01 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Sat, Mar 30, 2024 at 07:47:05AM -0300, Henrique de Moraes Holschuh wrote:
> As requested by the security team, I would like to bring the microcode
> update level for Intel processors in Bullseye and Bookworm to match what
> we have in Sid and Trixie.  This is the bug report for Bookworm, a
> separate one will be filed for Bullseye.

Please go ahead.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1068084: bookworm-pu: package intel-microcode/3.20240312.1~deb12u1

2024-03-30 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]

As requested by the security team, I would like to bring the microcode
update level for Intel processors in Bullseye and Bookworm to match what
we have in Sid and Trixie.  This is the bug report for Bookworm, a
separate one will be filed for Bullseye.

This fixes:
* Several CVEs in many Intel processors
  - Mitigations for INTEL-SA-INTEL-SA-00972 (CVE-2023-39368)
  - Mitigations for INTEL-SA-INTEL-SA-00982 (CVE-2023-38575)
  - Mitigations for INTEL-SA-INTEL-SA-00898 (CVE-2023-28746), aka RFDS
  - Mitigations for INTEL-SA-INTEL-SA-00960 (CVE-2023-22655), aka TECRA
  - Mitigations for INTEL-SA-INTEL-SA-01045 (CVE-2023-43490)
* Other unspecified functional issues on many processors

There are no relevant issues reported on this microcode update,
considering the version of intel-microcode already available as security
updates for bookworm and bullseye.

[ Impact ]

If this update is not approved, owners of most recent "client" Intel
processors and a few server processors will depend on UEFI updates to be
protected against RFDS as well as the other issues listed above.

[ Tests ]

There were no bug reports from users of Debian sid or Trixie; these
packages have been tested there since 2024-03-13 (sid) and 2024-03-18
(trixie).

[ Risks ]

Unknown, but not believed to be any different from other Intel microcode
updates.

Linux kernel updates related to the RFDS microcode update fixes are
either already available in Bookworm and Bullseye, or have already been
requested as spu's.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

As per the debdiff, only documentation changes, package documentation
changes, and the binary blob change from upstream.

Diffstat:
 b/changelog|   77 +++
 b/debian/changelog |   88 
 b/intel-ucode/06-55-03 |binary
 b/intel-ucode/06-55-06 |binary
 b/intel-ucode/06-55-07 |binary
 b/intel-ucode/06-55-0b |binary
 b/intel-ucode/06-56-05 |binary
 b/intel-ucode/06-5f-01 |binary
 b/intel-ucode/06-6a-06 |binary
 b/intel-ucode/06-6c-01 |binary
 b/intel-ucode/06-7a-01 |binary
 b/intel-ucode/06-7a-08 |binary
 b/intel-ucode/06-7e-05 |binary
 b/intel-ucode/06-8c-01 |binary
 b/intel-ucode/06-8c-02 |binary
 b/intel-ucode/06-8d-01 |binary
 b/intel-ucode/06-8e-0c |binary
 b/intel-ucode/06-8f-05 |binary
 b/intel-ucode/06-8f-06 |binary
 b/intel-ucode/06-8f-07 |binary
 b/intel-ucode/06-8f-08 |binary
 b/intel-ucode/06-96-01 |binary
 b/intel-ucode/06-97-02 |binary
 b/intel-ucode/06-97-05 |binary
 b/intel-ucode/06-9a-03 |binary
 b/intel-ucode/06-9a-04 |binary
 b/intel-ucode/06-9c-00 |binary
 b/intel-ucode/06-9e-09 |binary
 b/intel-ucode/06-9e-0a |binary
 b/intel-ucode/06-9e-0c |binary
 b/intel-ucode/06-9e-0d |binary
 b/intel-ucode/06-a5-02 |binary
 b/intel-ucode/06-a5-03 |binary
 b/intel-ucode/06-a5-05 |binary
 b/intel-ucode/06-a6-00 |binary
 b/intel-ucode/06-a6-01 |binary
 b/intel-ucode/06-a7-01 |binary
 b/intel-ucode/06-aa-04 |binary
 b/intel-ucode/06-b7-01 |binary
 b/intel-ucode/06-ba-02 |binary
 b/intel-ucode/06-ba-03 |binary
 b/intel-ucode/06-ba-08 |binary
 b/intel-ucode/06-be-00 |binary
 b/intel-ucode/06-bf-02 |binary
 b/intel-ucode/06-bf-05 |binary
 b/intel-ucode/06-cf-01 |binary
 b/intel-ucode/06-cf-02 |binary
 b/releasenote.md   |   96 +
 49 files changed, 261 insertions(+)

[ Other info ]

The package version with "~" is needed to guarantee smooth updates to
the next debian release.

-- 
  Henrique Holschuh
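The RFDS protection described under [ Impact ] and [ Risks ] arrives in two halves: the microcode revision this update ships, and the kernel update that makes use of the enhanced VERW behaviour. The script below is an added example, not part of this bug report or of the intel-microcode package, that lets an administrator check both halves on a Bookworm host: it reads the loaded microcode revision from /proc/cpuinfo and the kernel's verdict from /sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling. The status strings it matches follow the kernel's reg-file-data-sampling documentation (an assumption of the example, not something the report states); the sample /proc/cpuinfo and sysfs contents are constructed, with model 154 / stepping 3 chosen to match signature 06-9a-03 from the diffstat and 0x1234 as a placeholder revision, not a real one.

```bash
#!/bin/bash
# Added example, not part of the bug report or of the intel-microcode package.
# Checks the two halves of the RFDS (CVE-2023-28746) mitigation on a Debian
# host: the loaded microcode revision (from this update) and the kernel's
# verdict (from the matching kernel update).
set -u

SYSFS_RFDS=/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling

# Print family/model/stepping and the loaded microcode revision for the first
# processor entry in a /proc/cpuinfo-style file.
cpu_identity() {
    local cpuinfo="${1:-/proc/cpuinfo}"
    awk -F': *' '
        /^cpu family/         { fam = $2 }
        /^model[[:space:]]*:/ { model = $2 }       # not "model name"
        /^stepping/           { step = $2 }
        /^microcode/          { ucode = $2; exit } # first core is enough
        END { printf "family=%s model=%s stepping=%s microcode=%s\n",
                     fam, model, step, ucode }
    ' "$cpuinfo"
}

# Classify the kernel's RFDS status line into a short token. The wording of
# the status strings follows the kernel's reg-file-data-sampling
# documentation (an assumption of this example).
rfds_status() {
    local sysfs="${1:-$SYSFS_RFDS}" line=""
    if [ ! -r "$sysfs" ]; then
        # The kernel does not report RFDS at all: the related kernel update
        # mentioned under [ Risks ] is not installed, so the microcode
        # revision alone cannot tell whether the host is protected.
        echo "kernel-lacks-rfds-reporting"
        return 0
    fi
    IFS= read -r line < "$sysfs" || true
    case "$line" in
        "Not affected")                    echo "not-affected" ;;
        "Mitigation: Clear Register File") echo "mitigated" ;;
        "Vulnerable: No microcode")        echo "microcode-missing" ;;
        Vulnerable*)                       echo "vulnerable" ;;
        Unknown*)                          echo "unknown" ;;
        *)                                 echo "unrecognised: $line" ;;
    esac
}

# Constructed sample input so the checks run offline. Model 154 / stepping 3
# is signature 06-9a-03 from the diffstat; revision 0x1234 is a placeholder,
# not a real microcode revision.
demo_dir=$(mktemp -d)
printf 'processor\t: 0\ncpu family\t: 6\nmodel\t\t: 154\nmodel name\t: constructed sample\nstepping\t: 3\nmicrocode\t: 0x1234\n' \
    > "$demo_dir/cpuinfo"
printf 'Vulnerable: No microcode\n'        > "$demo_dir/rfds_before"
printf 'Mitigation: Clear Register File\n' > "$demo_dir/rfds_after"

# With --live, query the running kernel; otherwise walk the constructed samples.
if [ "${1:-}" = "--live" ]; then
    cpu_identity
    echo "rfds: $(rfds_status)"
else
    cpu_identity "$demo_dir/cpuinfo"
    echo "rfds before microcode update: $(rfds_status "$demo_dir/rfds_before")"
    echo "rfds after microcode update:  $(rfds_status "$demo_dir/rfds_after")"
fi
```

Run with --live on a real host. A result of "microcode-missing" after installing the package usually means the new revision has not been loaded yet (early microcode loading takes effect on the next boot), while "kernel-lacks-rfds-reporting" points at the kernel side of the fix rather than at the microcode.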
diff --git a/changelog b/changelog
index cbf9f66..fe44e7e 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,80 @@
+2024-03-12:
+  * New upstream microcode datafile 20240312
+- Mitigations for INTEL-SA-INTEL-SA-00972 (CVE-2023-39368):
+  Protection mechanism failure of bus lock regulator for some Intel
+  Processors may allow an unauthenticated user to potentially enable
+  denial of service via network access.
+- Mitigations for INTEL-SA-INTEL-SA-00982 (CVE-2023-38575):
+  Non-transparent sharing of return predictor targets between contexts in
+  some Intel Processors may allow an authorized user to potentially
+  enable information disclosure via local access.  Affects SGX as well.
+- Mitigations for INTEL-SA-INTEL-SA-00898 (CVE-2023-28746), aka RFDS:
+  Information exposure through microarchitectural state after transient
+  execution from some register files for some Intel Atom Processors and
+  E-cores of Intel Core Processors may allow an authenticated user to
+  potentially enable information disclosure via local access.  Enhances
+  VERW instruction to clear stale register buffers.
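Review bot: the advisory identifiers in this changelog hunk carry a doubled prefix, "INTEL-SA-INTEL-SA-00972", "INTEL-SA-INTEL-SA-00982" and "INTEL-SA-INTEL-SA-00898"; Intel's advisory numbering uses a single "INTEL-SA-" prefix, so these should read "INTEL-SA-00972 (CVE-2023-39368)" and likewise for the other two entries, otherwise anyone searching the changelog for the advisory number will miss them.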