Bug 46489 - intel-microcode: Spectre Variant 2: branch target injection [BTI] (4.3)
Status: CLOSED WORKSFORME
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
Other Linux
Importance: P5 normal
Assigned To: Philipp Hahn
UCS maintainers
https://etherpad-lite.knut.univention...
Depends on:
Blocks: 46982
Reported: 2018-03-05 13:33 CET by Philipp Hahn
Modified: 2019-04-11 19:24 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)

Description Philipp Hahn univentionstaff 2018-03-05 13:33:59 CET
CVE-2017-5715 hw: cpu: speculative execution branch target injection

Operating systems like Windows running as a VM in Qemu might need the new IBRS/IBPB features to protect themselves from hostile user level processes. (Linux does not need it when compiled with Retpoline).
We should provide an updated package "intel-microcode".

- Debian packaged 2018-01-08, which was later recalled by Intel.

- Currently Debian does not have a newer version prepared: <https://packages.debian.org/search?keywords=intel-microcode&searchon=sourcenames&suite=all&section=all>

- There is 2018-03 from Intel: <https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf>

The µCode update by itself is not enough; Qemu (and libvirt and maybe UVMM) also need an update:
* <https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/>
* <https://www.qemu.org/2018/01/04/spectre/>
* <https://usn.ubuntu.com/usn/usn-3560-1/>
* <https://usn.ubuntu.com/usn/usn-3561-1/>
This should be done by a separate bug.

Also see Bug #45064 for another issue requiring a µCode update.
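An added host-side check (example code written for this page, not code from the bug report or from Univention): it parses /proc/cpuinfo-style text for the spec_ctrl and ibpb flags that the updated microcode is supposed to expose, prints the microcode revision so it can be compared with the installed package, and, where the kernel provides it, the sysfs spectre_v2 verdict. The two cpuinfo excerpts and their revision values are constructed samples, and the sysfs file is assumed to exist only on kernels that carry the Spectre patches. The script checks the host only; whether a guest sees the flags depends on the Qemu/libvirt CPU model, which the description says needs a separate update.

```shell
#!/bin/sh
# Added example, not from the bug report: decide from /proc/cpuinfo-style
# text whether the CPU exposes the IBRS/IBPB flags (spec_ctrl, ibpb) that
# the Spectre v2 microcode update provides, and print the microcode
# revision so it can be compared against the installed package.

# Constructed sample cpuinfo excerpts (hypothetical revisions, not from the page).
SAMPLE_OLD='vendor_id   : GenuineIntel
microcode   : 0x3a
flags       : fpu vme de pse tsc msr pae mce cx8 sep'
SAMPLE_NEW='vendor_id   : GenuineIntel
microcode   : 0x3c
flags       : fpu vme de pse tsc msr pae mce cx8 sep spec_ctrl ibpb stibp'

# has_flag TEXT FLAG: succeeds if FLAG appears as a whole word on a flags line
has_flag() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^flags/ { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# microcode_rev TEXT: prints the value of the first "microcode" field
microcode_rev() {
    printf '%s\n' "$1" | awk -F': *' '/^microcode/ { print $2; exit }'
}

# spectre_v2_hw TEXT: "ibrs-ibpb-available" when both flags are present, else "missing"
spectre_v2_hw() {
    if has_flag "$1" spec_ctrl && has_flag "$1" ibpb; then
        echo ibrs-ibpb-available
    else
        echo missing
    fi
}

# check_host: run the checks on the live host if /proc/cpuinfo is readable,
# otherwise on the constructed sample; also show the kernel's own verdict
# from sysfs when that file exists (assumption: newer, patched kernels only).
check_host() {
    if [ -r /proc/cpuinfo ]; then
        text=$(cat /proc/cpuinfo)
    else
        text=$SAMPLE_NEW
    fi
    printf 'microcode revision: %s\n' "$(microcode_rev "$text")"
    printf 'IBRS/IBPB flags:    %s\n' "$(spectre_v2_hw "$text")"
    sysfs=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$sysfs" ]; then
        printf 'kernel reports:     %s\n' "$(cat "$sysfs")"
    fi
    return 0
}

check_host
```

Compare the printed revision with the one shipped by the intel-microcode package (the package changelog lists the revision per CPU signature); "missing" on a host that already has the package installed usually means the CPU model is not covered by that microcode release or the host has not been rebooted since the update.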
Comment 1 Arvid Requate univentionstaff 2018-05-16 18:31:18 CEST
Probably not required any more?

==============================================================================
root@backup11:~# apt-cache policy intel-microcode
intel-microcode:
  Installiert:           3.20180425.1
  Installationskandidat: 3.20180425.1
  Versionstabelle:
 *** 3.20180425.1 500
        500 http://updates.software-univention.de/4.2/maintained 4.2-4/amd64/ Packages
        100 /var/lib/dpkg/status
     3.20170707.1~deb9u1 500
        500 http://updates.software-univention.de/4.3/maintained 4.3-0/amd64/ Packages
==============================================================================
Comment 2 Philipp Hahn univentionstaff 2018-08-13 13:18:00 CEST
According to <http://xen1.knut.univention.de:8000/packages/source/intel-microcode/> we already released at least 2017-07-07 for UCS-4.2 and UCS-4.3:

3.20180425.1	4.2-3/errata, 4.2-4
3.20170707.1~deb9u1	4.3-0

3.20180703.2 is currently in the pipeline.