Univention Bugzilla – Bug 47543
intel-microcode: Multiple issues (4.2)
Last modified: 2018-08-15 16:20:34 CEST
New Debian intel-microcode 3.20180703.2~deb8u1 fixes:

This update addresses the following issue(s):

* Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (CVE-2018-3639)
* Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis, aka Rogue System Register Read (RSRE), Variant 3a. (CVE-2018-3640)

3.20180703.2~deb8u1 (Fri, 27 Jul 2018 05:30:17 +0200)
  * Non-maintainer upload by the LTS team.
  * Rebuild for jessie-security (no changes)

3.20180703.1 (Thu, 05 Jul 2018 10:03:53 -0300)
  * New upstream microcode data file 20180703
    + Updated Microcodes:
      sig 0x000206d6, pf_mask 0x6d, 2018-05-08, rev 0x061d, size 18432
      sig 0x000206d7, pf_mask 0x6d, 2018-05-08, rev 0x0714, size 19456
      sig 0x000306e4, pf_mask 0xed, 2018-04-25, rev 0x042d, size 15360
      sig 0x000306e7, pf_mask 0xed, 2018-04-25, rev 0x0714, size 17408
      sig 0x000306f2, pf_mask 0x6f, 2018-04-20, rev 0x003d, size 33792
      sig 0x000306f4, pf_mask 0x80, 2018-04-20, rev 0x0012, size 17408
      sig 0x000406f1, pf_mask 0xef, 2018-04-19, rev 0xb00002e, size 28672
      sig 0x00050654, pf_mask 0xb7, 2018-05-15, rev 0x200004d, size 31744
      sig 0x00050665, pf_mask 0x10, 2018-04-20, rev 0xe00000a, size 18432
    + First batch of fixes for: Intel SA-00115, CVE-2018-3639, CVE-2018-3640
    + SSBD support (Spectre-v4 mitigation) and fix Spectre-v3a for:
      Sandybridge server, Ivy Bridge server, Haswell server, Skylake server,
      Broadwell server, a few HEDT Core i7/i9 models that are actually gimped
      server dies.
  * source: update symlinks to reflect id of the latest release, 20180703

* CVE-2018-3639 hw: cpu: speculative store bypass (CVE-2018-3639)
* CVE-2018-3640 hw: cpu: speculative register load (CVE-2018-3640)
Debian is missing the i386 package: <https://packages.debian.org/jessie/intel-microcode>

As the build is reproducible, I re-build the package manually on omar:

  dpkg-source -x /mnt/build-storage/upstream/debian-security/pool/updates/non-free/i/intel-microcode/intel-microcode_3.20180703.2~deb8u1.dsc
  cd intel-microcode-3.20180703.2~deb8u1
  pdebuild --architecture i386 --debbuildopts -B --use-pdebuild-internal -- --basetgz /var/univention/buildsystem2/pbuilder/ucs_4.2-0-errata4.2-4.tgz
  mv ../intel-microcode_3.20180703.2~deb8u1_i386.deb /var/univention/buildsystem2/apt/ucs_4.2-0-errata4.2-4/i386/
  repo-apt-ftparchive --release ucs_4.2-0-errata4.2-4 --arch i386
--- mirror/ftp/4.2/unmaintained/4.2-4/source/intel-microcode_3.20180425.1.dsc +++ apt/ucs_4.2-0-errata4.2-4/source/intel-microcode_3.20180703.2~deb8u1.dsc 
@@ -1,3 +1,37 @@ +3.20180703.2~deb8u1 [Fri, 27 Jul 2018 05:30:17 +0200] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Rebuild for jessie-security (no changes) + +3.20180703.2 [Thu, 05 Jul 2018 14:26:36 -0300] Henrique de Moraes Holschuh <hmh@debian.org>: + + * source: fix badly named symlink that resulted in most microcode + updates not being shipped in the binary package. Oops! + +3.20180703.1 [Thu, 05 Jul 2018 10:03:53 -0300] Henrique de Moraes Holschuh <hmh@debian.org>: + + * New upstream microcode data file 20180703 (closes: #903018) + + Updated Microcodes: + sig 0x000206d6, pf_mask 0x6d, 2018-05-08, rev 0x061d, size 18432 + sig 0x000206d7, pf_mask 0x6d, 2018-05-08, rev 0x0714, size 19456 + sig 0x000306e4, pf_mask 0xed, 2018-04-25, rev 0x042d, size 15360 + sig 0x000306e7, pf_mask 0xed, 2018-04-25, rev 0x0714, size 17408 + sig 0x000306f2, pf_mask 0x6f, 2018-04-20, rev 0x003d, size 33792 + sig 0x000306f4, pf_mask 0x80, 2018-04-20, rev 0x0012, size 17408 + sig 0x000406f1, pf_mask 0xef, 2018-04-19, rev 0xb00002e, size 28672 + sig 0x00050654, pf_mask 0xb7, 2018-05-15, rev 0x200004d, size 31744 + sig 0x00050665, pf_mask 0x10, 2018-04-20, rev 0xe00000a, size 18432 + + First batch of fixes for: Intel SA-00115, CVE-2018-3639, CVE-2018-3640 + + SSBD support (Spectre-v4 mitigation) and fix Spectre-v3a for: + Sandybridge server, Ivy Bridge server, Haswell server, Skylake server, + Broadwell server, a few HEDT Core i7/i9 models that are actually gimped + server dies. + * source: update symlinks to reflect id of the latest release, 20180703 + +3.20180425.1~bpo8+1 [Thu, 03 May 2018 23:06:51 -0300] Henrique de Moraes Holschuh <hmh@debian.org>: + + * Rebuild for jessie-backports-sloppy (no changes) + 3.20180425.1 [Wed, 02 May 2018 16:48:44 -0300] Henrique de Moraes Holschuh <hmh@debian.org>: * New upstream microcode data file 20180425 (closes: #897443, #895878) <http://10.200.17.11/4.2-4/#7177476282043659402>
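Review bot: the 3.20180703.2 entry in this hunk ("source: fix badly named symlink that resulted in most microcode updates not being shipped in the binary package. Oops!") is what makes the Updated Microcodes list under 3.20180703.1 actually land in the .deb, yet the bug description above quotes only the 3.20180703.1 and deb8u1 entries. Either carry that line into the erratum text or, before release, confirm with `iucode-tool -l` on the built package that each signature listed in the hunk (0x000206d6 through 0x00050665) is present at the stated revision.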
OK: yaml
OK: errata-announce
OK: patch
OK: piuparts

[4.2-4] 967d74fbe6 Bug #47543: intel-microcode 3.20180703.2~deb8u1
 doc/errata/staging/intel-microcode.yaml | 3 ---
 1 file changed, 3 deletions(-)

[4.2-4] b049cda2f0 Bug #47543: intel-microcode 3.20180703.2~deb8u1
 doc/errata/staging/intel-microcode.yaml | 3 +++
 1 file changed, 3 insertions(+)

[4.2-4] e2e579074b Bug #47543: intel-microcode 3.20180703.2~deb8u1
 doc/errata/staging/intel-microcode.yaml | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

[4.2-4] 4e32864432 Bug #47543: intel-microcode 3.20180703.2~deb8u1
 doc/errata/staging/intel-microcode.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
(In reply to Philipp Hahn from comment #1)
> Debian is missing the i386 package:
> <https://packages.debian.org/jessie/intel-microcode>
>
> As the build is reproducible, I re-build the package manually on omar:
>   dpkg-source -x /mnt/build-storage/upstream/debian-security/pool/updates/non-free/i/intel-microcode/intel-microcode_3.20180703.2~deb8u1.dsc
>   cd intel-microcode-3.20180703.2~deb8u1
>   pdebuild --architecture i386 --debbuildopts -B --use-pdebuild-internal -- --basetgz /var/univention/buildsystem2/pbuilder/ucs_4.2-0-errata4.2-4.tgz
>   mv ../intel-microcode_3.20180703.2~deb8u1_i386.deb /var/univention/buildsystem2/apt/ucs_4.2-0-errata4.2-4/i386/
>   repo-apt-ftparchive --release ucs_4.2-0-errata4.2-4 --arch i386

The package does not build reproducibly:

  $ md5sum upstream/debian-security/pool/updates/non-free/i/intel-microcode/intel-microcode_3.20180703.2~deb8u1_i386.deb buildsystem/apt/ucs_4.2-0-errata4.2-4/i386/intel-microcode_3.20180703.2~deb8u1_i386.deb
  be7853968a3a1c4df7955300121274a3  upstream/debian-security/pool/updates/non-free/i/intel-microcode/intel-microcode_3.20180703.2~deb8u1_i386.deb
  8d53c87cedc708bafbbd92571dc70679  buildsystem/apt/ucs_4.2-0-errata4.2-4/i386/intel-microcode_3.20180703.2~deb8u1_i386.deb

I contacted Markus Koschany from Debian and he uploaded the missing binary. I replaced my build with it:

  cp upstream/debian-security/pool/updates/non-free/i/intel-microcode/intel-microcode_3.20180703.2~deb8u1_i386.deb buildsystem/apt/ucs_4.2-0-errata4.2-4/i386/intel-microcode_3.20180703.2~deb8u1_i386.deb
  repo-apt-ftparchive --release ucs_4.2-0-errata4.2-4 --arch i386 --stat
  grep be7853968a3a1c4df7955300121274a3 buildsystem/apt/ucs_4.2-0-errata4.2-4/i386/Packages
FYI: <https://downloadcenter.intel.com/search?keyword=linux+microcode> lists 2018-07-03 as the latest version, which is what this update provides. But it does not seem to include all updates from <https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf>, as for example my test system with "Sandy Bridge" still lists µCode 0x2D instead of 0x2E:

  # iucode-tool -S
  iucode-tool: system has processor(s) with signature 0x000206a7
  # sed -ne '/microcode/p;/^$/q' /proc/cpuinfo
  microcode : 0x2d

/usr/share/doc/intel-microcode/changelog.Debian.gz explicitly talks about "Sandybridge server", so I guess that no µCode update is included for this desktop CPU and we are still at 3.20180312.1 for that CPU.
Intel already provides the next update 2018-08-07: <https://downloadcenter.intel.com/download/28039/Linux-Processor-Microcode-Data-File>
Maybe for CVE-2018-3646 (AKA Foreshadow)?

(In reply to Philipp Hahn from comment #5)
> FYI: <https://downloadcenter.intel.com/search?keyword=linux+microcode> lists
> 2018-07-03 as the latest version, which is what this update provides. But it
> does not seem to include all updates from
> <https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf>,
> as for example my test system with "Sandy Bridge" still lists µCode 0x2D
> instead of 0x2E

That update is now included:

> SNB D2 6-2a-7/12 0000002d->0000002e Core Gen2; Xeon E3

  # sed -ne '/microcode/p;/^$/q' /proc/cpuinfo
  microcode : 0x2d
  # cp intel-ucode/* /lib/firmware/intel-ucode/
  # echo 1 > /sys/devices/system/cpu/microcode/reload
  # sed -ne '/microcode/p;/^$/q' /proc/cpuinfo
  microcode : 0x2e

As discussed we will release the current verified version and do another erratum when Debian provides a new package.
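The check the comments above do by hand (iucode-tool -S for the CPU signature, /proc/cpuinfo for the running revision, the Debian changelog for what the package ships) as a small Python script. This is an added example, not code from the bug report or the intel-microcode package: the changelog lines are three of those quoted on this page plus one constructed 0x000206a7 entry for the desktop Sandy Bridge case, and the /proc/cpuinfo excerpt is constructed to match the test system described above.

```python
import re

# Constructed sample in the layout of a Debian intel-microcode changelog
# "Updated Microcodes" block; these three lines are copied from the 20180703 entry.
CHANGELOG_20180703 = """\
sig 0x000206d6, pf_mask 0x6d, 2018-05-08, rev 0x061d, size 18432
sig 0x000206d7, pf_mask 0x6d, 2018-05-08, rev 0x0714, size 19456
sig 0x000306e4, pf_mask 0xed, 2018-04-25, rev 0x042d, size 15360
"""
# Constructed entry for the desktop Sandy Bridge (6-2a-7, 0x2d -> 0x2e as quoted in
# the bug); pf_mask, date and size are placeholders, not from a real changelog.
CHANGELOG_20180807 = CHANGELOG_20180703 + "sig 0x000206a7, pf_mask 0x12, 2018-01-01, rev 0x002e, size 0\n"

# Constructed /proc/cpuinfo excerpt matching the bug's test system
# (cpu family 6, model 42 = 0x2a, stepping 7; running microcode 0x2d).
CPUINFO = "cpu family\t: 6\nmodel\t\t: 42\nstepping\t: 7\nmicrocode\t: 0x2d\n"

SIG_RE = re.compile(r"sig (0x[0-9a-f]+), pf_mask (0x[0-9a-f]+), \S+, rev (0x[0-9a-f]+)")

def parse_updates(changelog):
    """Map each CPUID signature in an 'Updated Microcodes' block to its revision."""
    return {int(m.group(1), 16): int(m.group(3), 16) for m in SIG_RE.finditer(changelog)}

def cpuid_signature(family, model, stepping):
    """Rebuild the CPUID(1).EAX signature printed by iucode-tool -S. /proc/cpuinfo
    folds extended family/model into 'cpu family'/'model'; split them back out."""
    ext_family, base_family = (family - 0xF, 0xF) if family >= 0xF else (0, family)
    return ((ext_family << 20) | ((model >> 4) << 16) | (base_family << 8)
            | ((model & 0xF) << 4) | stepping)

def parse_cpuinfo(text):
    """Return (signature, running microcode revision) from a /proc/cpuinfo excerpt."""
    f = dict(re.findall(r"^([^\t:]+?)\s*:\s*(.+)$", text, re.M))
    sig = cpuid_signature(int(f["cpu family"]), int(f["model"]), int(f["stepping"]))
    return sig, int(f["microcode"], 16)

def check_cpu(cpuinfo, changelog):
    """Compare the running revision with what a release ships for this signature."""
    sig, running = parse_cpuinfo(cpuinfo)
    shipped = parse_updates(changelog).get(sig)
    if shipped is None:
        status = "not covered"      # comment #5: release has no update for this CPU
    elif running < shipped:
        status = "update pending"   # newer revision shipped; reload or reboot needed
    else:
        status = "up to date"
    return sig, running, shipped, status
```

Against the 20180703 list the 0x206a7 desktop CPU reports "not covered", which is the situation comment #5 describes; against the list with the 20180807 entry it reports "update pending" until the microcode is reloaded as shown above.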
<http://errata.software-univention.de/ucs/4.2/456.html>