Bug 50488 - intel-microcode: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.4
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-2-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Reported: 2019-11-13 10:20 CET by Quality Assurance
Modified: 2019-11-13 16:04 CET
What kind of report is it?: Security Issue
Max CVSS v3 score: 6.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)


Description Quality Assurance univentionstaff 2019-11-13 10:20:48 CET
New Debian intel-microcode 3.20191112.1~deb9u1 fixes:
This update addresses the following issues:
* TSX Transaction Asynchronous Abort (TAA) (CVE-2019-11135)
* voltage modulation technical advisory (CVE-2019-11139)
Comment 1 Quality Assurance univentionstaff 2019-11-13 12:04:21 CET
--- mirror/ftp/4.4/unmaintained/4.4-1/source/intel-microcode_3.20190618.1~deb9u1.dsc
+++ apt/ucs_4.4-0-errata4.4-2/source/intel-microcode_3.20191112.1~deb9u1.dsc
@@ -1,3 +1,69 @@
+3.20191112.1~deb9u1 [Wed, 13 Nov 2019 00:02:12 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Rebuild for stretch-security (no changes)
+  * Refer to DSA-4565-1 for details.
+
+3.20191112.1 [Tue, 12 Nov 2019 23:21:54 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode datafile 20191112
+    + SECURITY UPDATE
+      - Implements MDS mitigation (TSX TAA), INTEL-SA-00270, CVE-2019-11135
+      - Implements TA Indirect Sharing mitigation, and improves the
+        MDS mitigation (VERW)
+      - Fixes FIVR (Xeon Voltage Modulation) vulnerability, INTEL-SA-00271,
+        CVE-2019-11139
+      - Fixes SGX vulnerabilities and errata (including CVE-2019-0117)
+    + CRITICAL ERRATA FIXES
+      - Fixes Jcc conditional jump macro-fusion erratum (Skylake+, except
+        Ice Lake), causes a 0-3% typical perforance hit (can be as bad
+        as 10%).  But ensures the processor will actually jump where it
+        should, so don't even *dream* of not applying this fix.
+      - Fixes AVX SHUF* instruction implementation flaw erratum
+    + Removed Microcodes:
+      sig 0x000906ec, pf_mask 0x22, 2019-02-14, rev 0x00ae, size 98304
+    + New Microcodes:
+      sig 0x000406d8, pf_mask 0x01, 2019-09-16, rev 0x012d, size 84992
+      sig 0x00050656, pf_mask 0xbf, 2019-09-05, rev 0x400002c, size 51200
+      sig 0x00060663, pf_mask 0x80, 2018-04-17, rev 0x002a, size 87040
+      sig 0x000706a8, pf_mask 0x01, 2019-08-29, rev 0x0016, size 74752
+      sig 0x000706e5, pf_mask 0x80, 2019-09-05, rev 0x0046, size 102400
+      sig 0x000a0660, pf_mask 0x80, 2019-08-27, rev 0x00c6, size 91136
+    + Updated Microcodes:
+      sig 0x000406e3, pf_mask 0xc0, 2019-08-14, rev 0x00d4, size 101376
+      sig 0x00050654, pf_mask 0xb7, 2019-09-05, rev 0x2000065, size 34816
+      sig 0x00050657, pf_mask 0xbf, 2019-09-05, rev 0x500002c, size 51200
+      sig 0x000506e3, pf_mask 0x36, 2019-08-14, rev 0x00d4, size 101376
+      sig 0x000706a1, pf_mask 0x01, 2019-08-28, rev 0x0032, size 73728
+      sig 0x000806e9, pf_mask 0x10, 2019-08-14, rev 0x00c6, size 99328
+      sig 0x000806e9, pf_mask 0xc0, 2019-08-14, rev 0x00c6, size 100352
+      sig 0x000806ea, pf_mask 0xc0, 2019-08-14, rev 0x00c6, size 99328
+      sig 0x000806eb, pf_mask 0xd0, 2019-08-14, rev 0x00c6, size 100352
+      sig 0x000806ec, pf_mask 0x94, 2019-08-14, rev 0x00c6, size 100352
+      sig 0x000906e9, pf_mask 0x2a, 2019-08-14, rev 0x00c6, size 100352
+      sig 0x000906ea, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328
+      sig 0x000906eb, pf_mask 0x02, 2019-08-14, rev 0x00c6, size 100352
+      sig 0x000906ed, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328
+    + Updated Microcodes (previously removed):
+      sig 0x00050653, pf_mask 0x97, 2019-09-09, rev 0x1000151, size 32768
+
+3.20190918.1 [Thu, 19 Sep 2019 00:38:50 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode datafile 20190918
+    + SECURITY UPDATE
+      *Might* contain mitigations for INTEL-SA-00247 (RAMBleed), given
+      the set of processors being updated.
+    + Updated Microcodes:
+      sig 0x000306d4, pf_mask 0xc0, 2019-06-13, rev 0x002e, size 19456
+      sig 0x000306f4, pf_mask 0x80, 2019-06-17, rev 0x0016, size 18432
+      sig 0x00040671, pf_mask 0x22, 2019-06-13, rev 0x0021, size 14336
+      sig 0x000406f1, pf_mask 0xef, 2019-06-18, rev 0xb000038, size 30720
+      sig 0x00050654, pf_mask 0xb7, 2019-07-31, rev 0x2000064, size 33792
+      sig 0x00050657, pf_mask 0xbf, 2019-08-12, rev 0x500002b, size 51200
+      sig 0x00050662, pf_mask 0x10, 2019-06-17, rev 0x001c, size 32768
+      sig 0x00050663, pf_mask 0x10, 2019-06-17, rev 0x7000019, size 24576
+      sig 0x00050664, pf_mask 0x10, 2019-06-17, rev 0xf000017, size 24576
+      sig 0x00050665, pf_mask 0x10, 2019-06-17, rev 0xe00000f, size 19456
+
 3.20190618.1~deb9u1 [Wed, 19 Jun 2019 09:27:39 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
 
   * Rebuild for stretch-security (no changes)
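Review bot: The SGX line in the 3.20191112.1 entry names CVE-2019-0117, and the 3.20190918.1 entry says it *might* carry mitigations for INTEL-SA-00247, but the bug description lists only CVE-2019-11135 and CVE-2019-11139. Because this update moves from 3.20190618.1~deb9u1 past 3.20190918.1 to 3.20191112.1~deb9u1, the erratum text should either list CVE-2019-0117 as well or say why it is left out, and it should mention that the intermediate 3.20190918.1 microcode set is included. Minor: "perforance" in the Jcc erratum line should read "performance".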

<http://10.200.17.11/4.4-2/#3591732912185003196>
Comment 2 Philipp Hahn univentionstaff 2019-11-13 12:39:47 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

OK: grep . /sys/devices/system/cpu/vulnerabilities/*
OK: dmesg

[4.4-2] 21efa64d22 Bug #50486: linux 4.9.189-3+deb9u2 Bug #50488: intel-microcode 3.20191112.1~deb9u1
 doc/errata/staging/intel-microcode.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

[4.4-2] 2b982f4311 Bug #50488: intel-microcode 3.20191112.1~deb9u1
 doc/errata/staging/intel-microcode.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
Comment 3 Erik Damrose univentionstaff 2019-11-13 16:04:46 CET
<http://errata.software-univention.de/ucs/4.4/344.html>