Univention Bugzilla – Bug 52754
intel-microcode: Multiple issues (4.4)
Last modified: 2021-02-17 16:53:38 CET
New Debian intel-microcode 3.20201118.1~deb9u1 fixes: This update addresses the following issues: * Information disclosure issue in Intel SGX via RAPL interface (CVE-2020-8695) * Vector Register Leakage-Active (CVE-2020-8696) * Fast forward store predictor (CVE-2020-8698)
--- mirror/ftp/4.4/unmaintained/4.4-6/source/intel-microcode_3.20200616.1~deb9u1.dsc +++ apt/ucs_4.4-0-errata4.4-7/source/intel-microcode_3.20201118.1~deb9u1.dsc @@ -1,3 +1,84 @@ +3.20201118.1~deb9u1 [Mon, 25 Jan 2021 11:29:27 -0300] Henrique de Moraes Holschuh <hmh@debian.org>: + + * Rebuild for stretch LTS, with changes to avoid regressions + * Stable Release Manager: this intel-microcode update *keeps the same + revision* of Skylake D0/R0 microcode updates already in Debian 10; they're + "downgraded" from the point of view of intel-microcode 3.20201118.1. + For these two processor models, an attempt to update to revisions 0xd8 + and higher can hang the system should the system firmware have a microcode + revision older than 0x80 -- and revision 0x72/0x74/0x76 apparently are + common enough in the field to ensure many users are affected. + Refer to: + https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 + * Downgraded microcodes (to upstream release 20200616): + sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376 + sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376 + +3.20201118.1 [Sun, 27 Dec 2020 15:59:32 -0300] Henrique de Moraes Holschuh <hmh@debian.org>: + + * New upstream microcode datafile 20201118 + * Removes a faulty microcode update from release 2020-11-10 for Tiger Lake + processors. Note that Debian already had removed this specific falty + microcode update on the 3.20201110.1 release + * Add a microcode update for the Pentium Silver N/J5xxx and Celeron + N/J4xxx which didn't make it to release 20201110, fixing security issues + (INTEL-SA-00381, INTEL-SA-00389) + * Updated Microcodes: + sig 0x000706a1, pf_mask 0x01, 2020-06-09, rev 0x0034, size 74752 + * Removed Microcodes: + sig 0x000806c1, pf_mask 0x80, 2020-10-02, rev 0x0068, size 107520 + +3.20201110.1 [Thu, 12 Nov 2020 15:03:36 -0300] Henrique de Moraes Holschuh <hmh@debian.org>: + + * New upstream microcode datafile 20201110 (closes: #974533) + * Implements mitigation for CVE-2020-8696 and CVE-2020-8698, + aka INTEL-SA-00381: AVX register information leakage; + Fast-Forward store predictor information leakage + * Implements mitigation for CVE-2020-8695, Intel SGX information + disclosure via RAPL, aka INTEL-SA-00389 + * Fixes critical errata on several processor models + * Reintroduces SRBDS mitigations(CVE-2020-0543, INTEL-SA-00320) + for Skylake-U/Y, Skylake Xeon E3 + * New Microcodes + sig 0x0005065b, pf_mask 0xbf, 2020-08-20, rev 0x700001e, size 27648 + sig 0x000806a1, pf_mask 0x10, 2020-06-26, rev 0x0028, size 32768 + sig 0x000806c1, pf_mask 0x80, 2020-10-02, rev 0x0068, size 107520 + sig 0x000a0652, pf_mask 0x20, 2020-07-08, rev 0x00e0, size 93184 + sig 0x000a0653, pf_mask 0x22, 2020-07-08, rev 0x00e0, size 94208 + sig 0x000a0655, pf_mask 0x22, 2020-07-08, rev 0x00e0, size 93184 + sig 0x000a0661, pf_mask 0x80, 2020-07-02, rev 0x00e0, size 93184 + * Updated Microcodes + sig 0x000306f2, pf_mask 0x6f, 2020-05-27, rev 0x0044, size 34816 + sig 0x000406e3, pf_mask 0xc0, 2020-07-14, rev 0x00e2, size 105472 + sig 0x00050653, pf_mask 0x97, 2020-06-18, rev 0x1000159, size 33792 + sig 0x00050654, pf_mask 0xb7, 2020-06-16, rev 0x2006a08, size 35840 + sig 0x00050656, pf_mask 0xbf, 2020-06-18, rev 0x4003003, size 52224 + sig 0x00050657, pf_mask 0xbf, 2020-06-18, rev 0x5003003, size 52224 + sig 0x000506c9, pf_mask 0x03, 2020-02-27, rev 0x0040, size 17408 + sig 0x000506ca, pf_mask 0x03, 2020-02-27, rev 0x001e, size 15360 + sig 0x000506e3, pf_mask 0x36, 2020-07-14, rev 0x00e2, size 105472 + sig 0x000706a8, pf_mask 0x01, 2020-06-09, rev 0x0018, size 75776 + sig 0x000706e5, pf_mask 0x80, 2020-07-30, rev 0x00a0, size 109568 + sig 0x000806e9, pf_mask 0x10, 2020-05-27, rev 0x00de, size 104448 + sig 0x000806e9, pf_mask 0xc0, 2020-05-27, rev 0x00de, size 104448 + sig 0x000806ea, pf_mask 0xc0, 2020-06-17, rev 0x00e0, size 104448 + sig 0x000806eb, pf_mask 0xd0, 2020-06-03, rev 0x00de, size 104448 + sig 0x000806ec, pf_mask 0x94, 2020-05-18, rev 0x00de, size 104448 + sig 0x000906e9, pf_mask 0x2a, 2020-05-26, rev 0x00de, size 104448 + sig 0x000906ea, pf_mask 0x22, 2020-05-25, rev 0x00de, size 103424 + sig 0x000906eb, pf_mask 0x02, 2020-05-25, rev 0x00de, size 104448 + sig 0x000906ec, pf_mask 0x22, 2020-06-03, rev 0x00de, size 103424 + sig 0x000906ed, pf_mask 0x22, 2020-05-24, rev 0x00de, size 103424 + sig 0x000a0660, pf_mask 0x80, 2020-07-08, rev 0x00e0, size 94208 + * 0x806c1: remove the new Tiger Lake update: causes hang on cold/warm boot + https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 + INTEL-SA-00381 AND INTEL-SA-00389 MITIGATIONS ARE THEREFORE NOT INSTALLED + FOR 0x806c1 TIGER LAKE PROCESSORS by this package update. Contact your + system vendor for a firmware update, or wait fo a possible fix in a future + Intel microcode release. + * source: update symlinks to reflect id of the latest release, 20201110 + * source: ship new upstream documentation (security.md, releasenote.md) + 3.20200616.1~deb9u1 [Sun, 05 Jul 2020 15:26:41 -0300] Henrique de Moraes Holschuh <hmh@debian.org>: * Rebuild for Debian oldstable (stretch), no changes <http://10.200.17.11/4.4-7/#9104529832198792262>
OK: yaml OK: announce_errata OK: patch OK: piuparts [4.4-7] e12a8cbe5c Bug #52754: intel-microcode 3.20201118.1~deb9u1 doc/errata/staging/intel-microcode.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x896>