Bug 52754 - intel-microcode: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.4
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-7-errata
Assigned To: Quality Assurance
Philipp Hahn
Reported: 2021-02-08 08:37 CET by Quality Assurance
Modified: 2021-02-17 16:53 CET (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)


Description Quality Assurance univentionstaff 2021-02-08 08:37:24 CET
New Debian intel-microcode 3.20201118.1~deb9u1 fixes:
This update addresses the following issues:
* Information disclosure issue in Intel SGX via RAPL interface (CVE-2020-8695)
* Vector Register Leakage-Active (CVE-2020-8696)
* Fast forward store predictor (CVE-2020-8698)
Comment 1 Quality Assurance univentionstaff 2021-02-13 16:00:20 CET
--- mirror/ftp/4.4/unmaintained/4.4-6/source/intel-microcode_3.20200616.1~deb9u1.dsc
+++ apt/ucs_4.4-0-errata4.4-7/source/intel-microcode_3.20201118.1~deb9u1.dsc
@@ -1,3 +1,84 @@
+3.20201118.1~deb9u1 [Mon, 25 Jan 2021 11:29:27 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Rebuild for stretch LTS, with changes to avoid regressions
+  * Stable Release Manager: this intel-microcode update *keeps the same
+    revision* of Skylake D0/R0 microcode updates already in Debian 10; they're
+    "downgraded" from the point of view of intel-microcode 3.20201118.1.
+    For these two processor models, an attempt to update to revisions 0xd8
+    and higher can hang the system should the system firmware have a microcode
+    revision older than 0x80 -- and revision 0x72/0x74/0x76 apparently are
+    common enough in the field to ensure many users are affected.
+    Refer to:
+    https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+  * Downgraded microcodes (to upstream release 20200616):
+    sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
+    sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376
+
+3.20201118.1 [Sun, 27 Dec 2020 15:59:32 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode datafile 20201118
+    * Removes a faulty microcode update from release 2020-11-10 for Tiger Lake
+      processors.  Note that Debian already had removed this specific falty
+      microcode update on the 3.20201110.1 release
+    * Add a microcode update for the Pentium Silver N/J5xxx and Celeron
+      N/J4xxx which didn't make it to release 20201110, fixing security issues
+      (INTEL-SA-00381, INTEL-SA-00389)
+    * Updated Microcodes:
+      sig 0x000706a1, pf_mask 0x01, 2020-06-09, rev 0x0034, size 74752
+    * Removed Microcodes:
+      sig 0x000806c1, pf_mask 0x80, 2020-10-02, rev 0x0068, size 107520
+
+3.20201110.1 [Thu, 12 Nov 2020 15:03:36 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode datafile 20201110 (closes: #974533)
+    * Implements mitigation for CVE-2020-8696 and CVE-2020-8698,
+      aka INTEL-SA-00381: AVX register information leakage;
+      Fast-Forward store predictor information leakage
+    * Implements mitigation for CVE-2020-8695, Intel SGX information
+      disclosure via RAPL, aka INTEL-SA-00389
+    * Fixes critical errata on several processor models
+    * Reintroduces SRBDS mitigations(CVE-2020-0543, INTEL-SA-00320)
+      for Skylake-U/Y, Skylake Xeon E3
+    * New Microcodes
+      sig 0x0005065b, pf_mask 0xbf, 2020-08-20, rev 0x700001e, size 27648
+      sig 0x000806a1, pf_mask 0x10, 2020-06-26, rev 0x0028, size 32768
+      sig 0x000806c1, pf_mask 0x80, 2020-10-02, rev 0x0068, size 107520
+      sig 0x000a0652, pf_mask 0x20, 2020-07-08, rev 0x00e0, size 93184
+      sig 0x000a0653, pf_mask 0x22, 2020-07-08, rev 0x00e0, size 94208
+      sig 0x000a0655, pf_mask 0x22, 2020-07-08, rev 0x00e0, size 93184
+      sig 0x000a0661, pf_mask 0x80, 2020-07-02, rev 0x00e0, size 93184
+    * Updated Microcodes
+      sig 0x000306f2, pf_mask 0x6f, 2020-05-27, rev 0x0044, size 34816
+      sig 0x000406e3, pf_mask 0xc0, 2020-07-14, rev 0x00e2, size 105472
+      sig 0x00050653, pf_mask 0x97, 2020-06-18, rev 0x1000159, size 33792
+      sig 0x00050654, pf_mask 0xb7, 2020-06-16, rev 0x2006a08, size 35840
+      sig 0x00050656, pf_mask 0xbf, 2020-06-18, rev 0x4003003, size 52224
+      sig 0x00050657, pf_mask 0xbf, 2020-06-18, rev 0x5003003, size 52224
+      sig 0x000506c9, pf_mask 0x03, 2020-02-27, rev 0x0040, size 17408
+      sig 0x000506ca, pf_mask 0x03, 2020-02-27, rev 0x001e, size 15360
+      sig 0x000506e3, pf_mask 0x36, 2020-07-14, rev 0x00e2, size 105472
+      sig 0x000706a8, pf_mask 0x01, 2020-06-09, rev 0x0018, size 75776
+      sig 0x000706e5, pf_mask 0x80, 2020-07-30, rev 0x00a0, size 109568
+      sig 0x000806e9, pf_mask 0x10, 2020-05-27, rev 0x00de, size 104448
+      sig 0x000806e9, pf_mask 0xc0, 2020-05-27, rev 0x00de, size 104448
+      sig 0x000806ea, pf_mask 0xc0, 2020-06-17, rev 0x00e0, size 104448
+      sig 0x000806eb, pf_mask 0xd0, 2020-06-03, rev 0x00de, size 104448
+      sig 0x000806ec, pf_mask 0x94, 2020-05-18, rev 0x00de, size 104448
+      sig 0x000906e9, pf_mask 0x2a, 2020-05-26, rev 0x00de, size 104448
+      sig 0x000906ea, pf_mask 0x22, 2020-05-25, rev 0x00de, size 103424
+      sig 0x000906eb, pf_mask 0x02, 2020-05-25, rev 0x00de, size 104448
+      sig 0x000906ec, pf_mask 0x22, 2020-06-03, rev 0x00de, size 103424
+      sig 0x000906ed, pf_mask 0x22, 2020-05-24, rev 0x00de, size 103424
+      sig 0x000a0660, pf_mask 0x80, 2020-07-08, rev 0x00e0, size 94208
+  * 0x806c1: remove the new Tiger Lake update: causes hang on cold/warm boot
+    https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
+    INTEL-SA-00381 AND INTEL-SA-00389 MITIGATIONS ARE THEREFORE NOT INSTALLED
+    FOR 0x806c1 TIGER LAKE PROCESSORS by this package update.  Contact your
+    system vendor for a firmware update, or wait fo a possible fix in a future
+    Intel microcode release.
+  * source: update symlinks to reflect id of the latest release, 20201110
+  * source: ship new upstream documentation (security.md, releasenote.md)
+
 3.20200616.1~deb9u1 [Sun, 05 Jul 2020 15:26:41 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
 
   * Rebuild for Debian oldstable (stretch), no changes
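
Review bot: The errata description should not present CVE-2020-8695, CVE-2020-8696 and CVE-2020-8698 as fixed on every processor, because this changelog carves out three signatures. The 3.20201118.1~deb9u1 entry ships sig 0x000406e3 and sig 0x000506e3 at rev 0x00d6 (upstream release 20200616) instead of the rev 0x00e2 listed under "Updated Microcodes" in 3.20201110.1, so the changes that entry introduced for those two Skylake models are not delivered by this package. The 3.20201110.1 entry also states that the INTEL-SA-00381 and INTEL-SA-00389 mitigations are not installed for 0x806c1 Tiger Lake. Suggest naming these three signatures as exceptions in doc/errata/staging/intel-microcode.yaml and repeating the changelog's advice to obtain a system firmware update from the vendor, so that administrators of affected hosts do not treat the erratum as closing the issue for them.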

<http://10.200.17.11/4.4-7/#9104529832198792262>
Comment 2 Philipp Hahn univentionstaff 2021-02-14 12:19:18 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-7] e12a8cbe5c Bug #52754: intel-microcode 3.20201118.1~deb9u1
 doc/errata/staging/intel-microcode.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)