Bug 53522 - intel-microcode: Multiple issues (5.0)
intel-microcode: Multiple issues (5.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 5.0
All Linux
: P3 normal (vote)
: UCS 5.0-0-errata
Assigned To: Quality Assurance
Erik Damrose
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-06-28 10:39 CEST by Quality Assurance
Modified: 2021-06-30 18:54 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2021-06-28 10:39:48 CEST
New Debian intel-microcode 3.20210608.2~deb10u1 fixes:
This update addresses the following issues:
* vt-d related privilege escalation (CVE-2020-24489)
* improper isolation of shared resources in some Intel Processors  (CVE-2020-24511)
* observable timing discrepancy in some Intel Processors (CVE-2020-24512)
* information disclosure on some Intel Atom processors (CVE-2020-24513)
Comment 1 Quality Assurance univentionstaff 2021-06-28 11:00:04 CEST
--- mirror/ftp/pool/main/i/intel-microcode/intel-microcode_3.20210216.1~deb10u1.dsc
+++ apt/ucs_5.0-0-errata5.0-0/source/intel-microcode_3.20210608.2~deb10u1.dsc
@@ -1,3 +1,87 @@
+3.20210608.2~deb10u1 [Wed, 23 Jun 2021 17:52:40 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * SECURITY UPDATE with known possible regressions
+  * Refer to the changelog entry for 3.20210608.1 for the list of security
+    fixes in this release.
+  * Possible regression: CoffeLake processors with signature 0x906ea *and*
+    Intel Wireless LAN on-board
+    - The Intel WiFi firmware might stop working, refer to:
+    https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/56
+  * Possible regression: Skylake R0/D0 (signatures 0x406e3 and 0x506e3),
+    - Motherboards with severely outdated firmware where the UEFI/BIOS microcode
+      revision is less than 0x80 may hang on boot.  Refer to:
+    https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+  * Reintroduces all fixes (including several security updates) to Skylake
+    D0/R0 that were temporarily disabled in past releases.  Refer to changelog
+    entries since (and including) 3.20200609.1 for the list of security fixes.
+
+3.20210608.2 [Wed, 23 Jun 2021 13:42:19 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Correct INTEL-SA-00442 CVE id to CVE-2020-24489 in changelog and
+    debian/changelog (3.20210608.1).
+
+3.20210608.1 [Tue, 08 Jun 2021 22:37:57 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode datafile 20210608 (closes: #989615)
+    * Implements mitigations for CVE-2020-24511 CVE-2020-24512
+      (INTEL-SA-00464), information leakage through shared resources,
+      and timing discrepancy sidechannels
+    * Implements mitigations for CVE-2020-24513 (INTEL-SA-00465),
+      Domain-bypass transient execution vulnerability in some Intel Atom
+      Processors, affects Intel SGX.
+    * Implements mitigations for CVE-2020-24489 (INTEL-SA-00442), Intel
+      VT-d privilege escalation
+    * Fixes critical errata on several processors
+    * New Microcodes:
+      sig 0x00050655, pf_mask 0xb7, 2018-11-16, rev 0x3000010, size 47104
+      sig 0x000606a5, pf_mask 0x87, 2021-03-08, rev 0xc0002f0, size 283648
+      sig 0x000606a6, pf_mask 0x87, 2021-04-25, rev 0xd0002a0, size 283648
+      sig 0x00080664, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048
+      sig 0x00080665, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048
+      sig 0x000806c1, pf_mask 0x80, 2021-03-31, rev 0x0088, size 109568
+      sig 0x000806c2, pf_mask 0xc2, 2021-04-07, rev 0x0016, size 94208
+      sig 0x000806d1, pf_mask 0xc2, 2021-04-23, rev 0x002c, size 99328
+      sig 0x00090661, pf_mask 0x01, 2021-02-04, rev 0x0011, size 19456
+      sig 0x000906c0, pf_mask 0x01, 2021-03-23, rev 0x001d, size 19456
+      sig 0x000a0671, pf_mask 0x02, 2021-04-11, rev 0x0040, size 100352
+    * Updated Microcodes:
+      sig 0x000306f2, pf_mask 0x6f, 2021-01-27, rev 0x0046, size 34816
+      sig 0x000306f4, pf_mask 0x80, 2021-02-05, rev 0x0019, size 19456
+      sig 0x000406e3, pf_mask 0xc0, 2021-01-25, rev 0x00ea, size 105472
+      sig 0x000406f1, pf_mask 0xef, 2021-02-06, rev 0xb00003e, size 31744
+      sig 0x00050653, pf_mask 0x97, 2021-03-08, rev 0x100015b, size 34816
+      sig 0x00050654, pf_mask 0xb7, 2021-03-08, rev 0x2006b06, size 36864
+      sig 0x00050656, pf_mask 0xbf, 2021-03-08, rev 0x4003102, size 30720
+      sig 0x00050657, pf_mask 0xbf, 2021-03-08, rev 0x5003102, size 30720
+      sig 0x0005065b, pf_mask 0xbf, 2021-04-23, rev 0x7002302, size 27648
+      sig 0x00050663, pf_mask 0x10, 2021-02-04, rev 0x700001b, size 24576
+      sig 0x00050664, pf_mask 0x10, 2021-02-04, rev 0xf000019, size 24576
+      sig 0x00050665, pf_mask 0x10, 2021-02-04, rev 0xe000012, size 19456
+      sig 0x000506c9, pf_mask 0x03, 2020-10-23, rev 0x0044, size 17408
+      sig 0x000506ca, pf_mask 0x03, 2020-10-23, rev 0x0020, size 15360
+      sig 0x000506e3, pf_mask 0x36, 2021-01-25, rev 0x00ea, size 105472
+      sig 0x000506f1, pf_mask 0x01, 2020-10-23, rev 0x0034, size 11264
+      sig 0x000706a1, pf_mask 0x01, 2020-10-23, rev 0x0036, size 74752
+      sig 0x000706a8, pf_mask 0x01, 2020-10-23, rev 0x001a, size 75776
+      sig 0x000706e5, pf_mask 0x80, 2020-11-01, rev 0x00a6, size 110592
+      sig 0x000806a1, pf_mask 0x10, 2020-11-06, rev 0x002a, size 32768
+      sig 0x000806e9, pf_mask 0x10, 2021-01-05, rev 0x00ea, size 104448
+      sig 0x000806e9, pf_mask 0xc0, 2021-01-05, rev 0x00ea, size 104448
+      sig 0x000806ea, pf_mask 0xc0, 2021-01-06, rev 0x00ea, size 103424
+      sig 0x000806eb, pf_mask 0xd0, 2021-01-05, rev 0x00ea, size 104448
+      sig 0x000806ec, pf_mask 0x94, 2021-01-05, rev 0x00ea, size 104448
+      sig 0x000906e9, pf_mask 0x2a, 2021-01-05, rev 0x00ea, size 104448
+      sig 0x000906ea, pf_mask 0x22, 2021-01-05, rev 0x00ea, size 102400
+      sig 0x000906eb, pf_mask 0x02, 2021-01-05, rev 0x00ea, size 104448
+      sig 0x000906ec, pf_mask 0x22, 2021-01-05, rev 0x00ea, size 103424
+      sig 0x000906ed, pf_mask 0x22, 2021-01-05, rev 0x00ea, size 103424
+      sig 0x000a0652, pf_mask 0x20, 2021-02-07, rev 0x00ea, size 93184
+      sig 0x000a0653, pf_mask 0x22, 2021-03-08, rev 0x00ea, size 94208
+      sig 0x000a0655, pf_mask 0x22, 2021-03-08, rev 0x00ec, size 94208
+      sig 0x000a0660, pf_mask 0x80, 2020-12-08, rev 0x00e8, size 94208
+      sig 0x000a0661, pf_mask 0x80, 2021-02-07, rev 0x00ea, size 93184
+  * source: update symlinks to reflect id of the latest release, 20210608
+
 3.20210216.1~deb10u1 [Sat, 20 Mar 2021 11:57:37 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
 
   * RELEASE MANAGER INFORMATION: this update mitigates an extra security

<http://piuparts.knut.univention.de/5.0-0/#6314566960966097910>
Comment 2 Erik Damrose univentionstaff 2021-06-30 09:48:22 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-0] 3614dee8c7 Bug #53522: intel-microcode 3.20210608.2~deb10u1
 doc/errata/staging/intel-microcode.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
Comment 3 Erik Damrose univentionstaff 2021-06-30 18:54:32 CEST
<https://errata.software-univention.de/#/?erratum=5.0x35>