Univention Bugzilla – Full Text Bug Listing
Summary: | intel-microcode: Multiple issues (4.2) | ||
---|---|---|---|
Product: | UCS | Reporter: | Quality Assurance <qa> |
Component: | Security updates | Assignee: | Quality Assurance <qa> |
Status: | CLOSED FIXED | QA Contact: | Philipp Hahn <hahn> |
Severity: | normal | ||
Priority: | P3 | CC: | requate |
Version: | UCS 4.2 | ||
Target Milestone: | UCS 4.2-4-errata | ||
Hardware: | All | ||
OS: | Linux | ||
What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: | 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) |
Description
Quality Assurance
2018-08-09 10:19:42 CEST
Debian is missing the i386 package: <https://packages.debian.org/jessie/intel-microcode>

As the build is reproducible, I rebuilt the package manually on omar:

dpkg-source -x /mnt/build-storage/upstream/debian-security/pool/updates/non-free/i/intel-microcode/intel-microcode_3.20180703.2~deb8u1.dsc
cd intel-microcode-3.20180703.2~deb8u1
pdebuild --architecture i386 --debbuildopts -B --use-pdebuild-internal -- --basetgz /var/univention/buildsystem2/pbuilder/ucs_4.2-0-errata4.2-4.tgz
mv ../intel-microcode_3.20180703.2~deb8u1_i386.deb /var/univention/buildsystem2/apt/ucs_4.2-0-errata4.2-4/i386/
repo-apt-ftparchive --release ucs_4.2-0-errata4.2-4 --arch i386

--- mirror/ftp/4.2/unmaintained/4.2-4/source/intel-microcode_3.20180425.1.dsc +++ apt/ucs_4.2-0-errata4.2-4/source/intel-microcode_3.20180703.2~deb8u1.dsc
@@ -1,3 +1,37 @@ +3.20180703.2~deb8u1 [Fri, 27 Jul 2018 05:30:17 +0200] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Rebuild for jessie-security (no changes) + +3.20180703.2 [Thu, 05 Jul 2018 14:26:36 -0300] Henrique de Moraes Holschuh <hmh@debian.org>: + + * source: fix badly named symlink that resulted in most microcode + updates not being shipped in the binary package. Oops! + +3.20180703.1 [Thu, 05 Jul 2018 10:03:53 -0300] Henrique de Moraes Holschuh <hmh@debian.org>: + + * New upstream microcode data file 20180703 (closes: #903018) + + Updated Microcodes: + sig 0x000206d6, pf_mask 0x6d, 2018-05-08, rev 0x061d, size 18432 + sig 0x000206d7, pf_mask 0x6d, 2018-05-08, rev 0x0714, size 19456 + sig 0x000306e4, pf_mask 0xed, 2018-04-25, rev 0x042d, size 15360 + sig 0x000306e7, pf_mask 0xed, 2018-04-25, rev 0x0714, size 17408 + sig 0x000306f2, pf_mask 0x6f, 2018-04-20, rev 0x003d, size 33792 + sig 0x000306f4, pf_mask 0x80, 2018-04-20, rev 0x0012, size 17408 + sig 0x000406f1, pf_mask 0xef, 2018-04-19, rev 0xb00002e, size 28672 + sig 0x00050654, pf_mask 0xb7, 2018-05-15, rev 0x200004d, size 31744 + sig 0x00050665, pf_mask 0x10, 2018-04-20, rev 0xe00000a, size 18432 + + First batch of fixes for: Intel SA-00115, CVE-2018-3639, CVE-2018-3640 + + SSBD support (Spectre-v4 mitigation) and fix Spectre-v3a for: + Sandybridge server, Ivy Bridge server, Haswell server, Skylake server, + Broadwell server, a few HEDT Core i7/i9 models that are actually gimped + server dies. 
+ * source: update symlinks to reflect id of the latest release, 20180703 + +3.20180425.1~bpo8+1 [Thu, 03 May 2018 23:06:51 -0300] Henrique de Moraes Holschuh <hmh@debian.org>: + + * Rebuild for jessie-backports-sloppy (no changes) + 3.20180425.1 [Wed, 02 May 2018 16:48:44 -0300] Henrique de Moraes Holschuh <hmh@debian.org>: * New upstream microcode data file 20180425 (closes: #897443, #895878)

<http://10.200.17.11/4.2-4/#7177476282043659402>

OK: yaml
OK: errata-announce
OK: patch
OK: piuparts

[4.2-4] 967d74fbe6 Bug #47543: intel-microcode 3.20180703.2~deb8u1
 doc/errata/staging/intel-microcode.yaml | 3 ---
 1 file changed, 3 deletions(-)

[4.2-4] b049cda2f0 Bug #47543: intel-microcode 3.20180703.2~deb8u1
 doc/errata/staging/intel-microcode.yaml | 3 +++
 1 file changed, 3 insertions(+)

[4.2-4] e2e579074b Bug #47543: intel-microcode 3.20180703.2~deb8u1
 doc/errata/staging/intel-microcode.yaml | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

[4.2-4] 4e32864432 Bug #47543: intel-microcode 3.20180703.2~deb8u1
 doc/errata/staging/intel-microcode.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

(In reply to Philipp Hahn from comment #1)
> Debian is missing the i386 package:
> <https://packages.debian.org/jessie/intel-microcode>
>
> As the build is reproducible, I rebuilt the package manually on omar:
> dpkg-source -x /mnt/build-storage/upstream/debian-security/pool/updates/non-free/i/intel-microcode/intel-microcode_3.20180703.2~deb8u1.dsc
> cd intel-microcode-3.20180703.2~deb8u1
> pdebuild --architecture i386 --debbuildopts -B --use-pdebuild-internal -- --basetgz /var/univention/buildsystem2/pbuilder/ucs_4.2-0-errata4.2-4.tgz
> mv ../intel-microcode_3.20180703.2~deb8u1_i386.deb /var/univention/buildsystem2/apt/ucs_4.2-0-errata4.2-4/i386/
> repo-apt-ftparchive --release ucs_4.2-0-errata4.2-4 --arch i386

The package does not build reproducibly:

$ md5sum upstream/debian-security/pool/updates/non-free/i/intel-microcode/intel-microcode_3.20180703.2~deb8u1_i386.deb buildsystem/apt/ucs_4.2-0-errata4.2-4/i386/intel-microcode_3.20180703.2~deb8u1_i386.deb
be7853968a3a1c4df7955300121274a3  upstream/debian-security/pool/updates/non-free/i/intel-microcode/intel-microcode_3.20180703.2~deb8u1_i386.deb
8d53c87cedc708bafbbd92571dc70679  buildsystem/apt/ucs_4.2-0-errata4.2-4/i386/intel-microcode_3.20180703.2~deb8u1_i386.deb

I contacted Markus Koschany from Debian and they uploaded the missing binary. I replaced my build with it:

cp upstream/debian-security/pool/updates/non-free/i/intel-microcode/intel-microcode_3.20180703.2~deb8u1_i386.deb buildsystem/apt/ucs_4.2-0-errata4.2-4/i386/intel-microcode_3.20180703.2~deb8u1_i386.deb
repo-apt-ftparchive --release ucs_4.2-0-errata4.2-4 --arch i386 --stat
grep be7853968a3a1c4df7955300121274a3 buildsystem/apt/ucs_4.2-0-errata4.2-4/i386/Packages

FYI: <https://downloadcenter.intel.com/search?keyword=linux+microcode> lists 2018-07-03 as the latest version, which is what this update provides. But it does not seem to include all updates from <https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf>, as for example my test system with "Sandy Bridge" still lists µCode 0x2D instead of 0x2E:

# iucode-tool -S
iucode-tool: system has processor(s) with signature 0x000206a7
# sed -ne '/microcode/p;/^$/q' /proc/cpuinfo
microcode : 0x2d

/usr/share/doc/intel-microcode/changelog.Debian.gz explicitly talks about "Sandybridge server", so I guess that no µCode update is included for this desktop CPU and we are still at 3.20180312.1 for that CPU.

Intel already provides the next update 2018-08-07: <https://downloadcenter.intel.com/download/28039/Linux-Processor-Microcode-Data-File>
Maybe for CVE-2018-3646 (AKA Foreshadow)?
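Review bot: the 3.20180703.1 entry in the changelog diff describes itself as a "First batch of fixes" for Intel SA-00115, CVE-2018-3639 and CVE-2018-3640, and its "Updated Microcodes" list carries nine signatures that the entry attributes to server and HEDT dies only, so the erratum description should state that coverage is partial and name the CPU families that actually receive SSBD support. The 3.20180703.2 entry also says the .1 build shipped without most microcode files because of a badly named symlink, so the erratum should pin 3.20180703.2~deb8u1 as the minimum version rather than the upstream data-file date alone.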
(In reply to Philipp Hahn from comment #5)
> FYI: <https://downloadcenter.intel.com/search?keyword=linux+microcode> lists
> 2018-07-03 as the latest version, which is what this update provides. But it
> does not seem to include all updates from
> <https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf>,
> as for example my test system with "Sandy Bridge" still lists µCode 0x2D
> instead of 0x2E

That update is now included:

> SNB D2 6-2a-7/12 0000002d->0000002e Core Gen2; Xeon E3

# sed -ne '/microcode/p;/^$/q' /proc/cpuinfo
microcode : 0x2d
# cp intel-ucode/* /lib/firmware/intel-ucode/
# echo 1 > /sys/devices/system/cpu/microcode/reload
# sed -ne '/microcode/p;/^$/q' /proc/cpuinfo
microcode : 0x2e

As discussed we will release the current verified version and do another erratum when Debian provides a new package.
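The coverage check discussed in this thread, as an added example that is not part of the bug report or of the Debian package: it rebuilds the CPUID signature that `iucode-tool -S` reports from the family/model/stepping triple and looks it up in the "Updated Microcodes" list from the changelog diff above. The function names are hypothetical, and `pf_mask` is ignored for brevity.

```shell
#!/bin/sh
# "Updated Microcodes" list copied from the changelog diff on this page.
UPDATED='sig 0x000206d6, pf_mask 0x6d, 2018-05-08, rev 0x061d, size 18432
sig 0x000206d7, pf_mask 0x6d, 2018-05-08, rev 0x0714, size 19456
sig 0x000306e4, pf_mask 0xed, 2018-04-25, rev 0x042d, size 15360
sig 0x000306e7, pf_mask 0xed, 2018-04-25, rev 0x0714, size 17408
sig 0x000306f2, pf_mask 0x6f, 2018-04-20, rev 0x003d, size 33792
sig 0x000306f4, pf_mask 0x80, 2018-04-20, rev 0x0012, size 17408
sig 0x000406f1, pf_mask 0xef, 2018-04-19, rev 0xb00002e, size 28672
sig 0x00050654, pf_mask 0xb7, 2018-05-15, rev 0x200004d, size 31744
sig 0x00050665, pf_mask 0x10, 2018-04-20, rev 0xe00000a, size 18432'

# cpuid_sig FAMILY MODEL STEPPING (decimal, as printed in /proc/cpuinfo)
# Packs the values back into the CPUID signature layout:
# ext_family<<20 | ext_model<<16 | family<<8 | model<<4 | stepping
cpuid_sig() {
    fam=$1; ext_fam=0
    if [ "$fam" -gt 15 ]; then ext_fam=$((fam - 15)); fam=15; fi
    printf '0x%08x\n' $(( (ext_fam << 20) | (($2 >> 4) << 16) | (fam << 8) | (($2 & 15) << 4) | $3 ))
}

# listed_rev SIG: print the revision listed for SIG, or nothing if absent.
listed_rev() {
    printf '%s\n' "$UPDATED" |
        sed -n "s/^sig $1, .*rev \(0x[0-9a-f]*\),.*/\1/p"
}

# check_host SIG RUNNING_REV: not-listed, outdated or current.
check_host() {
    want=$(listed_rev "$1")
    if [ -z "$want" ]; then
        echo "not-listed"      # package changelog has no update for this CPU
    elif [ $(($2)) -lt $(($want)) ]; then
        echo "outdated"        # newer microcode is shipped but not loaded
    else
        echo "current"
    fi
}

# Values from the thread: Sandy Bridge 6-2a-7 (family 6, model 42,
# stepping 7) running revision 0x2d.
sig=$(cpuid_sig 6 42 7)
echo "$sig: $(check_host "$sig" 0x2d)"
```

On a live host, take the family, model and stepping from /proc/cpuinfo and the running revision from its `microcode` line.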