Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]

As requested by the security team, I would like to bring the microcode
update level for Intel processors in Bullseye and Bookworm to match what
we have in Sid and Trixie.  This is the bug report for Bullseye, a
separate one will be filed for Bookworm.

This fixes:
* Several CVEs in many Intel processors
  - INTEL-SA-01051 (CVE-2023-45733)
      Hardware logic contains race conditions in some Intel Processors may
      allow an authenticated user to potentially enable partial information
      disclosure via local access.
  - INTEL-SA-01052 (CVE-2023-46103)
      Sequence of processor instructions leads to unexpected behavior in
      Intel Core Ultra Processors may allow an authenticated user to
      potentially enable denial of service via local access.
  - Mitigations for INTEL-SA-01036 (CVE-2023-45745, CVE-2023-47855)
      Improper input validation in some Intel TDX module software before
      version 1.5.05.46.698 may allow a privileged user to potentially enable
      escalation of privilege via local access.
* Unspecified functional issues on 4th gen and 5th gen Xeon Scalable,
  12th, 13th and 14th gen Intel Core processors, as well as for Core i3
  N-series processors.

There are no relevant issues reported on this microcode update,
considering the version of intel-microcode already available for
bookworm and bullseye.

[ Impact ]

If this update is not approved, owners of most recent "client" Intel
processors and a few server processors will depend on UEFI updates to be
protected against RFDS as well as the other issues listed above.

[ Tests ]

There were no bug reports from users of Debian sid or Trixie, these
packages have been tested there since 2024-05-18 (sid), 2024-05-22
(trixie).

[ Risks ]

Unknown, but not believed to be any different from other Intel microcode
updates.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

As per the debdiff, only documentation changes, package documentation
changes, and the binary blob change from upstream.

Diffstat:
 changelog            |   39 +++++++++++++++++++++++++++++++++++++++
 debian/changelog     |   50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 intel-ucode/06-8f-05 |binary
 intel-ucode/06-8f-06 |binary
 intel-ucode/06-8f-07 |binary
 intel-ucode/06-8f-08 |binary
 intel-ucode/06-97-02 |binary
 intel-ucode/06-97-05 |binary
 intel-ucode/06-9a-03 |binary
 intel-ucode/06-9a-04 |binary
 intel-ucode/06-b7-01 |binary
 intel-ucode/06-be-00 |binary
 intel-ucode/06-bf-02 |binary
 intel-ucode/06-bf-05 |binary
 intel-ucode/06-cf-01 |binary
 intel-ucode/06-cf-02 |binary
 releasenote.md       |   42 ++++++++++++++++++++++++++++++++++++++++++
 17 files changed, 131 insertions(+)

[ Other info ]

The package version with "~" is needed to guarantee smooth updates to
the next debian release.

-- 
  Henrique Holschuh
diff --git a/changelog b/changelog
index fe44e7e..83989c4 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,42 @@
+2024-05-14:
+  * New upstream microcode datafile 20240514
+    - Mitigations for INTEL-SA-01051 (CVE-2023-45733)
+      Hardware logic contains race conditions in some Intel Processors may
+      allow an authenticated user to potentially enable partial information
+      disclosure via local access.
+    - Mitigations for INTEL-SA-01052 (CVE-2023-46103)
+      Sequence of processor instructions leads to unexpected behavior in
+      Intel Core Ultra Processors may allow an authenticated user to
+      potentially enable denial of service via local access.
+    - Mitigations for INTEL-SA-01036 (CVE-2023-45745,  CVE-2023-47855)
+      Improper input validation in some Intel TDX module software before
+      version 1.5.05.46.698 may allow a privileged user to potentially enable
+      escalation of privilege via local access.
+    - Fix for unspecified functional issues on 4th gen and 5th gen Xeon
+      Scalable, 12th, 13th and 14th gen Intel Core processors, as well as for
+      Core i3 N-series processors.
+  * Updated microcodes:
+    sig 0x000806f8, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0, size 581632
+    sig 0x000806f7, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
+    sig 0x000806f6, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
+    sig 0x000806f5, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
+    sig 0x000806f4, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
+    sig 0x000806f8, pf_mask 0x10, 2024-02-05, rev 0x2c000390, size 614400
+    sig 0x000806f6, pf_mask 0x10, 2024-02-05, rev 0x2c000390
+    sig 0x000806f5, pf_mask 0x10, 2024-02-05, rev 0x2c000390
+    sig 0x000806f4, pf_mask 0x10, 2024-02-05, rev 0x2c000390
+    sig 0x00090672, pf_mask 0x07, 2023-12-05, rev 0x0035, size 224256
+    sig 0x00090675, pf_mask 0x07, 2023-12-05, rev 0x0035
+    sig 0x000b06f2, pf_mask 0x07, 2023-12-05, rev 0x0035
+    sig 0x000b06f5, pf_mask 0x07, 2023-12-05, rev 0x0035
+    sig 0x000906a3, pf_mask 0x80, 2023-12-05, rev 0x0433, size 222208
+    sig 0x000906a4, pf_mask 0x80, 2023-12-05, rev 0x0433
+    sig 0x000906a4, pf_mask 0x40, 2023-12-07, rev 0x0007, size 119808
+    sig 0x000b0671, pf_mask 0x32, 2024-01-25, rev 0x0123, size 215040
+    sig 0x000b06e0, pf_mask 0x11, 2023-12-07, rev 0x0017, size 138240
+    sig 0x000c06f2, pf_mask 0x87, 2024-02-05, rev 0x21000230, size 552960
+    sig 0x000c06f1, pf_mask 0x87, 2024-02-05, rev 0x21000230
+
 2024-03-12:
   * New upstream microcode datafile 20240312
     - Mitigations for INTEL-SA-INTEL-SA-00972 (CVE-2023-39368):
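Review bot: the new 2024-05-14 entry does not say which of the updated signatures carry which mitigation; the three advisory items are followed by a flat "Updated microcodes" list giving only sig, pf_mask, date, rev and size. If that mapping is known, a short note per advisory (or per signature group) would let a reader tell whether a given CPU is covered by INTEL-SA-01051, INTEL-SA-01052 or INTEL-SA-01036. Minor style points: the INTEL-SA-01036 line has two spaces after the comma in "(CVE-2023-45745,  CVE-2023-47855)", and the unchanged 2024-03-12 entry below reads "INTEL-SA-INTEL-SA-00972", a doubled prefix that could be cleaned up in a follow-up.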
diff --git a/debian/changelog b/debian/changelog
index 317fad2..10f37f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,53 @@
+intel-microcode (3.20240514.1~deb11u1) bullseye; urgency=medium
+
+  * Backport to Debian Bullseye
+  * debian/control: revert non-free-firmware change
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Wed, 29 May 2024 23:31:29 -0300
+
+intel-microcode (3.20240514.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20240514 
+    * Mitigations for INTEL-SA-01051 (CVE-2023-45733)
+      Hardware logic contains race conditions in some Intel Processors may
+      allow an authenticated user to potentially enable partial information
+      disclosure via local access.
+    * Mitigations for INTEL-SA-01052 (CVE-2023-46103)
+      Sequence of processor instructions leads to unexpected behavior in
+      Intel Core Ultra Processors may allow an authenticated user to
+      potentially enable denial of service via local access.
+    * Mitigations for INTEL-SA-01036 (CVE-2023-45745,  CVE-2023-47855)
+      Improper input validation in some Intel TDX module software before
+      version 1.5.05.46.698 may allow a privileged user to potentially enable
+      escalation of privilege via local access.
+    * Fix for unspecified functional issues on 4th gen and 5th gen Xeon
+      Scalable, 12th, 13th and 14th gen Intel Core processors, as well as for
+      Core i3 N-series processors.
+    * Updated microcodes:
+      sig 0x000806f8, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0, size 581632
+      sig 0x000806f7, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
+      sig 0x000806f6, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
+      sig 0x000806f5, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
+      sig 0x000806f4, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
+      sig 0x000806f8, pf_mask 0x10, 2024-02-05, rev 0x2c000390, size 614400
+      sig 0x000806f6, pf_mask 0x10, 2024-02-05, rev 0x2c000390
+      sig 0x000806f5, pf_mask 0x10, 2024-02-05, rev 0x2c000390
+      sig 0x000806f4, pf_mask 0x10, 2024-02-05, rev 0x2c000390
+      sig 0x00090672, pf_mask 0x07, 2023-12-05, rev 0x0035, size 224256
+      sig 0x00090675, pf_mask 0x07, 2023-12-05, rev 0x0035
+      sig 0x000b06f2, pf_mask 0x07, 2023-12-05, rev 0x0035
+      sig 0x000b06f5, pf_mask 0x07, 2023-12-05, rev 0x0035
+      sig 0x000906a3, pf_mask 0x80, 2023-12-05, rev 0x0433, size 222208
+      sig 0x000906a4, pf_mask 0x80, 2023-12-05, rev 0x0433
+      sig 0x000906a4, pf_mask 0x40, 2023-12-07, rev 0x0007, size 119808
+      sig 0x000b0671, pf_mask 0x32, 2024-01-25, rev 0x0123, size 215040
+      sig 0x000b06e0, pf_mask 0x11, 2023-12-07, rev 0x0017, size 138240
+      sig 0x000c06f2, pf_mask 0x87, 2024-02-05, rev 0x21000230, size 552960
+      sig 0x000c06f1, pf_mask 0x87, 2024-02-05, rev 0x21000230
+  * source: update symlinks to reflect id of the latest release, 20240514
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Thu, 16 May 2024 21:40:52 -0300
+
 intel-microcode (3.20240312.1~deb11u1) bullseye; urgency=medium
 
   * Backport to Debian Bullseye
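Review bot: the 3.20240514.1~deb11u1 entry lists "debian/control: revert non-free-firmware change", but this debdiff has no debian/control hunk and the diffstat does not list that file. If the revert is simply carried over from the previous 3.20240312.1~deb11u1 upload (an assumption, the diff does not show it), saying so in the entry would spare the reviewer from looking for a change that is not there. Style: the "New upstream microcode datafile 20240514" line in the unstable entry ends with a trailing space, and its sub-items use "*" where the upstream changelog uses "-".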
diff --git a/intel-ucode/06-8f-05 b/intel-ucode/06-8f-05
index bef4d36..ef5b752 100644
Binary files a/intel-ucode/06-8f-05 and b/intel-ucode/06-8f-05 differ
diff --git a/intel-ucode/06-8f-06 b/intel-ucode/06-8f-06
index bef4d36..ef5b752 100644
Binary files a/intel-ucode/06-8f-06 and b/intel-ucode/06-8f-06 differ
diff --git a/intel-ucode/06-8f-07 b/intel-ucode/06-8f-07
index 07ab364..d629737 100644
Binary files a/intel-ucode/06-8f-07 and b/intel-ucode/06-8f-07 differ
diff --git a/intel-ucode/06-8f-08 b/intel-ucode/06-8f-08
index bef4d36..ef5b752 100644
Binary files a/intel-ucode/06-8f-08 and b/intel-ucode/06-8f-08 differ
diff --git a/intel-ucode/06-97-02 b/intel-ucode/06-97-02
index 71c9c34..05450f8 100644
Binary files a/intel-ucode/06-97-02 and b/intel-ucode/06-97-02 differ
diff --git a/intel-ucode/06-97-05 b/intel-ucode/06-97-05
index 71c9c34..05450f8 100644
Binary files a/intel-ucode/06-97-05 and b/intel-ucode/06-97-05 differ
diff --git a/intel-ucode/06-9a-03 b/intel-ucode/06-9a-03
index a8339f9..b4f9b45 100644
Binary files a/intel-ucode/06-9a-03 and b/intel-ucode/06-9a-03 differ
diff --git a/intel-ucode/06-9a-04 b/intel-ucode/06-9a-04
index 5917702..27bfc92 100644
Binary files a/intel-ucode/06-9a-04 and b/intel-ucode/06-9a-04 differ
diff --git a/intel-ucode/06-b7-01 b/intel-ucode/06-b7-01
index d918b30..fc76856 100644
Binary files a/intel-ucode/06-b7-01 and b/intel-ucode/06-b7-01 differ
diff --git a/intel-ucode/06-be-00 b/intel-ucode/06-be-00
index 9ed1278..7be2d62 100644
Binary files a/intel-ucode/06-be-00 and b/intel-ucode/06-be-00 differ
diff --git a/intel-ucode/06-bf-02 b/intel-ucode/06-bf-02
index 71c9c34..05450f8 100644
Binary files a/intel-ucode/06-bf-02 and b/intel-ucode/06-bf-02 differ
diff --git a/intel-ucode/06-bf-05 b/intel-ucode/06-bf-05
index 71c9c34..05450f8 100644
Binary files a/intel-ucode/06-bf-05 and b/intel-ucode/06-bf-05 differ
diff --git a/intel-ucode/06-cf-01 b/intel-ucode/06-cf-01
index 5cdd274..85ed301 100644
Binary files a/intel-ucode/06-cf-01 and b/intel-ucode/06-cf-01 differ
diff --git a/intel-ucode/06-cf-02 b/intel-ucode/06-cf-02
index 5cdd274..85ed301 100644
Binary files a/intel-ucode/06-cf-02 and b/intel-ucode/06-cf-02 differ
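Review bot: the fourteen intel-ucode blobs cannot be reviewed from this diff, so the request would be stronger if it stated how they were checked against the upstream microcode-20240514 release, for example by comparing checksums with the tagged upstream files. The index lines are at least consistent with the grouping in the changelog: 06-8f-05, 06-8f-06 and 06-8f-08 share bef4d36..ef5b752; 06-97-02, 06-97-05, 06-bf-02 and 06-bf-05 share 71c9c34..05450f8; 06-cf-01 and 06-cf-02 share 5cdd274..85ed301; 06-8f-07 differs from its siblings (07ab364..d629737).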
diff --git a/microcode-20240312.d b/microcode-20240514.d
similarity index 100%
rename from microcode-20240312.d
rename to microcode-20240514.d
diff --git a/releasenote.md b/releasenote.md
index 32614fc..efbe46a 100644
--- a/releasenote.md
+++ b/releasenote.md
@@ -1,3 +1,45 @@
+# Release Notes
+## [microcode-20240514](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514)
+
+### Purpose
+
+- Security updates for [INTEL-SA-01051](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01051.html)
+- Security updates for [INTEL-SA-01052](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01052.html)
+- Security updates for [INTEL-SA-01036](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01036.html)
+- Update for functional issues. Refer to [5th Gen Intel® Xeon® Processor Scalable Family](https://cdrdv2.intel.com/v1/dl/getContent/793902) for details.
+- Update for functional issues. Refer to [4th Gen Intel® Xeon® Scalable Processors Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/772415) for details.
+- Update for functional issues. Refer to [14th & 13th Generation Intel® Core™ Processor Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/740518) for details.
+- Update for functional issues. Refer to [12th Generation Intel® Core™ Processor Family](https://cdrdv2.intel.com/v1/dl/getContent/682436) for details.
+- Update for functional issues. Refer to [Intel® Processors and Intel® Core™ i3 N-Series](https://cdrdv2.intel.com/v1/dl/getContent/764616) for details.
+
+### New Platforms
+
+| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
+|:---------------|:---------|:------------|:---------|:---------|:---------
+
+
+### Updated Platforms
+
+| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
+|:---------------|:---------|:------------|:---------|:---------|:---------
+| ADL            | C0       | 06-97-02/07 | 00000034 | 00000035 | Core Gen12
+| ADL            | H0       | 06-97-05/07 | 00000034 | 00000035 | Core Gen12
+| ADL            | L0       | 06-9a-03/80 | 00000432 | 00000433 | Core Gen12
+| ADL            | R0       | 06-9a-04/80 | 00000432 | 00000433 | Core Gen12
+| ADL-N          | N0       | 06-be-00/11 | 00000015 | 00000017 | Core i3-N305/N300, N50/N97/N100/N200, Atom x7211E/x7213E/x7425E
+| AZB            | A0       | 06-9a-04/40 | 00000005 | 00000007 | Intel(R) Atom(R) C1100
+| AZB            | R0       | 06-9a-04/40 | 00000005 | 00000007 | Intel(R) Atom(R) C1100
+| EMR-SP         | A0      | 06-cf-01/87 | 21000200 | 21000230 | Xeon Scalable Gen5
+| EMR-SP         | A1      | 06-cf-02/87 | 21000200 | 21000230 | Xeon Scalable Gen5
+| RPL-E/HX/S     | B0       | 06-b7-01/32 | 00000122 | 00000123 | Core Gen13/Gen14
+| RPL-HX/S       | C0       | 06-bf-02/07 | 00000034 | 00000035 | Core Gen13/Gen14
+| RPL-S          | H0       | 06-bf-05/07 | 00000034 | 00000035 | Core Gen13/Gen14
+| SPR-HBM        | Bx       | 06-8f-08/10 | 2c000290 | 2c000390 | Xeon Max
+| SPR-SP         | E2       | 06-8f-05/87 | 2b000590 | 2b0005c0 | Xeon Scalable Gen4
+| SPR-SP         | E3       | 06-8f-06/87 | 2b000590 | 2b0005c0 | Xeon Scalable Gen4
+| SPR-SP         | E4/S2    | 06-8f-07/87 | 2b000590 | 2b0005c0 | Xeon Scalable Gen4
+| SPR-SP         | E5/S3    | 06-8f-08/87 | 2b000590 | 2b0005c0 | Xeon Scalable Gen4
+
 # Release Notes
 ## [microcode-20240312](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312)
 
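Review bot: prepending the new section adds a second "# Release Notes" top-level heading above the existing one for microcode-20240312, so the file now has repeated H1 headings, one per release. In the "Updated Platforms" table the two EMR-SP rows (A0, A1) have a Stepping cell one character narrower than the other rows, the header and separator rows have no closing "|", and the "New Platforms" table is header-only. If this file is imported verbatim from upstream, leave it as is and raise these upstream rather than patching locally.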
diff --git a/supplementary-ucode-20240312_BDX-ML.bin b/supplementary-ucode-20240514_BDX-ML.bin
similarity index 100%
rename from supplementary-ucode-20240312_BDX-ML.bin
rename to supplementary-ucode-20240514_BDX-ML.bin
