Hi Henrique,

On Sat, Jul 19, 2025 at 10:59:33PM +0200, Salvatore Bonaccorso wrote:
> Hi Henrique,
>
> On Thu, Jul 10, 2025 at 09:12:23AM +0200, Salvatore Bonaccorso wrote:
> > Source: amd64-microcode
> > Version: 3.20250311.1
> > Severity: grave
> > Tags: security upstream
> > X-Debbugs-Cc: [email protected], Debian Security Team
> > <[email protected]>
> > Control: found -1 3.20250311.1~deb12u1
> >
> > Hi Henrique,
> >
> > The following vulnerabilities were published for amd64-microcode.
> >
> > CVE-2024-36350[0]:
> > | A transient execution vulnerability in some AMD processors may allow
> > | an attacker to infer data from previous stores, potentially
> > | resulting in the leakage of privileged information.
> >
> >
> > CVE-2024-36357[1]:
> > | A transient execution vulnerability in some AMD processors may allow
> > | an attacker to infer data in the L1D cache, potentially resulting in
> > | the leakage of sensitive information across privileged boundaries.
> >
> > My understanding from the patch levels in amd-ucode/README is that we
> > are not yet covered by the needed updates on microcode side[2] for
> > CVE-2024-36350/TSA-SQ and CVE-2024-36357/TSA-L1 in
> > amd64-microcode/3.20250311.1. Correct?
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-36350
> >     https://www.cve.org/CVERecord?id=CVE-2024-36350
> > [1] https://security-tracker.debian.org/tracker/CVE-2024-36357
> >     https://www.cve.org/CVERecord?id=CVE-2024-36357
> > [2]
> > https://www.amd.com/content/dam/amd/en/documents/resources/bulletin/technical-guidance-for-mitigating-transient-scheduler-attacks.pdf
>
> If not wrong, those updates might be included in
> https://gitlab.com/kernel-firmware/linux-firmware/-/commit/331eac9144402d6cfa02ff3b2888a40bb9a7a01a
>
> Is this correct?

Will potentially as well need
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=3768c184de68a85b9df6697e7f93a2f61de90a99
?

Regards,
Salvatore

