Hi Henrique,

On Thu, Jul 10, 2025 at 09:12:23AM +0200, Salvatore Bonaccorso wrote:
> Source: amd64-microcode
> Version: 3.20250311.1
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> Control: found -1 3.20250311.1~deb12u1
> 
> Hi Henrique,
> 
> The following vulnerabilities were published for amd64-microcode.
> 
> CVE-2024-36350[0]:
> | A transient execution vulnerability in some AMD processors may allow
> | an attacker to infer data from previous stores, potentially
> | resulting in the leakage of privileged information.
> 
> 
> CVE-2024-36357[1]:
> | A transient execution vulnerability in some AMD processors may allow
> | an attacker to infer data in the L1D cache, potentially resulting in
> | the leakage of sensitive information across privileged boundaries.
> 
> My understanding from the patch levels in amd-ucode/README is that we
> are not yet covered by the needed updates on microcode side[2] for 
> CVE-2024-36350/TSA-SQ and CVE-2024-36357/TSA-L1 in
> amd64-microcode/3.20250311.1. Correct?
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2024-36350
>     https://www.cve.org/CVERecord?id=CVE-2024-36350
> [1] https://security-tracker.debian.org/tracker/CVE-2024-36357
>     https://www.cve.org/CVERecord?id=CVE-2024-36357
> [2] https://www.amd.com/content/dam/amd/en/documents/resources/bulletin/technical-guidance-for-mitigating-transient-scheduler-attacks.pdf

If I am not wrong, those updates might be included in
https://gitlab.com/kernel-firmware/linux-firmware/-/commit/331eac9144402d6cfa02ff3b2888a40bb9a7a01a

Is this correct?

Regards,
Salvatore
