Hi Tobias,

On Fri, Mar 17, 2023 at 07:41:28PM +0000, Tobias Frost wrote:
> On 17 March 2023 19:18:50 UTC, Salvatore Bonaccorso <car...@debian.org> wrote:
> >
> >On Thu, Mar 16, 2023 at 04:06:29PM +0100, Tobias Frost wrote:
> >> Package: release.debian.org
> >> Severity: normal
> >> Tags: bullseye
> >> User: release.debian....@packages.debian.org
> >> Usertags: pu
> >> X-Debbugs-Cc: intel-microc...@packages.debian.org, Salvatore Bonaccorso
> >> <car...@debian.org>
> >> Control: affects -1 + src:intel-microcode
> >>
> >> (Please refer to #1032847#12 for security team's feedback
> >> that this should go through SPU.)
> >>
> >> The upload updates intel microcodes to target (See #1031334)
> >> - INTEL-SA-00700: CVE-2022-21216
> >> - INTEL-SA-00730: CVE-2022-33972
> >> - INTEL-SA-00738: CVE-2022-33196
> >> - INTEL-SA-00767: CVE-2022-38090
> >>
> >> the CVEs are information disclosure via local access vulnerabilities and
> >> potential privilege escalations.
> >
> >Note that speaking of fixed CVEs, for bullseye and older with the
> >upload CVE-2022-21233 gets fixed as well (this one was as well not
> >warranting a DSA, it is as well SGX related).
>
> Yes, this CVE is fixed in 3.20220809.1, which is part of this update.
> To make sure I don't miss it: I thought I do not need to repeat the
> CVE in d/changelog if it is mentioned in earlier d/changelog
> entries, right?

Yes, this is correct, you do not need to mention it. I just wanted to
make double sure it's as well on the radar (and have not checked if
you have uploaded with -v to include the intermediate changelog entries
as well).

Thank you!

Regards,
Salvatore