Bug#1072238: bullseye-pu: package intel-microcode/3.20240514.1~deb11u1

2024-06-09 Thread Henrique de Moraes Holschuh
I uploaded it source-only a few days ago, but missed emailing this bug
report about it :-(

Thank you, and sorry for the delay!

On Wed, Jun 5, 2024, at 18:18, Jonathan Wiltshire wrote:
> Please go ahead.

-- 
  Henrique de Moraes Holschuh 



Bug#1072238: bullseye-pu: package intel-microcode/3.20240514.1~deb11u1

2024-06-05 Thread Jonathan Wiltshire
Control: tag -1 confirmed

Hi,

On Thu, May 30, 2024 at 03:56:03PM -0300, Henrique de Moraes Holschuh wrote:
> As requested by the security team, I would like to bring the microcode
> update level for Intel processors in Bullseye and Bookworm to match what
> we have in Sid and Trixie.  This is the bug report for Bullseye; a
> separate one will be filed for Bookworm.

Please go ahead.

Thanks,


-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1072238: bullseye-pu: package intel-microcode/3.20240514.1~deb11u1

2024-05-30 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]

As requested by the security team, I would like to bring the microcode
update level for Intel processors in Bullseye and Bookworm to match what
we have in Sid and Trixie.  This is the bug report for Bullseye; a
separate one will be filed for Bookworm.

This fixes:
* Several CVEs in many Intel processors
  - INTEL-SA-01051 (CVE-2023-45733)
  Hardware logic contains race conditions in some Intel Processors may
  allow an authenticated user to potentially enable partial information
  disclosure via local access.
  - INTEL-SA-01052 (CVE-2023-46103)
  Sequence of processor instructions leads to unexpected behavior in
  Intel Core Ultra Processors may allow an authenticated user to
  potentially enable denial of service via local access.
  - Mitigations for INTEL-SA-01036 (CVE-2023-45745, CVE-2023-47855)
  Improper input validation in some Intel TDX module software before
  version 1.5.05.46.698 may allow a privileged user to potentially enable
  escalation of privilege via local access.
* Unspecified functional issues on 4th gen and 5th gen Xeon Scalable,
  12th, 13th and 14th gen Intel Core processors, as well as for Core i3
  N-series processors.

There are no relevant issues reported on this microcode update,
considering the version of intel-microcode already available for
bookworm and bullseye.

[ Impact ]

If this update is not approved, owners of most recent "client" Intel
processors and a few server processors will depend on UEFI updates to be
protected against RFDS as well as the other issues listed above.

[ Tests ]

There were no bug reports from users of Debian sid or Trixie; these
packages have been tested there since 2024-05-18 (sid), 2024-05-22
(trixie).

[ Risks ]

Unknown, but not believed to be any different from other Intel microcode
updates.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

As per the debdiff, only documentation changes, package documentation
changes, and the binary blob change from upstream.

Diffstat:
 changelog            |   39 +++
 debian/changelog     |   50 ++
 intel-ucode/06-8f-05 |binary
 intel-ucode/06-8f-06 |binary
 intel-ucode/06-8f-07 |binary
 intel-ucode/06-8f-08 |binary
 intel-ucode/06-97-02 |binary
 intel-ucode/06-97-05 |binary
 intel-ucode/06-9a-03 |binary
 intel-ucode/06-9a-04 |binary
 intel-ucode/06-b7-01 |binary
 intel-ucode/06-be-00 |binary
 intel-ucode/06-bf-02 |binary
 intel-ucode/06-bf-05 |binary
 intel-ucode/06-cf-01 |binary
 intel-ucode/06-cf-02 |binary
 releasenote.md       |   42 ++
 17 files changed, 131 insertions(+)

[ Other info ]

The package version with "~" is needed to guarantee smooth updates to
the next debian release.

-- 
  Henrique Holschuh
diff --git a/changelog b/changelog
index fe44e7e..83989c4 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,42 @@
+2024-05-14:
+  * New upstream microcode datafile 20240514
+- Mitigations for INTEL-SA-01051 (CVE-2023-45733)
+  Hardware logic contains race conditions in some Intel Processors may
+  allow an authenticated user to potentially enable partial information
+  disclosure via local access.
+- Mitigations for INTEL-SA-01052 (CVE-2023-46103)
+  Sequence of processor instructions leads to unexpected behavior in
+  Intel Core Ultra Processors may allow an authenticated user to
+  potentially enable denial of service via local access.
+- Mitigations for INTEL-SA-01036 (CVE-2023-45745,  CVE-2023-47855)
+  Improper input validation in some Intel TDX module software before
+  version 1.5.05.46.698 may allow a privileged user to potentially enable
+  escalation of privilege via local access.
+- Fix for unspecified functional issues on 4th gen and 5th gen Xeon
+  Scalable, 12th, 13th and 14th gen Intel Core processors, as well as for
+  Core i3 N-series processors.
+  * Updated microcodes:
+sig 0x000806f8, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0, size 581632
+sig 0x000806f7, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
+sig 0x000806f6, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
+sig 0x000806f5, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
+sig 0x000806f4, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
+sig 0x000806f8, pf_mask 0x10, 2024-02-05, rev 0x2c000390, size 614400
+sig 0x000806f6, pf_mask 0x10, 2024-02-05, rev 0x2c000390
+sig 0x000806f5, pf_mask 0x10, 2024-02-05, rev 0x2c000390
+sig 0x000806f4, pf_mask 0x10, 2024-02-05, rev 0x2c000390
+sig 0x00090672, pf_mask 0x07, 2023-12-05, rev 0x0035, size 224256
+sig 0x00090675, pf_mask 0x07,
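
Review bot: the mitigation list in the 2024-05-14 entry names INTEL-SA-01051, INTEL-SA-01052 and INTEL-SA-01036 but has no RFDS item, while the [ Impact ] section of the request gives RFDS as one of the issues users stay exposed to without this update. If this datafile carries the RFDS fix, add its advisory to the entry; if an earlier upload already shipped it, the impact text should say so, so that the request and the changelog describe the same set of fixes. Minor style point: the INTEL-SA-01036 line has a double space in "CVE-2023-45745,  CVE-2023-47855".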