Re: DLA-2743-1 amd64-microcode incomplete
On Mon, Sep 20, 2021, at 02:34, Ola Lundqvist wrote: > Hi Henrique and others > > A question about this. Can't we simply do a binary build and upload that to > solve the problem? At least for non-ELTS, uploading a binary build typically works, and at least once I fixed such an issue by just doing a binary (arch) upload, yes. But I am not involved directly with the ELTS upload, and I don't know what's acceptable/accepted there. > On Wed, 15 Sept 2021 at 12:54, Henrique de Moraes Holschuh > wrote: >> Hello, >> >> The microcode packages have been whitelisted for at least a decade, however >> non-free auto-building is spotty. Intel-microcode faces the same issue. I >> don't really recall if contrib is any better. >> >> This has bitten me so many times, I never do uploads of non-free >> intel-microcode or amd64-microcode missing binaries to debian-security, or >> when racing the deadline for a s-p-u. They're all source+i386+amd64. >> >> For unstable, source-only works and has worked well for a while. It likely >> works for stable as well as it should have inherited that from unstable... >> But old(*)stable, security and backports? I would not hold my breath: I'd >> have to "test the waters" first to know. >> >> On Tue, Aug 31, 2021, at 16:22, Holger Levsen wrote: >> > On Tue, Aug 31, 2021 at 01:13:28PM +0200, Philipp Hahn wrote: >> > > What needs to be done to get "amd64-micocode" in version >> > > "3.20181128.1~deb9u1" into "stretch-security"? >> > > Build it manually and upload it somewhere? >> > >> > yes. (and utkarsh is on it.) >> > >> > > Can we so something to prevent this from happening again: >> > >> > it seems security/non-free is currently not autobuilt at all, so >> > I suppose this needs to be addressed and than amd64-microcode needs to >> > be whitelisted to be autobuilt there (as any other non-free package). >> >> -- Henrique de Moraes Holschuh
Re: DLA-2743-1 amd64-microcode incomplete
Hello, The microcode packages have been whitelisted for at least a decade, however non-free auto-building is spotty. Intel-microcode faces the same issue. I don't really recall if contrib is any better. This has bitten me so many times, I never do uploads of non-free intel-microcode or amd64-microcode missing binaries to debian-security, or when racing the deadline for a s-p-u. They're all source+i386+amd64. For unstable, source-only works and has worked well for a while. It likely works for stable as well as it should have inherited that from unstable... But old(*)stable, security and backports? I would not hold my breath: I'd have to "test the waters" first to know. On Tue, Aug 31, 2021, at 16:22, Holger Levsen wrote: > On Tue, Aug 31, 2021 at 01:13:28PM +0200, Philipp Hahn wrote: > > What needs to be done to get "amd64-micocode" in version > > "3.20181128.1~deb9u1" into "stretch-security"? > > Build it manually and upload it somewhere? > > yes. (and utkarsh is on it.) > > > Can we so something to prevent this from happening again: > > it seems security/non-free is currently not autobuilt at all, so > I suppose this needs to be addressed and than amd64-microcode needs to > be whitelisted to be autobuilt there (as any other non-free package). -- Henrique de Moraes Holschuh
[SECURITY] [DLA 1789-2] intel-microcode security update
Package: intel-microcode Version: 3.20190618~deb8u1 CVE ID : CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 Debian Bug : 929073 DLA-1789-1 shipped updated CPU microcode for most types of Intel CPUs as mitigations for the MSBDS, MFBDS, MLPDS and MDSUM hardware vulnerabilities. This update provides additional support for some Sandybridge server and Core-X CPUs which were not covered in the original May microcode release. For a list of specific CPU models now supported please refer to the entries listed under CPUID 206D6 and 206D7 at https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf For Debian 8 "Jessie", these problems have been fixed in version 3.20190618.1~deb8u1 of the intel-microcode package. We recommend that you upgrade your intel-microcode packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS For the detailed security status of intel-microcode please refer to its security tracker page at: https://security-tracker.debian.org/tracker/intel-microcode -- Henrique Holschuh signature.asc Description: PGP signature
Accepted intel-microcode 3.20190618.1~deb8u1 (amd64 i386 source) into oldstable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 19 Jun 2019 09:47:43 -0300 Binary: intel-microcode Source: intel-microcode Architecture: amd64 i386 source Version: 3.20190618.1~deb8u1 Distribution: jessie-security Urgency: medium Maintainer: Henrique de Moraes Holschuh Changed-By: Henrique de Moraes Holschuh Description: intel-microcode - Processor microcode firmware for Intel CPUs Changes: intel-microcode (3.20190618.1~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie-lts (no changes) * Refer to DLA 1789-1 for details . intel-microcode (3.20190618.1) unstable; urgency=medium . * New upstream microcode datafile 20190618 + SECURITY UPDATE Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223 CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 for Sandybridge server and Core-X processors + Updated Microcodes: sig 0x000206d6, pf_mask 0x6d, 2019-05-21, rev 0x061f, size 18432 sig 0x000206d7, pf_mask 0x6d, 2019-05-21, rev 0x0718, size 19456 * Add some missing (minor) changelog entries to 3.20190514.1 * Reformat 3.20190514.1 changelog entry to match rest of changelog Checksums-Sha1: 97ffbee2784c614b02c717bf0d6b40dd875f0d48 1817 intel-microcode_3.20190618.1~deb8u1.dsc 6bc31df92d064088e5eef6b9c43285a311ca6063 2617272 intel-microcode_3.20190618.1~deb8u1.tar.xz 12a16f066efd49c81f7380d15b302693430b0b92 1941996 intel-microcode_3.20190618.1~deb8u1_amd64.deb a890d0aa2632d4c45df054e7f1d4dd87ff481f3a 2082652 intel-microcode_3.20190618.1~deb8u1_i386.deb Checksums-Sha256: d734fd125b8a7f32501b3ee592a40d7aec9b2f1cf7419f012b7ea299806ccc83 1817 intel-microcode_3.20190618.1~deb8u1.dsc 554749ebe392c52e1f58420e45e542e6e1669128a10d81544666df6e9ed144b1 2617272 intel-microcode_3.20190618.1~deb8u1.tar.xz 477d7430d39f7891db3efc568695965e5079c612cfb073999e7feb62008d21ca 1941996 intel-microcode_3.20190618.1~deb8u1_amd64.deb 0f71ab5c1676d54a9737b36ba22700480498f131fb2c301c549075c125229467 2082652 intel-microcode_3.20190618.1~deb8u1_i386.deb Files: c1165e83781ce3af31bf5d68a1a342b3 1817 non-free/admin standard intel-microcode_3.20190618.1~deb8u1.dsc 39a8635bb11e2b83de9aa88c4f3f95eb 2617272 non-free/admin standard intel-microcode_3.20190618.1~deb8u1.tar.xz c6bc498998d37823160ad9aec4805ded 1941996 non-free/admin standard intel-microcode_3.20190618.1~deb8u1_amd64.deb a81bec36d7855c654cee91760869cbc1 2082652 non-free/admin standard intel-microcode_3.20190618.1~deb8u1_i386.deb -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEMr8sdJFqJgkTTH+qsZwaZk2P+bEFAl0KyKIACgkQsZwaZk2P +bE70A/8DrLa416gSAL9xY5tLOGjg9j2iAti0jJDxS5+zvq47aBeRljg6tgh+Nky H2o9xyZW82y0amUWCMpfP5z8SH0ddhcH/Sxez9Et1XLKHJhW8EjUmfQyDjVF3fXR OL5UogBYPj6MYE4I9uViwzM8xw+caa9P8PjzZTh37kif3ZNiZsA0PGMS2VFCGOhq ty8qdiquxyNcWqW+XtvJEHA/q/MOTZPtl6mCiNuKFp2GHHOciBlhVMEM4HOnj5M6 hMssNXa7U217jwZEHeTfmpepF96AmErIlokfkFwIlT9UvqSUVPvvogEKyic27WJ2 dRSe2PtKW8WUsEcwruuLSkelkkGrLO9UUxcU7AC3z2c0vp/0IbrnS6q7YoLvnp/T ncv+DGyfZrwXeGCQLhhtMLiFPUJmtMqssqw4KAnsI9dxyIG0zq4EOmlSZsOixs84 X5lxQ1tnVQzHDbqNDzpnr2PXMEFB2KPCp/cYJ2HHR6E9/7a/v9yLRSezCnHZ+Ze+ 6asfq8NpFt0Odt/1GvuKbPXo5odSQvlRiv+/kXXyyl/pvgrp3sNupFjzq0vKrmtr gMOJmVDzGJ6sskP8idNnqlSwA2aU+pTIODXMi8ekJWOBWKCrIHQF7F6onDw+Gc/z pZiKCaCcwAp6RuzFbKPjMQ7ESJkrBaC68X3IDOUS+JKH65XtmdY= =wbAQ -END PGP SIGNATURE-
[SECURITY] [DLA 1789-1] intel-microcode security update
Package: intel-microcode Version: 3.20190514.1~deb8u1 CVE ID : CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 Debian Bug : 929007 This update ships updated CPU microcode for most types of Intel CPUs. It provides microcode support to implement mitigations for the MSBDS, MFBDS, MLPDS and MDSUM hardware vulnerabilities. To fully resolve these vulnerabilities it is also necessary to update the Linux kernel packages. Please refer to DLA-1787-1 for the Linux kernel updates required to mitigate these hardware vulnerabilities on Intel processors. For Debian 8 "Jessie", these problems have been fixed in version 3.20190514.1~deb8u1 of the intel-microcode package, and also by the Linux kernel package updates described in DLA-1787-1. We recommend that you upgrade your intel-microcode packages, and Linux kernel packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS For the detailed security status of intel-microcode please refer to its security tracker page at: https://security-tracker.debian.org/tracker/intel-microcode -- Henrique Holschuh signature.asc Description: PGP signature
Accepted intel-microcode 3.20190514.1~deb8u1 (amd64 i386 source) into oldstable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 14 May 2019 22:00:43 -0300 Source: intel-microcode Binary: intel-microcode Architecture: amd64 i386 source Version: 3.20190514.1~deb8u1 Distribution: jessie-security Urgency: high Maintainer: Henrique de Moraes Holschuh Changed-By: Henrique de Moraes Holschuh Closes: 907402 Description: intel-microcode - Processor microcode firmware for Intel CPUs Changes: intel-microcode (3.20190514.1~deb8u1) jessie-security; urgency=high . * Rebuild for jessie-lts (no changes) . intel-microcode (3.20190514.1) unstable; urgency=high . * New upstream microcode datafile 20190514 * SECURITY UPDATE Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223 CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 * New Microcodes: sig 0x00030678, pf_mask 0x02, 2019-04-22, rev 0x0838, size 52224 sig 0x00030678, pf_mask 0x0c, 2019-04-22, rev 0x0838, size 52224 sig 0x00030679, pf_mask 0x0f, 2019-04-23, rev 0x090c, size 52224 sig 0x000406c3, pf_mask 0x01, 2019-04-23, rev 0x0368, size 69632 sig 0x000406c4, pf_mask 0x01, 2019-04-23, rev 0x0411, size 68608 sig 0x00050657, pf_mask 0xbf, 2019-02-27, rev 0x521, size 47104 * Updated Microcodes: sig 0x000206a7, pf_mask 0x12, 2019-02-17, rev 0x002f, size 12288 sig 0x000306a9, pf_mask 0x12, 2019-02-13, rev 0x0021, size 14336 sig 0x000306c3, pf_mask 0x32, 2019-02-26, rev 0x0027, size 23552 sig 0x000306d4, pf_mask 0xc0, 2019-03-07, rev 0x002d, size 19456 sig 0x000306e4, pf_mask 0xed, 2019-03-14, rev 0x042e, size 16384 sig 0x000306e7, pf_mask 0xed, 2019-03-14, rev 0x0715, size 17408 sig 0x000306f2, pf_mask 0x6f, 2019-03-01, rev 0x0043, size 34816 sig 0x000306f4, pf_mask 0x80, 2019-03-01, rev 0x0014, size 18432 sig 0x00040651, pf_mask 0x72, 2019-02-26, rev 0x0025, size 21504 sig 0x00040661, pf_mask 0x32, 2019-02-26, rev 0x001b, size 25600 sig 0x00040671, pf_mask 0x22, 2019-03-07, rev 0x0020, size 14336 sig 0x000406e3, pf_mask 0xc0, 2019-04-01, rev 0x00cc, size 100352 sig 0x000406f1, pf_mask 0xef, 2019-03-02, rev 0xb36, size 30720 sig 0x00050654, pf_mask 0xb7, 2019-04-02, rev 0x25e, size 32768 sig 0x00050662, pf_mask 0x10, 2019-03-23, rev 0x001a, size 32768 sig 0x00050663, pf_mask 0x10, 2019-03-23, rev 0x717, size 24576 sig 0x00050664, pf_mask 0x10, 2019-03-23, rev 0xf15, size 23552 sig 0x00050665, pf_mask 0x10, 2019-03-23, rev 0xe0d, size 19456 sig 0x000506c9, pf_mask 0x03, 2019-01-15, rev 0x0038, size 17408 sig 0x000506ca, pf_mask 0x03, 2019-03-01, rev 0x0016, size 15360 sig 0x000506e3, pf_mask 0x36, 2019-04-01, rev 0x00cc, size 100352 sig 0x000506f1, pf_mask 0x01, 2019-03-21, rev 0x002e, size 11264 sig 0x000706a1, pf_mask 0x01, 2019-01-02, rev 0x002e, size 73728 sig 0x000806e9, pf_mask 0x10, 2019-04-01, rev 0x00b4, size 98304 sig 0x000806e9, pf_mask 0xc0, 2019-04-01, rev 0x00b4, size 99328 sig 0x000806ea, pf_mask 0xc0, 2019-04-01, rev 0x00b4, size 99328 sig 0x000806eb, pf_mask 0xd0, 2019-03-30, rev 0x00b8, size 98304 sig 0x000806ec, pf_mask 0x94, 2019-03-30, rev 0x00b8, size 97280 sig 0x000906e9, pf_mask 0x2a, 2019-04-01, rev 0x00b4, size 99328 sig 0x000906ea, pf_mask 0x22, 2019-04-01, rev 0x00b4, size 98304 sig 0x000906eb, pf_mask 0x02, 2019-04-01, rev 0x00b4, size 99328 sig 0x000906ec, pf_mask 0x22, 2019-02-14, rev 0x00ae, size 98304 sig 0x000906ed, pf_mask 0x22, 2019-03-17, rev 0x00b8, size 97280 . intel-microcode (3.20190312.1) unstable; urgency=medium . * New upstream microcode datafile 20190312 + Removed Microcodes: sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720 + New Microcodes: sig 0x000806e9, pf_mask 0x10, 2018-10-18, rev 0x009e, size 98304 sig 0x000806eb, pf_mask 0xd0, 2018-10-25, rev 0x00a4, size 99328 sig 0x000806ec, pf_mask 0x94, 2019-02-12, rev 0x00b2, size 98304 sig 0x000906ec, pf_mask 0x22, 2018-09-29, rev 0x00a2, size 98304 sig 0x000906ed, pf_mask 0x22, 2019-02-04, rev 0x00b0, size 97280 + Updated Microcodes: sig 0x000306f2, pf_mask 0x6f, 2018-11-20, rev 0x0041, size 34816 sig 0x000306f4, pf_mask 0x80, 2018-11-06, rev 0x0013, size 17408 sig 0x00050654, pf_mask 0xb7, 2019-01-28, rev 0x25a, size 33792 sig 0x00050662, pf_mask 0x10, 2018-12-06, rev 0x0019, size 32768 sig 0x00050663, pf_mask 0x10, 2018-12-06, rev 0x716, size 23552 sig 0x00050664, pf_mask 0x10, 2018-11-17, rev 0xf14, size 23552 sig 0x00050665, pf_mask 0x10, 2018-11-17, rev 0xe0c, size 19456 sig 0x000506c9, pf_mask 0x03, 2018-09-14, rev 0x0036, size 17408 sig 0x000506ca, pf_mask 0x03, 2018-09-20, rev 0x0010, size 15360 sig 0x000706a1, pf_mask 0x01, 2018-09-21, rev 0x002c, size 73728 sig 0x000806e9, pf_mask
Accepted intel-microcode 3.20180807a.1~deb8u1 (amd64 i386 source) into oldstable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 15 Sep 2018 17:09:08 -0300 Source: intel-microcode Binary: intel-microcode Architecture: amd64 i386 source Version: 3.20180807a.1~deb8u1 Distribution: jessie-security Urgency: high Maintainer: Henrique de Moraes Holschuh Changed-By: Henrique de Moraes Holschuh Closes: 903135 903141 906158 906160 Description: intel-microcode - Processor microcode firmware for Intel CPUs Changes: intel-microcode (3.20180807a.1~deb8u1) jessie-security; urgency=high . * Upload to Debian jessie-security (no changes) * Security fixes: Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 Intel SA-00115, CVE-2018-3639, CVE-2018-3640 Intel SA-00088, CVE-2017-5753, CVE-2017-5754 . intel-microcode (3.20180807a.1) unstable; urgency=high . [ Henrique de Moraes Holschuh ] * New upstream microcode datafile 20180807a (closes: #906158, #906160, #903135, #903141) + New Microcodes: sig 0x000206c2, pf_mask 0x03, 2018-05-08, rev 0x001f, size 11264 sig 0x000206e6, pf_mask 0x04, 2018-05-15, rev 0x000d, size 9216 sig 0x000506c2, pf_mask 0x01, 2018-05-11, rev 0x0014, size 15360 sig 0x000506ca, pf_mask 0x03, 2018-05-11, rev 0x000c, size 14336 sig 0x000506f1, pf_mask 0x01, 2018-05-11, rev 0x0024, size 10240 + Updated Microcodes: sig 0x000106a5, pf_mask 0x03, 2018-05-11, rev 0x001d, size 12288 sig 0x000106e5, pf_mask 0x13, 2018-05-08, rev 0x000a, size 9216 sig 0x00020652, pf_mask 0x12, 2018-05-08, rev 0x0011, size 9216 sig 0x00020655, pf_mask 0x92, 2018-04-23, rev 0x0007, size 4096 sig 0x000206a7, pf_mask 0x12, 2018-04-10, rev 0x002e, size 12288 sig 0x000206f2, pf_mask 0x05, 2018-05-16, rev 0x003b, size 14336 sig 0x000306a9, pf_mask 0x12, 2018-04-10, rev 0x0020, size 13312 sig 0x000306c3, pf_mask 0x32, 2018-04-02, rev 0x0025, size 23552 sig 0x000306d4, pf_mask 0xc0, 2018-03-22, rev 0x002b, size 18432 sig 0x00040651, pf_mask 0x72, 2018-04-02, rev 0x0024, size 22528 sig 0x00040661, pf_mask 0x32, 2018-04-02, rev 0x001a, size 25600 sig 0x00040671, pf_mask 0x22, 2018-04-03, rev 0x001e, size 13312 sig 0x000406e3, pf_mask 0xc0, 2018-04-17, rev 0x00c6, size 99328 sig 0x00050662, pf_mask 0x10, 2018-05-25, rev 0x0017, size 31744 sig 0x00050663, pf_mask 0x10, 2018-04-20, rev 0x713, size 22528 sig 0x00050664, pf_mask 0x10, 2018-04-20, rev 0xf12, size 22528 sig 0x000506c9, pf_mask 0x03, 2018-05-11, rev 0x0032, size 16384 sig 0x000506e3, pf_mask 0x36, 2018-04-17, rev 0x00c6, size 99328 sig 0x000706a1, pf_mask 0x01, 2018-05-22, rev 0x0028, size 73728 sig 0x000806e9, pf_mask 0xc0, 2018-03-24, rev 0x008e, size 98304 sig 0x000806ea, pf_mask 0xc0, 2018-05-15, rev 0x0096, size 98304 sig 0x000906e9, pf_mask 0x2a, 2018-03-24, rev 0x008e, size 98304 sig 0x000906ea, pf_mask 0x22, 2018-05-02, rev 0x0096, size 97280 sig 0x000906eb, pf_mask 0x02, 2018-03-24, rev 0x008e, size 98304 + Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation) Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 + Implements SSBD support (Spectre v4 mitigation), Disable speculation for (some) RDMSR/WRMSR (Spectre v3a fix) Intel SA-00115, CVE-2018-3639, CVE-2018-3640 + Implements IBRS/IBPB/STIPB support, Spectre v2 mitigation for older processors with signatures 0x106a5, 0x106e5, 0x20652, 0x20655. Intel SA-0088, CVE-2017-5753, CVE-2017-5754 * source: update symlinks to reflect id of the latest release, 20180807a * debian/intel-microcode.docs: ship license and releasenote upstream files. * debian/changelog: update entry for 3.20180703.1 with L1TF information . [ Julian Andres Klode ] * initramfs: include all microcode for MODULES=most. Default to early instead of auto, and install all of the microcode, not just the one matching the current CPU, if MODULES=most is set in the initramfs-tools config (LP: #1778738) Checksums-Sha1: f73f5e172708bd370cceb85f42dfd6193399b3c5 1817 intel-microcode_3.20180807a.1~deb8u1.dsc 7be06cad9c5d97daaf098cbbb723b913bd36c316 1982656 intel-microcode_3.20180807a.1~deb8u1.tar.xz e1446d5183b15fed4ac872150de87edf15119753 1296306 intel-microcode_3.20180807a.1~deb8u1_amd64.deb 166dadeb7f19084774a3e2bed33e47887e60822c 1436940 intel-microcode_3.20180807a.1~deb8u1_i386.deb Checksums-Sha256: 3517aa4f8d5aa2a28543dcca8a9a4fdeefa76c48e47deae901e315c135aa8b97 1817 intel-microcode_3.20180807a.1~deb8u1.dsc 4fc04018ba2dec97e9959816d6fb3b61de8c391286395287ed2691e2bbd23f4e 1982656 intel-microcode_3.20180807a.1~deb8u1.tar.xz b719189883cb8b30e721732f210ddafc022892c78c6ad929274c9c7f9ad5a735 1296306 intel-microcode_3.20180807a.1~deb8u1_amd64.deb 2e96e8697a9fe11034c2f082d33248bea7c104c13c871d3f7679ff8aecad367b 1436940 intel-microcode_3.2