------------------------------------------------------------------------- Debian LTS Advisory DLA-3525-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Ben Hutchings August 11, 2023 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : linux-5.10 Version : 5.10.179-5~deb10u1 CVE ID : CVE-2022-40982 CVE-2023-20569 CVE-2022-40982 Daniel Moghimi discovered Gather Data Sampling (GDS), a hardware vulnerability for Intel CPUs which allows unprivileged speculative access to data which was previously stored in vector registers. This mitigation requires updated CPU microcode provided in the intel-microcode package. For details please refer to <https://downfall.page/> and <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html>. CVE-2023-20569 Daniel Trujillo, Johannes Wikner and Kaveh Razavi discovered INCEPTION, also known as Speculative Return Stack Overflow (SRSO), a transient execution attack that leaks arbitrary data on all AMD Zen CPUs. An attacker can mis-train the CPU BTB to predict non- architectural CALL instructions in kernel space and use this to control the speculative target of a subsequent kernel RET, potentially leading to information disclosure via a speculative side-channel. For details please refer to <https://comsec.ethz.ch/research/microarch/inception/> and <https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-7005>. For Debian 10 buster, these problems have been fixed in version 5.10.179-5~deb10u1. We recommend that you upgrade your linux-5.10 packages. For the detailed security status of linux-5.10 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux-5.10 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature