
Re: [SECURITY] [DLA 2743-1] amd64-microcode security update



Utkarsh Gupta <utkarsh@debian.org> writes:

> -----------------------------------------------------------------------
> Debian LTS Advisory DLA-2743-1              debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                      Utkarsh Gupta
> August 16, 2021                             https://wiki.debian.org/LTS
> -----------------------------------------------------------------------
>
> Package        : amd64-microcode
> Version        : 3.20181128.1~deb9u1
> CVE ID         : CVE-2017-5715
> Debian Bug     : 886382
>
> It was discovered that systems with microprocessors utilizing
> speculative execution and indirect branch prediction may allow
> unauthorized disclosure of information to an attacker with local
> user access via a side-channel analysis (Spectre v2).
> Multiple fixes were done already in Linux kernel, intel-microcode,
> et al. This fix adds amd-microcode-based IBPB support.
>
> For Debian 9 stretch, this problem has been fixed in version
> 3.20181128.1~deb9u1.
>
> We recommend that you upgrade your amd64-microcode packages.
>
> For the detailed security status of amd64-microcode please refer to
> its security tracker page at:
> https://security-tracker.debian.org/tracker/amd64-microcode
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS

Greetings to the Debian LTS team :)

Since the published date of the Debian LTS Advisory (DLA-2743-1), to this point
in time, the upgraded package fails to be discovered by "aptitude update".

My investigation has found that the expected upgraded package,
"amd64-microcode_3.20181128.1~deb9u1_amd64.deb", is missing from:

https://security.debian.org/debian-security/pool/updates/non-free/a/amd64-microcode/

Also, the package list shown below has not been updated since 09
July, 2021:

https://security.debian.org/debian-security/dists/stretch/updates/non-free/binary-amd64/Packages.xz

Are you able to advise me on the actual status of this upgrade?

I welcome your feedback on this matter.

My kindest regards,
BRN.
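
The check described in the message above (is the advisory's fixed version listed in the archive's `Packages.xz`?), as an added example that is not part of the original message or of Debian's own tooling. It assumes the index has already been fetched as bytes; the sample index and its older version number are constructed, and the comparison reimplements dpkg's version ordering, in which a `~deb9u1` suffix sorts before the bare upstream version.

```python
import lzma
import re
from itertools import zip_longest

FIXED = ("amd64-microcode", "3.20181128.1~deb9u1")  # package and version from the DLA

def _key(s, width):
    # dpkg ordering of non-digit text: '~' < end of string < letters < other symbols
    order = [-1 if c == "~" else ord(c) + (0 if c.isalpha() else 256) for c in s]
    return order + [0] * (width - len(s))

def _cmp_part(a, b):
    chunks = lambda s: re.findall(r"([^0-9]*)([0-9]*)", s)
    for (sa, na), (sb, nb) in zip_longest(chunks(a), chunks(b), fillvalue=("", "")):
        width = max(len(sa), len(sb))
        ka, kb = (_key(sa, width), int(na or 0)), (_key(sb, width), int(nb or 0))
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def deb_cmp(a, b):  # returns -1, 0 or 1 following dpkg's ordering rules
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def index_versions(packages_xz, name):
    """Versions of `name` listed in an xz-compressed Packages index."""
    found = []
    for stanza in lzma.decompress(packages_xz).decode().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines()
                      if ": " in line and not line[0].isspace())
        if fields.get("Package") == name and "Version" in fields:
            found.append(fields["Version"])
    return found

def fix_published(packages_xz, name=FIXED[0], fixed=FIXED[1]):
    """True once the index offers `name` at the advisory's fixed version or later."""
    return any(deb_cmp(v, fixed) >= 0 for v in index_versions(packages_xz, name))

# Constructed sample index (not real archive data): only an older version is listed.
STALE = lzma.compress(b"Package: amd64-microcode\nVersion: 3.20160316.3\n"
                      b"Architecture: amd64\n\nPackage: example\nVersion: 1.0-1\n")

if __name__ == "__main__":
    print("fix published:", fix_published(STALE))
```
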

