Re: [SECURITY] [DLA 2743-1] amd64-microcode security update
- To: debian-lts@lists.debian.org
- Cc: Utkarsh Gupta <utkarsh@debian.org>
- Subject: Re: [SECURITY] [DLA 2743-1] amd64-microcode security update
- From: brn@iinet.net.au
- Date: Thu, 14 Oct 2021 22:48:58 +0800
- Message-id: <87ilxzach1.fsf@mail.domain>
- In-reply-to: <CAPP0f95cbct55Vp=UGuP16RHkpPf5yhFn2bmHAa339mpKJkSTA@mail.gmail.com> (Utkarsh Gupta's message of "Mon, 16 Aug 2021 12:32:26 +0530")
- References: <CAPP0f95cbct55Vp=UGuP16RHkpPf5yhFn2bmHAa339mpKJkSTA@mail.gmail.com>
Utkarsh Gupta <utkarsh@debian.org> writes:
> -----------------------------------------------------------------------
> Debian LTS Advisory DLA-2743-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                        Utkarsh Gupta
> August 16, 2021                               https://wiki.debian.org/LTS
> -----------------------------------------------------------------------
>
> Package : amd64-microcode
> Version : 3.20181128.1~deb9u1
> CVE ID : CVE-2017-5715
> Debian Bug : 886382
>
> It was discovered that systems with microprocessors utilizing
> speculative execution and indirect branch prediction may allow
> unauthorized disclosure of information to an attacker with local
> user access via a side-channel analysis (Spectre v2).
> Multiple fixes were done already in Linux kernel, intel-microcode,
> et al. This fix adds amd-microcode-based IBPB support.
>
> For Debian 9 stretch, this problem has been fixed in version
> 3.20181128.1~deb9u1.
>
> We recommend that you upgrade your amd64-microcode packages.
>
> For the detailed security status of amd64-microcode please refer to
> its security tracker page at:
> https://security-tracker.debian.org/tracker/amd64-microcode
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
Greetings to the Debian LTS team :)

Since the published date of the Debian LTS Advisory (DLA-2743-1), to this point
in time, the upgraded package fails to be discovered by "aptitude update".

My investigation has found that the expected upgraded package,
"amd64-microcode_3.20181128.1~deb9u1_amd64.deb", is missing from:

https://security.debian.org/debian-security/pool/updates/non-free/a/amd64-microcode/

Also, the package list shown below has not been updated since 09
July, 2021:

https://security.debian.org/debian-security/dists/stretch/updates/non-free/binary-amd64/Packages.xz

Are you able to advise me on the actual status of this upgrade?

I welcome your feedback on this matter.

My kindest regards,
BRN.
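
The check described in the message above, as an added example that is not part of the original thread or of any Debian tool: it tests whether a decompressed Packages index lists a version at or above the fixed version named in the advisory. The comparison is a port of dpkg's version ordering (where `~` sorts before everything); the function names and the sample index contents are constructed for illustration.

```python
import re
from itertools import zip_longest

FIXED = "3.20181128.1~deb9u1"  # fixed version stated in DLA-2743-1
_TOKENS = re.compile(r"([^0-9]*)([0-9]*)")  # alternating non-digit / digit runs

def _order(c):  # dpkg: '~' sorts before everything, even end of string ("")
    if c in ("", "~"):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    pairs = zip_longest(_TOKENS.findall(a), _TOKENS.findall(b), fillvalue=("", ""))
    for (na, da), (nb, db) in pairs:
        for k in range(max(len(na), len(nb))):
            diff = _order(na[k:k + 1]) - _order(nb[k:k + 1])
            if diff:
                return diff
        if int(da or 0) != int(db or 0):  # digit runs compare numerically
            return int(da or 0) - int(db or 0)
    return 0

def _split(v):
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    return (int(epoch), upstream, rev) if sep else (int(epoch), rest, "")

def deb_version_cmp(v1, v2):
    """Negative, zero or positive, like dpkg --compare-versions."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def package_versions(packages_text, name):
    stanzas = (dict(l.split(": ", 1) for l in s.splitlines() if ": " in l and l[0] != " ")
               for s in packages_text.strip().split("\n\n"))
    return [f.get("Version", "") for f in stanzas if f.get("Package") == name]

def fix_published(packages_text, name, fixed=FIXED):
    return any(deb_version_cmp(v, fixed) >= 0 for v in package_versions(packages_text, name))

# Constructed sample of a decompressed Packages index; these versions are made up.
STALE_INDEX = """Package: amd64-microcode
Version: 3.20160101.1

Package: example-firmware
Version: 1.0-1
"""

print(fix_published(STALE_INDEX, "amd64-microcode"))
```

Because of the `~` rule, `3.20181128.1~deb9u1` sorts below a plain `3.20181128.1`, so a plain string comparison of the two versions would give the wrong answer.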