
Bug#954023: stretch-pu: package amd64-microcode/3.20181128.1~deb9u1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I have prepared an update for amd64-microcode for Debian Stretch, which
fixes CVE-2017-5715. Please see the attached debdiff.

This is the newer upstream version, which fixes CVE-2017-5715.
The Security team marked this CVE for Stretch as <no-dsa> [1].

The package version with "~" is needed to guarantee the smooth update
to buster, where the current version is 3.20181128.1.

Also, I am preparing an update for Jessie [2] and it would be good
to have 3.20181128.1~deb9u1 in Stretch for the smooth Jessie->Stretch
upgrade.

Please review the debdiff and let me know whether I may proceed with an update
or make some changes.

[1] https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c9dda4132363fd5b169a3aad5fec48a4e4d2f72#4716ef5aa8f2742228ba3b3633215c8b808565e3_171225_171225
[2] https://lists.debian.org/<e348ef55-5aff-fc62-64e0-eddfdd2936c4@debian.org> 

Best regards

Anton

diff -Nru amd64-microcode-3.20160316.3/debian/changelog amd64-microcode-3.20181128.1~deb9u1/debian/changelog
--- amd64-microcode-3.20160316.3/debian/changelog	2016-11-30 02:54:53.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb9u1/debian/changelog	2020-03-12 20:29:09.000000000 +0100
@@ -1,3 +1,72 @@
+amd64-microcode (3.20181128.1~deb9u1) stretch; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * New upstream release.
+  * Add IBPB support for family 17h AMD processors (CVE-2017-5715)
+    (since version 3.20180515.1).
+
+ -- Anton Gladky <gladk@debian.org>  Thu, 12 Mar 2020 20:29:09 +0100
+
+amd64-microcode (3.20181128.1) unstable; urgency=medium
+
+  * New microcode update packages from AMD upstream:
+    + New Microcodes:
+      sig 0x00800f82, patch id 0x0800820b, 2018-06-20
+  * README: update for new release
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 15 Dec 2018 18:42:12 -0200
+
+amd64-microcode (3.20180524.1) unstable; urgency=high
+
+  * New microcode update packages from AMD upstream:
+    + Re-added Microcodes:
+      sig 0x00610f01, patch id 0x06001119, 2012-07-13
+  * This update avoids regressing sig 0x610f01 processors on systems with
+    outdated firmware by adding back exactly the same microcode patch that was
+    present before [for these processors].  It does not implement Spectre-v2
+    mitigation for these processors.
+  * README: update for new release
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Fri, 25 May 2018 15:38:22 -0300
+
+amd64-microcode (3.20180515.1) unstable; urgency=high
+
+  * New microcode update packages from AMD upstream:
+    + New Microcodes:
+      sig 0x00800f12, patch id 0x08001227, 2018-02-09
+    + Updated Microcodes:
+      sig 0x00600f12, patch id 0x0600063e, 2018-02-07
+      sig 0x00600f20, patch id 0x06000852, 2018-02-06
+    + Removed Microcodes:
+      sig 0x00610f01, patch id 0x06001119, 2012-07-13
+  * Adds Spectre v2 (CVE-2017-5715) microcode-based mitigation support,
+    plus other unspecified fixes/updates.
+  * README, debian/copyright: update for new release
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 19 May 2018 13:51:06 -0300
+
+amd64-microcode (3.20171205.2) unstable; urgency=medium
+
+  * debian/control: update Vcs-* fields for salsa.debian.org
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Fri, 04 May 2018 07:51:40 -0300
+
+amd64-microcode (3.20171205.1) unstable; urgency=high
+
+  * New microcode updates (closes: #886382):
+    sig 0x00800f12, patch id 0x08001213, 2017-12-05
+    Thanks to SuSE for distributing these ahead of AMD's official release!
+  * Add IBPB support for family 17h AMD processors (CVE-2017-5715)
+  * README: describe source for faml17h microcode update
+  * Upload to unstable to match IBPB microcode support on Intel in Debian
+    unstable.
+  * WARNING: requires at least kernel 4.15, 4.14.13, 4.9.76, 4.4.111 (or a
+    backport of commit f4e9b7af0cd58dd039a0fb2cd67d57cea4889abf
+    "x86/microcode/AMD: Add support for fam17h microcode loading") otherwise
+    it will not be applied to the processor.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Mon, 08 Jan 2018 12:19:57 -0200
+
 amd64-microcode (3.20160316.3) unstable; urgency=medium
 
   * initramfs: Make the early initramfs reproducible (closes: #845194)
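Review bot: In the top entry, the parenthetical "(since version 3.20180515.1)" on the IBPB line does not match the history below it: the identical line "Add IBPB support for family 17h AMD processors (CVE-2017-5715)" already appears under 3.20171205.1, while 3.20180515.1 is where "Spectre v2 (CVE-2017-5715) microcode-based mitigation support" was added. Suggest pointing at the right entry or dropping the parenthetical. The entry also reads "Non-maintainer upload by the Security Team" although this is a stretch-pu request for a CVE marked <no-dsa>, and it would help to carry forward the 3.20171205.1 kernel-version WARNING and the 3.20180524.1 note that sig 0x610f01 gets no Spectre-v2 mitigation, since both limit where the fix actually takes effect.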
diff -Nru amd64-microcode-3.20160316.3/debian/control amd64-microcode-3.20181128.1~deb9u1/debian/control
--- amd64-microcode-3.20160316.3/debian/control	2016-11-30 02:53:04.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb9u1/debian/control	2018-12-15 03:43:55.000000000 +0100
@@ -5,8 +5,8 @@
 Uploaders: Giacomo Catenazzi <cate@debian.org>
 Build-Depends: debhelper (>= 9)
 Standards-Version: 3.9.8
-Vcs-Git: git://git.debian.org/users/hmh/amd64-microcode.git
-Vcs-Browser: http://git.debian.org/?p=users/hmh/amd64-microcode.git
+Vcs-Git: https://salsa.debian.org/hmh/amd64-microcode.git
+Vcs-Browser: https://salsa.debian.org/hmh/amd64-microcode
 XS-Autobuild: yes
 
 Package: amd64-microcode
diff -Nru amd64-microcode-3.20160316.3/debian/copyright amd64-microcode-3.20181128.1~deb9u1/debian/copyright
--- amd64-microcode-3.20160316.3/debian/copyright	2016-11-30 02:53:04.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb9u1/debian/copyright	2018-12-15 03:43:55.000000000 +0100
@@ -2,8 +2,9 @@
 Sun Jun 10 10:54:36 BRT 2012
 
 It was downloaded from http://www.amd64.org/support/microcode.html up to
-version 20120910 (now: http://www.amd64.org/microcode.html).  It was built from
-the linux-firmware git tree at  for version 20131007 onwards.
+version 20120910 (now: http://www.amd64.org/microcode.html).  For version
+20131007 onwards, it was built from the linux-firmware git repository at:
+https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/
 
 Debian only distributes the AMD64 microcode file in its unaltered form.
 
@@ -13,7 +14,7 @@
 
 Upstream Copyright: 
 
-    Copyright (C) 2010-2014 Advanced Micro Devices, Inc.,
+    Copyright (C) 2010-2018 Advanced Micro Devices, Inc.
     All rights reserved.
 
 Upstream License:
diff -Nru amd64-microcode-3.20160316.3/LICENSE.amd-ucode amd64-microcode-3.20181128.1~deb9u1/LICENSE.amd-ucode
--- amd64-microcode-3.20160316.3/LICENSE.amd-ucode	2016-11-30 02:53:04.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb9u1/LICENSE.amd-ucode	2018-05-19 18:45:14.000000000 +0200
@@ -1,4 +1,4 @@
-Copyright (C) 2010-2014 Advanced Micro Devices, Inc., All rights reserved.
+Copyright (C) 2010-2018 Advanced Micro Devices, Inc., All rights reserved.
 
 Permission is hereby granted by Advanced Micro Devices, Inc. ("AMD"),
 free of any license fees, to any person obtaining a copy of this
Binary files /tmp/LbpVUZ5fnT/amd64-microcode-3.20160316.3/microcode_amd_fam15h.bin and /tmp/F2EERKkYaF/amd64-microcode-3.20181128.1~deb9u1/microcode_amd_fam15h.bin differ
diff -Nru amd64-microcode-3.20160316.3/microcode_amd_fam15h.bin.asc amd64-microcode-3.20181128.1~deb9u1/microcode_amd_fam15h.bin.asc
--- amd64-microcode-3.20160316.3/microcode_amd_fam15h.bin.asc	2016-11-30 02:53:04.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb9u1/microcode_amd_fam15h.bin.asc	2018-12-15 03:36:28.000000000 +0100
@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
-iQEcBAABAgAGBQJW6d1MAAoJEOS+UznzKK5zSxkH+gJLffKGRM9BHe0D0/fkb0Gs
-FZVp0eUNREOQoYwHJq9Ms1RebaZJkaUnd8SXCODJrqxDsxqUgunUtP6Qfh3Ru6fV
-n0wgFVISKSQVLDP+I/ANFbWA2KhV5e4LuLQp5cDSItv6916kmNlM5kxtJ5QBrNXu
-kr5bNReYgYTl7PSoCPuPfVILToG0ltZQMdKI1GImRCMVrYjGMbv8EyUC3r8ZbChG
-Lv6K0AsULA81lXBAW0JYlxu6cNv1MJ3mxttwCswaJNcd+Y11ZQA8r2sjJoWbNSlS
-nsDPLsUKE/RsW9MlMxiI2Jqo9PrZz923bu/cWMU1FPp+cJII0T7idWGUTVhQjc8=
-=MTxP
+iQEcBAABAgAGBQJbB09SAAoJEOS+UznzKK5z8kAIAK1In82D88fGFbhluAl13UFu
+rs8BhXKL2w7B2KAspBNTmYpIQnfvVDrZzn6t6nqssuJ4bnWH8sf0mC/w5dSQLG4M
+WdpDd+qkdkDGJFlbl3zkr14Q7ZCQPV44pT7BOF07VPflOeQQjRWug9cdyqRIfO4n
+XGR5wvBOJZ2BlriRkYagQHn6iB/UJWXodmTr8CRGIHTApQg6K0NPNvmbwa/W5Z9X
+bS6eniACMfFDH7NXG2uTpFiGa3DYbDyNZiZeM7Uv3BFxtAOGY8vTFghtRyk0qxAl
+o6d8fT6ozkTUxE40Lgb6MegDJPwJ+uDfB7jKVPnYsbDAp6K7L8k/7PQQQRJ69Pc=
+=k2EA
 -----END PGP SIGNATURE-----
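Review bot: The replaced signature in microcode_amd_fam15h.bin.asc is the only reviewable integrity evidence for the new blob, since the debdiff reports microcode_amd_fam15h.bin only as "Binary files ... differ". Please confirm before upload that the detached signature verifies against the shipped .bin with the AMD Microcode Signing Key named in the README (Key ID F328AE73, fingerprint FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73), and do the same for the newly added microcode_amd_fam17h.bin.asc.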
Binary files /tmp/LbpVUZ5fnT/amd64-microcode-3.20160316.3/microcode_amd_fam17h.bin and /tmp/F2EERKkYaF/amd64-microcode-3.20181128.1~deb9u1/microcode_amd_fam17h.bin differ
diff -Nru amd64-microcode-3.20160316.3/microcode_amd_fam17h.bin.asc amd64-microcode-3.20181128.1~deb9u1/microcode_amd_fam17h.bin.asc
--- amd64-microcode-3.20160316.3/microcode_amd_fam17h.bin.asc	1970-01-01 01:00:00.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb9u1/microcode_amd_fam17h.bin.asc	2018-12-15 21:35:27.000000000 +0100
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=FqUC
+-----END PGP SIGNATURE-----
diff -Nru amd64-microcode-3.20160316.3/README amd64-microcode-3.20181128.1~deb9u1/README
--- amd64-microcode-3.20160316.3/README	2016-11-30 02:53:04.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb9u1/README	2018-12-15 21:35:27.000000000 +0100
@@ -1,43 +1,116 @@
 This amd64-microcode release was based on the linux-firmware tree.
+The linux-firmware tree can be found in kernel.org.
 
-From: Sherry Hurwitz <sherry.hurwitz@amd.com>
-Subject: [PATCH 1/1] linux-firmware: Update AMD microcode patch firmware
-Date: 2016-03-17 06:56:11 GMT
+commit 8aa9e3e3886d49b8e1427c1084cbbe567ca2b6ca
+Author:     Allen, John <John.Allen@amd.com>
+AuthorDate: Thu Nov 29 18:39:16 2018 +0000
+Commit:     Josh Boyer <jwboyer@kernel.org>
+CommitDate: Fri Dec 14 08:05:34 2018 -0500
+
+    linux-firmware: Update AMD cpu microcode
+    
+    * Update AMD cpu microcode for processor family 17h
+    
+    Key Name        = AMD Microcode Signing Key (for signing microcode container files only)
+    Key ID          = F328AE73
+    Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+    
+    Signed-off-by: John Allen <john.allen@amd.com>
+    Signed-off-by: Josh Boyer <jwboyer@kernel.org>
 
-    linux-firmware: Update AMD microcode patch firmware
+commit 7518922bd5b98b137af7aaf3c836f5a498e91609
+Author: Sherry Hurwitz <sherry.hurwitz@amd.com>
+Date:   Thu May 24 20:57:59 2018 -0500
+
+    Update AMD cpu microcode for family 15h
+    
+    * Processor Revision ID 0x00610f01 was accidently not included in the previous
+      submitted microcode container file.
+    * Update the Version for family 15h microcode .bin file
+    
+    Key Name        = AMD Microcode Signing Key (for signing microcode container files only)
+    Key ID          = F328AE73
+    Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+    
+    Signed-off-by: Sherry Hurwitz <sherry.hurwitz@amd.com>
+    Signed-off-by: Josh Boyer <jwboyer@kernel.org>
+
+commit 77101513943ef198e2050667c87abf19e6cbb1d8
+Author: Sherry Hurwitz <sherry.hurwitz@amd.com>
+Date:   Wed May 16 18:10:48 2018 -0500
+
+    linux-firmware: Update AMD cpu microcode
+    
+    * Add AMD cpu microcode for processor family 17h
+    * Update AMD cpu microcode for processor family 15h
+    * Update the AMD cpu microcode license copyright
+    * Add a Version for both microcode family 15h and 17h
+    
+    Key Name        = AMD Microcode Signing Key (for signing microcode container files only)
+    Key ID          = F328AE73
+    Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+    
+    Signed-off-by: Sherry Hurwitz <sherry.hurwitz@amd.com>
+    Signed-off-by: Josh Boyer <jwboyer@kernel.org>
+
+commit 5f8ca0c1db6106a2d6d7e85eee778917ff03c3de
+Author: Sherry Hurwitz <sherry.hurwitz@amd.com>
+Date:   Thu Mar 17 01:56:11 2016 -0500
 
+    linux-firmware: Update AMD microcode patch firmware
+    
     For AMD Family 15h Processors to fix bugs in prior microcode patch
     file: amd-ucode/microcode_amd_fam15h.bin
     md5sum: 2384ef1d8ec8ca3930b62d82ea5a3813
-
+    
     Version: 2016_03_16
-
+    
     Signed-off-by: Sherry Hurwitz <sherry.hurwitz@amd.com>
+    Signed-off-by: Kyle McMartin <kyle@kernel.org>
 
 commit 8ac569dd3ca3ca685bd47ee86c1eeb6050864db3
 Author: Sherry Hurwitz <sherry.hurwitz@amd.com>
 Date:   Thu Nov 6 19:38:26 2014 -0600
 
     linux-firmware: Update AMD microcode patch firmware files
-
+    
     For AMD Family 15h Processors
     file:   amd-ucode/microcode_amd_family15h.bin
     md5sum: ee3f0f46936aa1788dc31ca3487e0ff3
-
+    
     For AMD Family 16h Processors
     file:   amd-ucode/microcode_amd_family16h.bin
     md5sum: 6a47a6393c52ddfc0b5b044efc076a77
-
+    
     Version: 2014_10_28
     Signed-off-by: Sherry Hurwitz <sherry.hurwitz@amd.com>
     Signed-off-by: Kyle McMartin <kyle@kernel.org>
 
-LICENSE.amd-ucode                      |    2 +-
-amd-ucode/microcode_amd_fam15h.bin     |binary
-amd-ucode/microcode_amd_fam15h.bin.asc |   16 ++++++++--------
-amd-ucode/microcode_amd_fam16h.bin     |binary
-amd-ucode/microcode_amd_fam16h.bin.asc |   11 +++++++++++
-6 files changed, 23 insertions(+), 10 deletions(-)
+commit 31f6b3076bab3c4b65f67fdb232f4579ed828b4f
+Author: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Date:   Wed Jul 10 19:42:56 2013 -0500
+
+    linux-firmware: Add AMD microcode patch firmware files
+    
+    For AMD Families 10h ~ 14h Processors
+    file:   amd-ucode/microcode_amd.bin
+    md5sum: 55ae79b82cbfddcf7142058be3c9ec2d
+    
+    For AMD Family 15h Processors
+    file:   amd-ucode/microcode_amd_fam15h.bin
+    md5sum: 122ac7e56442c2b7c28eb26978b2d57c
+    
+    Version: 07_10_2013
+    
+    Signed-off-by: Sherry Hurwitz <sherry.hurwitz@amd.com>
+    Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+    [bwh: Include version in WHENCE and GPG signatures as separate files]
+    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+
+The microcode update for family 17h came from SuSE, and depends on specific
+kernel support for family 17h to be applied.  It implements IBPB support
+for family 17h processors (Zen).  Microcode update support for family 17h
+should be present in Linux 4.15, 4.14.13, 4.9.76, 4.4.111, and later.
 
 AMD did not update the relevant microcode documentation (errata fixed,
 microcode patch levels, etc), so there is no documentation for the family 0x16
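Review bot: The paragraph added at the end of this hunk says the family 17h microcode update "came from SuSE", but the commits quoted above it (77101513943ef198e2050667c87abf19e6cbb1d8, "Add AMD cpu microcode for processor family 17h", and 8aa9e3e3886d49b8e1427c1084cbbe567ca2b6ca, "Update AMD cpu microcode for processor family 17h") show family 17h arriving through linux-firmware under AMD's signing key. Suggest rewording the paragraph so the stated provenance matches the file this version ships, while keeping the minimum kernel versions it lists.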

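The version ordering the request relies on (the "~" suffix sorting below buster's 3.20181128.1) follows from dpkg's comparison rules. The block below is an added example, not part of the original message and not dpkg's own code: a Python re-implementation of that comparison for ASCII version strings, with a constructed "+deb9u1" counter-example.

```python
import re

def _order(c):
    # dpkg rank of a non-digit: '~' sorts below even end-of-string (rank 0).
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate between a non-digit run (ranked per char) and a numeric run.
    while a or b:
        pa = re.match(r"[^0-9]*", a).group()
        pb = re.match(r"[^0-9]*", b).group()
        for i in range(max(len(pa), len(pb))):
            oa = _order(pa[i]) if i < len(pa) else 0
            ob = _order(pb[i]) if i < len(pb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(pa):], b[len(pb):]
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; a missing epoch counts as 0.
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 sorts before, equal to or after v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_upgrade_path(chain):
    # True if every version is strictly older than the one after it.
    return all(compare_versions(a, b) < 0 for a, b in zip(chain, chain[1:]))

# Versions from the request: debdiff base, proposed stretch version, buster.
PROPOSED = ["3.20160316.3", "3.20181128.1~deb9u1", "3.20181128.1"]
# Constructed counter-example: "+" instead of "~" sorts above buster.
BROKEN = ["3.20160316.3", "3.20181128.1+deb9u1", "3.20181128.1"]
```

On a Debian system, `dpkg --compare-versions` gives the authoritative answer for the same inputs.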