
Bug#954023: stretch-pu: package amd64-microcode/3.20181128.1~deb9u1



Apologies for letting this sit for a while.

On Mon, 2020-03-23 at 18:08 -0300, Henrique de Moraes Holschuh wrote:
> On Sat, 21 Mar 2020, Adam D. Barratt wrote:
> > On Sun, 2020-03-15 at 21:37 +0100, Anton Gladky wrote:
> > > I have prepared an update for amd64-microcode for Debian Stretch,
> > > which fixes CVE-2017-5715. Please see an attached debdiff.
> > > 
> > > This is the newer upstream version, which fixes CVE-2017-5715.
> > > Security team marked this CVE for Stretch as <no-dsa> [1].
> > 
> > Do you have any input / thoughts on this proposed update?
> 
> The microcode might be safe enough, we don't have regressions
> reported against the latest one (which is just a revert by AMD of an
> update that did cause regressions when not applied through UEFI).
> 
> But that's with recent kernels.
> 
> I have no idea about the kernel codepaths it might activate, though,
> if new MSRs are exposed.

I'm torn as to what to do with this request, given that we're about to
hit the EOL point release for stretch.

Anton, do you have any idea how widespread use of the existing stretch-
backports package has been?

Regards,

Adam

