Your message dated Sat, 09 Nov 2024 10:51:02 +0000 with message-id <b0a29248bc631362ed06a8879f93b8cdae5414d0.camel@adam-barratt.org.uk> and subject line Closing bugs released with 12.8 has caused the Debian Bug report #1086601, regarding bookworm-pu: package intel-microcode/3.20240910.1~deb12u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1086601: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086601
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package intel-microcode/3.20240910.1~deb12u1
- From: Henrique de Moraes Holschuh <hmh@debian.org>
- Date: Fri, 1 Nov 2024 21:14:48 -0300
- Message-id: <ZyVu+A3IZCCNS/tk@khazad-dum.debian.net>

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]

As requested by the security team, I would like to bring the microcode update level for Intel processors in Bullseye and Bookworm to match what we have in Sid and Trixie. This is the bug report for Bookworm, a separate one will be filed for Bullseye.

This fixes:

* Two CVEs in many Intel processors
  - Mitigations for INTEL-SA-01103 (CVE-2024-23984)
  - Mitigations for INTEL-SA-01097 (CVE-2024-24968)
* Other unspecified functional issues on several processors

There are no relevant issues reported on this microcode update, considering the version of intel-microcode already available as security updates for bookworm and bullseye.

[ Impact ]

If this update is not approved, owners of most recent "client" Intel processors and a few server processors will depend on UEFI updates to be protected from the issues listed above.

[ Tests ]

There were no bug reports from users of Debian sid or Trixie, these packages have been tested there since 2024-09-21 (sid), 2024-09-27 (trixie).

[ Risks ]

Unknown, but not believed to be any different from other Intel microcode updates.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

As per the debdiff, only documentation changes, package documentation changes, and the binary blob change from upstream.
 changelog | 52 ++++++++++++++++++++++++++++++++++--
 debian/changelog | 73 ++++++++++++++++++++++++++++++++++++++++++++++++---
 intel-ucode/06-97-02 |binary
 intel-ucode/06-97-05 |binary
 intel-ucode/06-9a-03 |binary
 intel-ucode/06-9a-04 |binary
 intel-ucode/06-aa-04 |binary
 intel-ucode/06-b7-01 |binary
 intel-ucode/06-ba-02 |binary
 intel-ucode/06-ba-03 |binary
 intel-ucode/06-ba-08 |binary
 intel-ucode/06-be-00 |binary
 intel-ucode/06-bf-02 |binary
 intel-ucode/06-bf-05 |binary
 releasenote.md | 35 ++++++++++++++++++++++++
 15 files changed, 155 insertions(+), 5 deletions(-)

[ Other info ]

The package version with "~" is needed to guarantee smooth updates to the next debian release.

--
Henrique Holschuh

diff --git a/changelog b/changelog index d5e45bc..e6eb97c 100644 --- a/changelog +++ b/changelog @@ -1,3 +1,33 @@ +2024-09-10: + * New upstream microcode datafile 20240910 + - Mitigations for INTEL-SA-01103 (CVE-2024-23984) + A potential security vulnerability in the Running Average Power Limit + (RAPL) interface for some Intel Processors may allow information + disclosure. + - Mitigations for INTEL-SA-01097 (CVE-2024-24968) + A potential security vulnerability in some Intel Processors may allow + denial of service. + - Fixes for unspecified functional issues on several processor models + - The processor voltage limit issue on Core 13rd/14th gen REQUIRES A + FIRMWARE UPDATE. It is present in this release for sig 0xb0671, but + THE VOLTAGE ISSUE FIX ONLY WORKS WHEN THE MICROCODE UPDATE IS LOADED + THROUGH THE FIT TABLE IN FIRMWARE. Contact your system vendor for a + firmware update that includes the appropriate microcode update for + your processor. + * Updated Microcodes: + sig 0x00090672, pf_mask 0x07, 2024-02-22, rev 0x0036, size 224256 + sig 0x00090675, pf_mask 0x07, 2024-02-22, rev 0x0036 + sig 0x000b06f2, pf_mask 0x07, 2024-02-22, rev 0x0036 + sig 0x000b06f5, pf_mask 0x07, 2024-02-22, rev 0x0036 + sig 0x000906a3, pf_mask 0x80, 2024-02-22, rev 0x0434, size 222208 + sig 0x000906a4, pf_mask 0x80, 2024-02-22, rev 0x0434 + sig 0x000a06a4, pf_mask 0xe6, 2024-06-17, rev 0x001f, size 137216 + sig 0x000b0671, pf_mask 0x32, 2024-07-18, rev 0x0129, size 215040 + sig 0x000b06a2, pf_mask 0xe0, 2024-02-22, rev 0x4122, size 220160 + sig 0x000b06a3, pf_mask 0xe0, 2024-02-22, rev 0x4122 + sig 0x000b06a8, pf_mask 0xe0, 2024-02-22, rev 0x4122 + sig 0x000b06e0, pf_mask 0x19, 2024-03-25, rev 0x001a, size 138240 + 2024-08-13: * New upstream microcode datafile 20240813 (second release) - Mitigations for INTEL-SA-01083 (CVE-2024-24853) 
@@ -15,12 +45,17 @@ - Mitigations for INTEL-SA-01038 (CVE-2023-42667) Improper isolation in the Intel Core Ultra Processor stream cache mechanism may allow an authenticated user to potentially enable - escalation of privilege via local access. + escalation of privilege via local access. Intel disclosed that some + processor models were already fixed by the previous microcode update. - Mitigations for INTEL-SA-01046 (CVE-2023-49141) Improper isolation in some Intel® Processors stream cache mechanism may allow an authenticated user to potentially enable escalation of - privilege via local access. + privilege via local access. Intel disclosed that some processor models + were already fixed by the previous microcode update. - Fix for unspecified functional issues on several processor models + - Fix for errata TGL068/ADL075/ICL088/... "Processor may hang during a + microcode update". It is not clear which processors were fixed by this + release, or by one of the microcode updates from 2024-05. * Updated microcodes: sig 0x00050657, pf_mask 0xbf, 2024-03-01, rev 0x5003707, size 39936 sig 0x0005065b, pf_mask 0xbf, 2024-04-01, rev 0x7002904, size 30720 
@@ -69,6 +104,19 @@ Improper input validation in some Intel TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access. + - Mitigations for INTEL-SA-01046 (CVE-2023-49141) + Improper isolation in some Intel Processors stream cache mechanism may + allow an authenticated user to potentially enable escalation of + privilege via local access (time-travel entry, added after Intel + released this information during the full disclosure for the 20240813 + update). Processor signatures 0x806f4-0x806f8, 0xb0671, 0x90672, and + 0x90675 + - Mitigations for INTEL-SA-01100 (CVE-2024-24980) for the Intel + Protection mechanism failure in some 3rd, 4th, and 5th Generation Intel + Xeon Processors may allow a privileged user to potentially enable + escalation of privilege via local access (time-travel entry, added after + Intel released this information during the full disclosure for the + 20240813 update). Processor signatures 0xc06f1 and 0xc06f2. - Fix for unspecified functional issues on 4th gen and 5th gen Xeon Scalable, 12th, 13th and 14th gen Intel Core processors, as well as for Core i3 N-series processors. diff --git a/debian/changelog b/debian/changelog index 5038f31..5e6276e 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,46 @@ +intel-microcode (3.20240910.1~deb12u1) bookworm; urgency=medium + + * Build for bookworm + * All trixie-only changes (from 3.20240813.2) are reverted on this branch + + -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 01 Nov 2024 20:13:41 -0300 + +intel-microcode (3.20240910.1) unstable; urgency=medium + + * New upstream microcode datafile 20240910 (closes: #1081363) + - Mitigations for INTEL-SA-01103 (CVE-2024-23984) + A potential security vulnerability in the Running Average Power Limit + (RAPL) interface for some Intel Processors may allow information + disclosure. + - Mitigations for INTEL-SA-01097 (CVE-2024-24968) + A potential security vulnerability in some Intel Processors may allow + denial of service. + - Fixes for unspecified functional issues on several processor models + - The processor voltage limit issue on Core 13rd/14th gen REQUIRES A + FIRMWARE UPDATE. It is present in this release for sig 0xb0671, but + THE VOLTAGE ISSUE FIX ONLY WORKS WHEN THE MICROCODE UPDATE IS LOADED + THROUGH THE FIT TABLE IN FIRMWARE. Contact your system vendor for a + firmware update that includes the appropriate microcode update for + your processor. 
+ * Updated Microcodes: + sig 0x00090672, pf_mask 0x07, 2024-02-22, rev 0x0036, size 224256 + sig 0x00090675, pf_mask 0x07, 2024-02-22, rev 0x0036 + sig 0x000b06f2, pf_mask 0x07, 2024-02-22, rev 0x0036 + sig 0x000b06f5, pf_mask 0x07, 2024-02-22, rev 0x0036 + sig 0x000906a3, pf_mask 0x80, 2024-02-22, rev 0x0434, size 222208 + sig 0x000906a4, pf_mask 0x80, 2024-02-22, rev 0x0434 + sig 0x000a06a4, pf_mask 0xe6, 2024-06-17, rev 0x001f, size 137216 + sig 0x000b0671, pf_mask 0x32, 2024-07-18, rev 0x0129, size 215040 + sig 0x000b06a2, pf_mask 0xe0, 2024-02-22, rev 0x4122, size 220160 + sig 0x000b06a3, pf_mask 0xe0, 2024-02-22, rev 0x4122 + sig 0x000b06a8, pf_mask 0xe0, 2024-02-22, rev 0x4122 + sig 0x000b06e0, pf_mask 0x19, 2024-03-25, rev 0x001a, size 138240 + * Update changelog for 3.20240813.1 with new information + * Update changelog for 3.20240514.1 with new information + * source: update symlinks to reflect id of the latest release, 20240910 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 21 Sep 2024 16:40:07 -0300 + intel-microcode (3.20240813.1~deb12u1) bookworm; urgency=medium * Build for bookworm (no changes from 3.20240813.1) 
@@ -22,12 +65,17 @@ intel-microcode (3.20240813.1) unstable; urgency=medium - Mitigations for INTEL-SA-01038 (CVE-2023-42667) Improper isolation in the Intel Core Ultra Processor stream cache mechanism may allow an authenticated user to potentially enable - escalation of privilege via local access. + escalation of privilege via local access. Intel disclosed that some + processor models were already fixed by the previous microcode update. - Mitigations for INTEL-SA-01046 (CVE-2023-49141) - Improper isolation in some Intel® Processors stream cache mechanism may + Improper isolation in some Intel Processors stream cache mechanism may allow an authenticated user to potentially enable escalation of - privilege via local access. + privilege via local access. Intel disclosed that some processor models + were already fixed by the previous microcode update. - Fix for unspecified functional issues on several processor models + - Fix for errata TGL068/ADL075/ICL088/... "Processor may hang during a + microcode update". It is not clear which processors were fixed by this + release, or by one of the microcode updates from 2024-05. * Updated microcodes: sig 0x00050657, pf_mask 0xbf, 2024-03-01, rev 0x5003707, size 39936 sig 0x0005065b, pf_mask 0xbf, 2024-04-01, rev 0x7002904, size 30720 
@@ -91,6 +139,25 @@ intel-microcode (3.20240514.1) unstable; urgency=medium Improper input validation in some Intel TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access. + * Mitigations for INTEL-SA-01046 (CVE-2023-49141) + Improper isolation in some Intel Processors stream cache mechanism may + allow an authenticated user to potentially enable escalation of + privilege via local access (time-travel entry, added after Intel + released this information during the full disclosure for the 20240813 + update) + * Mitigations for INTEL-SA-01046 (CVE-2023-49141) + Improper isolation in some Intel Processors stream cache mechanism may + allow an authenticated user to potentially enable escalation of + privilege via local access (time-travel entry, added after Intel + released this information during the full disclosure for the 20240813 + update). Processor signatures 0x806f4-0x806f8, 0xb0671, 0x90672, and + 0x90675 + * Mitigations for INTEL-SA-01100 (CVE-2024-24980) for the Intel + Protection mechanism failure in some 3rd, 4th, and 5th Generation Intel + Xeon Processors may allow a privileged user to potentially enable + escalation of privilege via local access (time-travel entry, added after + Intel released this information during the full disclosure for the + 20240813 update). Processor signatures 0xc06f1 and 0xc06f2. * Fix for unspecified functional issues on 4th gen and 5th gen Xeon Scalable, 12th, 13th and 14th gen Intel Core processors, as well as for Core i3 N-series processors. diff --git a/intel-ucode/06-97-02 b/intel-ucode/06-97-02 index 05450f8..efd034d 100644 Binary files a/intel-ucode/06-97-02 and b/intel-ucode/06-97-02 differ diff --git a/intel-ucode/06-97-05 b/intel-ucode/06-97-05 index 05450f8..efd034d 100644 Binary files a/intel-ucode/06-97-05 and b/intel-ucode/06-97-05 differ 
diff --git a/intel-ucode/06-9a-03 b/intel-ucode/06-9a-03 index b4f9b45..ac46000 100644 Binary files a/intel-ucode/06-9a-03 and b/intel-ucode/06-9a-03 differ diff --git a/intel-ucode/06-9a-04 b/intel-ucode/06-9a-04 index 27bfc92..5630a87 100644 Binary files a/intel-ucode/06-9a-04 and b/intel-ucode/06-9a-04 differ diff --git a/intel-ucode/06-aa-04 b/intel-ucode/06-aa-04 index 170887a..f7ce6aa 100644 Binary files a/intel-ucode/06-aa-04 and b/intel-ucode/06-aa-04 differ diff --git a/intel-ucode/06-b7-01 b/intel-ucode/06-b7-01 index fc76856..ed73396 100644 Binary files a/intel-ucode/06-b7-01 and b/intel-ucode/06-b7-01 differ diff --git a/intel-ucode/06-ba-02 b/intel-ucode/06-ba-02 index c2b3de7..76a1275 100644 Binary files a/intel-ucode/06-ba-02 and b/intel-ucode/06-ba-02 differ diff --git a/intel-ucode/06-ba-03 b/intel-ucode/06-ba-03 index c2b3de7..76a1275 100644 Binary files a/intel-ucode/06-ba-03 and b/intel-ucode/06-ba-03 differ diff --git a/intel-ucode/06-ba-08 b/intel-ucode/06-ba-08 index c2b3de7..76a1275 100644 Binary files a/intel-ucode/06-ba-08 and b/intel-ucode/06-ba-08 differ diff --git a/intel-ucode/06-be-00 b/intel-ucode/06-be-00 index 7be2d62..5316c7e 100644 Binary files a/intel-ucode/06-be-00 and b/intel-ucode/06-be-00 differ diff --git a/intel-ucode/06-bf-02 b/intel-ucode/06-bf-02 index 05450f8..efd034d 100644 Binary files a/intel-ucode/06-bf-02 and b/intel-ucode/06-bf-02 differ diff --git a/intel-ucode/06-bf-05 b/intel-ucode/06-bf-05 index 05450f8..efd034d 100644 Binary files a/intel-ucode/06-bf-05 and b/intel-ucode/06-bf-05 differ diff --git a/microcode-20240813.d b/microcode-20240910.d similarity index 100% rename from microcode-20240813.d rename to microcode-20240910.d diff --git a/releasenote.md b/releasenote.md index e501368..f00475e 100644 --- a/releasenote.md +++ b/releasenote.md 
@@ -1,3 +1,38 @@ +# Release Notes +## [microcode-20240910](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240910) + +### Purpose + +- Security updates for [INTEL-SA-01103](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01103.html) +- Security updates for [INTEL-SA-01097](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01097.html) +- Update for functional issues. Refer to [Intel® Core™ Ultra Processor](https://cdrdv2.intel.com/v1/dl/getContent/792254) for details. +- Update for functional issues. Refer to [13th Generation Intel® Core™ Processor Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/740518) for details. +- Update for functional issues. Refer to [12th Generation Intel® Core™ Processor Family](https://cdrdv2.intel.com/v1/dl/getContent/682436) for details. +- Update for functional issues. Refer to [Intel® Processors and Intel® Core™ i3 N-Series](https://cdrdv2.intel.com/v1/dl/getContent/764616) for details. 
+ +### New Platforms + +| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products +|:---------------|:---------|:------------|:---------|:---------|:--------- +| TWL | N0 | 06-be-00/19 | | 0000001a | Core i3-N305/N300, N50/N97/N100/N200, Atom x7211E/x7213E/x7425E + +### Updated Platforms + +| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products +|:---------------|:---------|:------------|:---------|:---------|:--------- +| ADL | C0 | 06-97-02/07 | 00000035 | 00000036 | Core Gen12 +| ADL | H0 | 06-97-05/07 | 00000035 | 00000036 | Core Gen12 +| ADL | L0 | 06-9a-03/80 | 00000433 | 00000434 | Core Gen12 +| ADL | R0 | 06-9a-04/80 | 00000433 | 00000434 | Core Gen12 +| ADL-N | N0 | 06-be-00/11 | 00000017 | 0000001a | Core i3-N305/N300, N50/N97/N100/N200, Atom x7211E/x7213E/x7425E +| MTL | C0 | 06-aa-04/e6 | 0000001e | 0000001f | Core™ Ultra Processor +| RPL-E/HX/S | B0 | 06-b7-01/32 | 00000123 | 00000129 | Core Gen13/Gen14 +| RPL-H/P/PX 6+8 | J0 | 06-ba-02/e0 | 00004121 | 00004122 | Core Gen13 +| RPL-HX/S | C0 | 06-bf-02/07 | 00000035 | 00000036 | Core Gen13/Gen14 +| RPL-S | H0 | 06-bf-05/07 | 00000035 | 00000036 | Core Gen13/Gen14 +| RPL-U 2+8 | Q0 | 06-ba-03/e0 | 00004121 | 00004122 | Core Gen13 + + # Release Notes ## [microcode-20240813](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813) diff --git a/supplementary-ucode-20240813_BDX-ML.bin b/supplementary-ucode-20240910_BDX-ML.bin similarity index 100% rename from supplementary-ucode-20240813_BDX-ML.bin rename to supplementary-ucode-20240910_BDX-ML.binAttachment: signature.asc
Description: PGP signature
--- End Message ---
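Review bot: in the first changelog hunk (@@ -1,3 +1,33 @@), sig 0x000b06e0 is listed only under "Updated Microcodes" with pf_mask 0x19, while the releasenote.md hunk puts 06-be-00/19 (TWL N0) under "New Platforms" with no old version and shows 06-be-00/11 (ADL-N) as the entry updated from 00000017. The changelog entry should say that this release adds a platform ID for that signature, so a reader can tell newly added support from a plain revision bump. The same hunk has "Core 13rd/14th gen", which should read "13th"; both points apply equally to the matching 3.20240910.1 entry in debian/changelog.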
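Review bot: the INTEL-SA-01100 entry added in changelog hunk @@ -69,6 +104,19 @@ does not parse: "Mitigations for INTEL-SA-01100 (CVE-2024-24980) for the Intel Protection mechanism failure in some 3rd, 4th, and 5th Generation Intel Xeon Processors may allow ..." runs the heading into the description with what looks like leftover words. Suggest the shape used by the neighbouring entries, with the heading on its own line and the description starting at "Protection mechanism failure in some ...". In the same hunk the INTEL-SA-01046 entry ends at "0x90675" without a final period while the INTEL-SA-01100 entry ends with one. The same wording is carried into the debian/changelog hunk for 3.20240514.1.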
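Review bot: in debian/changelog hunk @@ -1,3 +1,46 @@, the bookworm entry says "All trixie-only changes (from 3.20240813.2) are reverted on this branch" without naming any of them, and no 3.20240813.2 entry is visible in this debdiff to look them up. For a stable update it would help to list the reverted changes in the entry, or to state that they were packaging-only, so the release team can check the claim against the diff without consulting the unstable history.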
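Review bot: debian/changelog hunk @@ -91,6 +139,25 @@ adds the INTEL-SA-01046 (CVE-2023-49141) item twice under 3.20240514.1, first ending at "update)" and then again with "Processor signatures 0x806f4-0x806f8, 0xb0671, 0x90672, and 0x90675" appended. The upstream changelog hunk for the same release carries it once, with the signatures. Drop the first copy and keep the one that lists the processor signatures.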
--- Begin Message ---
- To: 1074088-done@bugs.debian.org, 1074126-done@bugs.debian.org, 1076473-done@bugs.debian.org, 1077668-done@bugs.debian.org, 1079689-done@bugs.debian.org, 1079733-done@bugs.debian.org, 1080363-done@bugs.debian.org, 1080402-done@bugs.debian.org, 1080968-done@bugs.debian.org, 1081034-done@bugs.debian.org, 1081035-done@bugs.debian.org, 1081169-done@bugs.debian.org, 1081317-done@bugs.debian.org, 1081343-done@bugs.debian.org, 1081388-done@bugs.debian.org, 1081389-done@bugs.debian.org, 1081394-done@bugs.debian.org, 1081399-done@bugs.debian.org, 1081410-done@bugs.debian.org, 1081413-done@bugs.debian.org, 1081418-done@bugs.debian.org, 1081750-done@bugs.debian.org, 1082024-done@bugs.debian.org, 1082153-done@bugs.debian.org, 1082155-done@bugs.debian.org, 1082322-done@bugs.debian.org, 1082701-done@bugs.debian.org, 1082710-done@bugs.debian.org, 1082746-done@bugs.debian.org, 1082783-done@bugs.debian.org, 1082902-done@bugs.debian.org, 1082935-done@bugs.debian.org, 1083026-done@bugs.debian.org, 1083090-done@bugs.debian.org, 1083162-done@bugs.debian.org, 1083223-done@bugs.debian.org, 1084171-done@bugs.debian.org, 1084845-done@bugs.debian.org, 1084907-done@bugs.debian.org, 1085026-done@bugs.debian.org, 1085176-done@bugs.debian.org, 1085227-done@bugs.debian.org, 1085281-done@bugs.debian.org, 1085430-done@bugs.debian.org, 1085591-done@bugs.debian.org, 1085708-done@bugs.debian.org, 1085711-done@bugs.debian.org, 1085965-done@bugs.debian.org, 1086116-done@bugs.debian.org, 1086149-done@bugs.debian.org, 1086151-done@bugs.debian.org, 1086154-done@bugs.debian.org, 1086157-done@bugs.debian.org, 1086163-done@bugs.debian.org, 1086164-done@bugs.debian.org, 1086193-done@bugs.debian.org, 1086207-done@bugs.debian.org, 1086601-done@bugs.debian.org, 1086611-done@bugs.debian.org, 1086613-done@bugs.debian.org, 1086632-done@bugs.debian.org, 1081535-done@bugs.debian.org
- Subject: Closing bugs released with 12.8
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 09 Nov 2024 10:51:02 +0000
- Message-id: <b0a29248bc631362ed06a8879f93b8cdae5414d0.camel@adam-barratt.org.uk>

Source: release.debian.org
Version: 12.8

Hi,

Each of the updates tracked by these bugs was included in today's 12.8 bookworm point release.

Regards,

Adam
--- End Message ---