intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?

To: debian-security@lists.debian.org
Subject: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
From: Christoph Pflügler <christoph@pfluegler.net>
Date: Fri, 8 Jan 2021 21:12:53 +0100
Message-id: <[🔎] a9259825-b7ea-8d38-e729-046fe2cba6da@pfluegler.net>

Installing package intel-microcode in Debian 10 (Buster) mitigates mostvulnerabilities as per spectre-meltdown-checker. However, CVE-2018-3640and CVE-2018-3615 are still displayed as unmitigated after reboot, withspectre-meltdown-checker --explain (executed as su) pointing to missingmicrocode upgrades.

According to the Debian package description of intel-microcode, the twovulnerabilities are fixed in the current version of the package.

This occurs in exactly the same way on two different machines, one withan i5-3320M CPU and another one with an E3-1235L v5.

If I remember correctly, I was all green as per spectre-meltdown-checkerin Debian 9 (Stretch).


Does anybody have an explanation and/or fix for this issue?


Thanks and best regards,

Christoph

Reply to:

Follow-Ups:
- Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
  - From: Michael Stone <mstone@debian.org>

Next by Date: Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
Next by thread: Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?
Index(es):
- Date
- Thread