
Bug#1032847: unblock: intel-microcode/3.20230214.1



Hi Tobi,

On Sun, Mar 12, 2023 at 06:56:21PM +0100, Tobias Frost wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: intel-microcode@packages.debian.org, team@security.debian.org
> Control: affects -1 + src:intel-microcode
> 
> I've uploaded intel-microcode to DELAYED/5, ETA will be Mar 17 ~18:00 CET
> Please unblock package intel-microcode once it hits unstable.
> 
> The upload updates intel microcodes to target (See #1031334)
>        - INTEL-SA-00700: CVE-2022-21216
>        - INTEL-SA-00730: CVE-2022-33972
>        - INTEL-SA-00738: CVE-2022-33196
>        - INTEL-SA-00767: CVE-2022-38090
> 
> the CVEs are information disclosure via local access vulnerabilities and
> potential privilege escalations.
> 
> I plan to provide updated packages for bullseye (security team in CC).
> As well as LTS (buster) and ELTS (stretch and jessie) as part of the freexian LTS/ELTS project
> 
> To keep the fixes consistent, I'd like to let them flow from sid -> jessie…

Thanks, that is a good approach, make sure to handle back the
non-free-firmware -> non-free situation.

I talked with Henrique, and feel this covers my initial thinking as
well: The update for bullseye can go through the next point release
(should not be too distant, and have the update as well accepted
early enough there to be exposed further a bit for testing by
interested parties).

In fact, INTEL-SA-0700 might be the most important one, but still would
not warrant a DSA. Two are SGX related which affect intel-microcode
but not that relevant in Debian context (for the affected suites). And
for INTEL-SA-0738 Henrique told me the situation is similar with some
other updates we had in the past, the update will not take entirely unless
loaded by the firmware, it is about early or late loading. Henrique
might comment better on this, if he finds time.

In any case an update in bullseye would be welcome, but we should
rather not push this via a DSA, but batch it in point release update
(I know this is unfortunately not an option for LTS and ELTS, which do
not have point release concept possible).

Regards,
Salvatore

