Bug#1033079: bullseye-pu: package intel-microcode/3.20230214.1~deb11u1
Hi Tobias,
On Fri, Mar 17, 2023 at 07:41:28PM +0000, Tobias Frost wrote:
> On 17 March 2023 19:18:50 UTC, Salvatore Bonaccorso <carnil@debian.org> wrote:
> >
> >On Thu, Mar 16, 2023 at 04:06:29PM +0100, Tobias Frost wrote:
> >> Package: release.debian.org
> >> Severity: normal
> >> Tags: bullseye
> >> User: release.debian.org@packages.debian.org
> >> Usertags: pu
> >> X-Debbugs-Cc: intel-microcode@packages.debian.org, Salvatore Bonaccorso <carnil@debian.org>
> >> Control: affects -1 + src:intel-microcode
> >>
> >> (Please refer to #1032847#12 for security team's feedback
> >> that this should go through SPU.)
> >>
> >> The upload updates intel microcodes to target (See #1031334)
> >> - INTEL-SA-00700: CVE-2022-21216
> >> - INTEL-SA-00730: CVE-2022-33972
> >> - INTEL-SA-00738: CVE-2022-33196
> >> - INTEL-SA-00767: CVE-2022-38090
> >>
> >> the CVEs are information disclosure via local access vulnerabilities and
> >> potential privilege escalations.
> >
> >Note that speaking of fixed CVEs, for bullseye and older with the
> >upload CVE-2022-21233 gets fixed as well (this one was as well not
> >warranting a DSA, it is as well SGX related).
>
> Yes, this CVE is fixed in 3.20220809.1, which is part of this update.
> To make sure I don't miss it: I thought I do not need to repeat the
> CVE in d/changelog if it is mentioned in earlier d/changelog
> entries, right?
Yes this is correct, you do not need to mention it. I just wanted to
make double sure it's as well on the radar (and have not checked if
you have uploaded with -v to include the intermediate changelog entries
as well).
Thank you!
Regards,
Salvatore