[SECURITY] [DLA 1446-1] intel-microcode security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1446-1] intel-microcode security update
From: Markus Koschany <apo@debian.org>
Date: Fri, 27 Jul 2018 07:08:13 +0200
Message-id: <[🔎] c20debef-f36e-a8aa-f674-400a40df1930@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : intel-microcode
Version        : 3.20180703.2~deb8u1
CVE ID         : CVE-2018-3639 CVE-2018-3640

Security researchers identified two software analysis methods that, if
used for malicious purposes, have the potential to improperly gather
sensitive data from multiple types of computing devices with different
vendors’ processors and operating systems.

This update requires an update to the intel-microcode package, which
is non-free. Users who have already installed the version from
jessie-backports-sloppy do not need to upgrade.

CVE-2018-3639 – Speculative Store Bypass (SSB) – also known as Variant 4

    Systems with microprocessors utilizing speculative execution and
    speculative execution of memory reads before the addresses of all
    prior memory writes are known may allow unauthorized disclosure of
    information to an attacker with local user access via a side-channel
    analysis.


CVE-2018-3640 – Rogue System Register Read (RSRE) – also known as
                Variant 3a

    Systems with microprocessors utilizing speculative execution and
    that perform speculative reads of system registers may allow
    unauthorized disclosure of system parameters to an attacker with
    local user access via a side-channel analysis.

For Debian 8 "Jessie", these problems have been fixed in version
3.20180703.2~deb8u1.

We recommend that you upgrade your intel-microcode packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAltaqL1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeTRFRAAwWxspmLvIzQevNqpdDQx6brgt9nwTQX5j+WNuvknBXmREZHIk3m1Wt9v
DT0/gbrvwg2UqMnsKRfiqLIekA1RtNS7rW/0gyhTp1eWenkaps8susW2Gn48I5Ty
tNjnZ2juZo+qWFUbW0Y8VTxetndkz521SzJdXXbLP7lJsMNM0jwLDlmbWWxYAGjg
BVRjSfTMq8b9txeNNP2mh0Zu7W8TxweXeBXRwuygfUJEcLLercCjiiBnhfxI3HGv
Rxz/I2sBpC6Vp8xMau8jHStRjyhZhjc9AteJWoptzhfKd976xY0UtVaVg9ydaD7B
Jwm1VoOCkaIGjfbuTracdegvhb4XsE+lkdFzrj6CDHuAE/fd0F902CMz62YdrqXL
MIIAdYDmXox+5NXGpc9cfORKIBJd4maF7NSZOadm8l+VVGTeMu5KO96y7Nrn1fY4
q8VlvoMmgNoYgWZ5QiDxZSp5+LPOYaJq08E0dOWzPwFhA+9GTfZUR2cLvMc1D94B
j8DcZ8a+2/fcpCDuKRYXcmMGAsyXgDnVxwDRYTwyai/Kd8LQUdEbEjZO4Mo+ZJrp
0PtonxJkNie/J2Q0orCFDZOLMB1GtzcODNfp8QPav+mh8Bjpyg49v7hcKln+jZ2s
HmQOzm5m4tlFCrk/p/YTxBUSldftyStngp+uf/Fhxm6dzyN+Qo0=
=hWlG
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1445-1] busybox security update
Next by Date: [SECURITY] [DLA 1442-2] mailman regression update
Previous by thread: [SECURITY] [DLA 1445-1] busybox security update
Next by thread: [SECURITY] [DLA 1442-2] mailman regression update
Index(es):
- Date
- Thread