[SECURITY] [DLA 2248-1] intel-microcode security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2248-1] intel-microcode security update
From: Utkarsh Gupta <utkarsh@debian.org>
Date: Sat, 13 Jun 2020 20:59:48 +0530
Message-id: <[🔎] 2b875375-1ab8-836f-1e06-836615f5ee12@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : intel-microcode
Version        : 3.20200609.2~deb8u1
CVE ID         : CVE-2020-0543 CVE-2020-0548 CVE-2020-0549


The following CVE(s) were reported against src:intel-microcode.

CVE-2020-0543

    A new domain bypass transient execution attack known as Special
    Register Buffer Data Sampling (SRBDS) has been found. This flaw
    allows data values from special internal registers to be leaked
    by an attacker able to execute code on any core of the CPU. An
    unprivileged, local attacker can use this flaw to infer values
    returned by affected instructions known to be commonly used
    during cryptographic operations that rely on uniqueness, secrecy,
    or both.

CVE-2020-0548

    A flaw was found in Intel processors where a local attacker is
    able to gain information about registers used for vector
    calculations by observing register states from other processes
    running on the system. This results in a race condition where
    store buffers, which were not cleared, could be read by another
    process or a CPU sibling. The highest threat from this
    vulnerability is data confidentiality where an attacker could
    read arbitrary data as it passes through the processor.

CVE-2020-0549

    A microarchitectural timing flaw was found on some Intel
    processors. A corner case exists where data in-flight during the
    eviction process can end up in the “fill buffers” and not properly
    cleared by the MDS mitigations. The fill buffer contents (which
    were expected to be blank) can be inferred using MDS or TAA style
    attack methods to allow a local attacker to infer fill buffer
    values.

For Debian 8 "Jessie", these problems have been fixed in version
3.20200609.2~deb8u1.

We recommend that you upgrade your intel-microcode packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Best,
Utkarsh
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl7k8OUACgkQgj6WdgbD
S5Y7mw//QpSny0v3MhSFem+X6FKRFQ4TQgzlEp7pE0KJgp8Xnpd5K/iQLhgGLWLh
jQqp8Hx55N4GwL/p0nB40ARMbKDahMVxi4aty2o72hYho1TF1xQyMXGNzYjadw0J
bWsZF4N6XvUG35i5Ai0o3rvEHEBH5K2tB3eLP9esXGF0py8okXS2598ta17fTvq4
ES99Kh6x+AP6WNfKS92Z01KRcZ7P8cXZ8nnojhl7Z7hvpBqMtrJ+c/MyTMHjjnPz
8bueR8PK4FMk08Xokq7aBD2N3Aw1HZVr9smiOto1XTXd+P0pV9OnLo9KFvD8r+HQ
4VlCFcdJEaTHwk6UrkGvFp936e9KUzwscmr/CCuEb2lZHcKAaH4a/ujWKGrPyZLE
xXdib4TKF/qE0JgPqS+F0KtM0ucHcfDegEgDtNBha9/rLjAg99KN3cT4QU/Pjfpz
GQpmvrdbeJUhjiADMIdP24PwWC6ze6FRjgCIbA39eaNUYOuolvdC2lj7mPWFMHXI
nbxMcrGhcNzxrAdg4R9wIr/3j8k0xwZy8GOrHLq/mO3lwXO1w4R/aic6HsUgdLyS
y7fsbTakq7IQI/8sTvGOhxkW5wFGcvjbvzaYtZAcfngo+FaTVY2CYFhji6+B6eY1
G3ZPdVBraeXQBGUZ8pS19abw9LOV0qVVA0pSS1zRnLrAJ/6ZGAA=
=cqVo
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2246-1] xawtv security update
Next by Date: [SECURITY] [DLA 2249-1] libexif security update
Previous by thread: [SECURITY] [DLA 2246-1] xawtv security update
Next by thread: [SECURITY] [DLA 2249-1] libexif security update
Index(es):
- Date
- Thread