Security Information / 2023 / Security Information -- DSA-5475-1 linux

Debian Security Advisory

DSA-5475-1 linux -- security update

Date Reported:

11 Aug 2023

Affected Packages:

linux

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2022-40982, CVE-2023-20569.

More information:

• CVE-2022-40982

  Daniel Moghimi discovered Gather Data Sampling (GDS), a hardware vulnerability for Intel CPUs which allows unprivileged speculative access to data which was previously stored in vector registers.

  This mitigation requires updated CPU microcode provided in the intel-microcode package.

  For details please refer to https://downfall.page/ and https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html.

• CVE-2023-20569

  Daniel Trujillo, Johannes Wikner and Kaveh Razavi discovered INCEPTION, also known as Speculative Return Stack Overflow (SRSO), a transient execution attack that leaks arbitrary data on all AMD Zen CPUs. An attacker can mis-train the CPU BTB to predict non architectural CALL instructions in kernel space and use this to control the speculative target of a subsequent kernel RET, potentially leading to information disclosure via a speculative side-channel.

  For details please refer to https://comsec.ethz.ch/research/microarch/inception/ and https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-7005.

For the oldstable distribution (bullseye), these problems have been fixed in version 5.10.179-5.

For the stable distribution (bookworm), these problems have been fixed in version 6.1.38-4.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux