Source: amd64-microcode Version: 3.20250311.1 Severity: grave Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]> Control: found -1 3.20250311.1~deb12u1
Hi Henrique, The following vulnerabilities were published for amd64-microcode. CVE-2024-36350[0]: | A transient execution vulnerability in some AMD processors may allow | an attacker to infer data from previous stores, potentially | resulting in the leakage of privileged information. CVE-2024-36357[1]: | A transient execution vulnerability in some AMD processors may allow | an attacker to infer data in the L1D cache, potentially resulting in | the leakage of sensitive information across privileged boundaries. My understanding from the patch levels in amd-ucode/README is that we are not yet covered by the needed updates on microcode side[2] for CVE-2024-36350/TSA-SQ and CVE-2024-36357/TSA-L1 in amd64-microcode/3.20250311.1. Correct? If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-36350 https://www.cve.org/CVERecord?id=CVE-2024-36350 [1] https://security-tracker.debian.org/tracker/CVE-2024-36357 https://www.cve.org/CVERecord?id=CVE-2024-36357 [2] https://www.amd.com/content/dam/amd/en/documents/resources/bulletin/technical-guidance-for-mitigating-transient-scheduler-attacks.pdf Regards, Salvatore
