Hi Tobi,

On Sun, Mar 12, 2023 at 06:56:21PM +0100, Tobias Frost wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: intel-microc...@packages.debian.org, t...@security.debian.org
> Control: affects -1 + src:intel-microcode
>
> I've uploaded intel-microcode to DELAYED/5, ETA will be Mar 17 ~18:00 CET
> Please unblock package intel-microcode once it hits unstable.
>
> The upload updates intel microcodes to target (See #1031334)
> - INTEL-SA-00700: CVE-2022-21216
> - INTEL-SA-00730: CVE-2022-33972
> - INTEL-SA-00738: CVE-2022-33196
> - INTEL-SA-00767: CVE-2022-38090
>
> the CVEs are information disclosure via local access vulnerabilities and
> potential privilege escalations.
>
> I plan to provide updated packages for bullseye (security team in CC).
> As well as LTS (buster) and ELTS (stretch and jessie) as part of the freexian
> LTS/ELTS project)
>
> To keep the fixes consistent, I'd like to let them flow from sid -> jessie…

Thanks, that is a good approach, make sure to handle back the
non-free-firmware -> non-free situation.

I talked with Henrique, and feel this covers my initial thinking as
well: The update for bullseye can go through the next point release
(should not be too distant, and have the update as well accepted early
enough there to be exposed further a bit for testing by interested
parties).

In fact, INTEL-SA-00700 might be the most important one, but still would
not warrant a DSA. Two are SGX related which affect intel-microcode but
not that relevant in Debian context (for the affected suites). And for
INTEL-SA-00738 Henrique told me the situation is similar with some other
updates we had in the past, the update will not take entirely unless
loaded by the firmware, it is about early or late loading. Henrique
might comment better on this, if he finds time.

In any case an update in bullseye would be welcome, but we should rather
not push this via a DSA, but batch it in point release update (I know
this is unfortunately not an option for LTS and ELTS, which do not have
point release concept possible).

Regards,
Salvatore