--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
As requested by the security team, I would like to bring the microcode
update level for Intel processors in Bullseye and Bookworm to match what
we have in Sid and Trixie. This is the bug report for Bookworm; a
separate one will be filed for Bullseye.
This fixes:
* Two CVEs in many Intel processors
- Mitigations for INTEL-SA-01103 (CVE-2024-23984)
- Mitigations for INTEL-SA-01097 (CVE-2024-24968)
* Other unspecified functional issues on several processors
There are no relevant issues reported on this microcode update,
considering the version of intel-microcode already available as security
updates for bookworm and bullseye.
[ Impact ]
If this update is not approved, owners of most recent "client" Intel
processors and a few server processors will depend on UEFI updates to be
protected from the issues listed above.
[ Tests ]
There were no bug reports from users of Debian sid or Trixie; these
packages have been tested there since 2024-09-21 (sid), 2024-09-27
(trixie).
[ Risks ]
Unknown, but not believed to be any different from other Intel microcode
updates.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
As per the debdiff, only documentation changes, package documentation
changes, and the binary blob change from upstream.
changelog | 52 ++++++++++++++++++++++++++++++++++--
debian/changelog | 73 ++++++++++++++++++++++++++++++++++++++++++++++++---
intel-ucode/06-97-02 |binary
intel-ucode/06-97-05 |binary
intel-ucode/06-9a-03 |binary
intel-ucode/06-9a-04 |binary
intel-ucode/06-aa-04 |binary
intel-ucode/06-b7-01 |binary
intel-ucode/06-ba-02 |binary
intel-ucode/06-ba-03 |binary
intel-ucode/06-ba-08 |binary
intel-ucode/06-be-00 |binary
intel-ucode/06-bf-02 |binary
intel-ucode/06-bf-05 |binary
releasenote.md | 35 ++++++++++++++++++++++++
15 files changed, 155 insertions(+), 5 deletions(-)
[ Other info ]
The package version with "~" is needed to guarantee smooth updates to
the next debian release.
--
Henrique Holschuh
diff --git a/changelog b/changelog
index d5e45bc..e6eb97c 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,33 @@
+2024-09-10:
+ * New upstream microcode datafile 20240910
+ - Mitigations for INTEL-SA-01103 (CVE-2024-23984)
+ A potential security vulnerability in the Running Average Power Limit
+ (RAPL) interface for some Intel Processors may allow information
+ disclosure.
+ - Mitigations for INTEL-SA-01097 (CVE-2024-24968)
+ A potential security vulnerability in some Intel Processors may allow
+ denial of service.
+ - Fixes for unspecified functional issues on several processor models
+ - The processor voltage limit issue on Core 13rd/14th gen REQUIRES A
+ FIRMWARE UPDATE. It is present in this release for sig 0xb0671, but
+ THE VOLTAGE ISSUE FIX ONLY WORKS WHEN THE MICROCODE UPDATE IS LOADED
+ THROUGH THE FIT TABLE IN FIRMWARE. Contact your system vendor for a
+ firmware update that includes the appropriate microcode update for
+ your processor.
+ * Updated Microcodes:
+ sig 0x00090672, pf_mask 0x07, 2024-02-22, rev 0x0036, size 224256
+ sig 0x00090675, pf_mask 0x07, 2024-02-22, rev 0x0036
+ sig 0x000b06f2, pf_mask 0x07, 2024-02-22, rev 0x0036
+ sig 0x000b06f5, pf_mask 0x07, 2024-02-22, rev 0x0036
+ sig 0x000906a3, pf_mask 0x80, 2024-02-22, rev 0x0434, size 222208
+ sig 0x000906a4, pf_mask 0x80, 2024-02-22, rev 0x0434
+ sig 0x000a06a4, pf_mask 0xe6, 2024-06-17, rev 0x001f, size 137216
+ sig 0x000b0671, pf_mask 0x32, 2024-07-18, rev 0x0129, size 215040
+ sig 0x000b06a2, pf_mask 0xe0, 2024-02-22, rev 0x4122, size 220160
+ sig 0x000b06a3, pf_mask 0xe0, 2024-02-22, rev 0x4122
+ sig 0x000b06a8, pf_mask 0xe0, 2024-02-22, rev 0x4122
+ sig 0x000b06e0, pf_mask 0x19, 2024-03-25, rev 0x001a, size 138240
+
2024-08-13:
* New upstream microcode datafile 20240813 (second release)
- Mitigations for INTEL-SA-01083 (CVE-2024-24853)
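Review bot: "Core 13rd/14th gen" in the voltage-limit item of the new 2024-09-10 entry should read "13th/14th gen", and the heading "* Updated Microcodes:" is capitalised differently from the "* Updated microcodes:" heading the 20240813 entry uses later in this file. The voltage item also says the sig 0xb0671 update is "present in this release" yet only effective when loaded through the FIT; one plain sentence stating that installing this package is not enough for that fix would be easier to act on than the all-caps run.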
@@ -15,12 +45,17 @@
- Mitigations for INTEL-SA-01038 (CVE-2023-42667)
Improper isolation in the Intel Core Ultra Processor stream cache
mechanism may allow an authenticated user to potentially enable
- escalation of privilege via local access.
+ escalation of privilege via local access. Intel disclosed that some
+ processor models were already fixed by the previous microcode update.
- Mitigations for INTEL-SA-01046 (CVE-2023-49141)
Improper isolation in some Intel® Processors stream cache mechanism may
allow an authenticated user to potentially enable escalation of
- privilege via local access.
+ privilege via local access. Intel disclosed that some processor models
+ were already fixed by the previous microcode update.
- Fix for unspecified functional issues on several processor models
+ - Fix for errata TGL068/ADL075/ICL088/... "Processor may hang during a
+ microcode update". It is not clear which processors were fixed by this
+ release, or by one of the microcode updates from 2024-05.
* Updated microcodes:
sig 0x00050657, pf_mask 0xbf, 2024-03-01, rev 0x5003707, size 39936
sig 0x0005065b, pf_mask 0xbf, 2024-04-01, rev 0x7002904, size 30720
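Review bot: the added errata item names "TGL068/ADL075/ICL088/..." with an open-ended ellipsis and then says it is not clear which processors were fixed, so a reader cannot tell from this entry whether their model is covered. Either list the full set of errata ids or point to the specification update documents the list was taken from.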
@@ -69,6 +104,19 @@
Improper input validation in some Intel TDX module software before
version 1.5.05.46.698 may allow a privileged user to potentially enable
escalation of privilege via local access.
+ - Mitigations for INTEL-SA-01046 (CVE-2023-49141)
+ Improper isolation in some Intel Processors stream cache mechanism may
+ allow an authenticated user to potentially enable escalation of
+ privilege via local access (time-travel entry, added after Intel
+ released this information during the full disclosure for the 20240813
+ update). Processor signatures 0x806f4-0x806f8, 0xb0671, 0x90672, and
+ 0x90675
+ - Mitigations for INTEL-SA-01100 (CVE-2024-24980) for the Intel
+ Protection mechanism failure in some 3rd, 4th, and 5th Generation Intel
+ Xeon Processors may allow a privileged user to potentially enable
+ escalation of privilege via local access (time-travel entry, added after
+ Intel released this information during the full disclosure for the
+ 20240813 update). Processor signatures 0xc06f1 and 0xc06f2.
- Fix for unspecified functional issues on 4th gen and 5th gen Xeon
Scalable, 12th, 13th and 14th gen Intel Core processors, as well as for
Core i3 N-series processors.
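Review bot: the added INTEL-SA-01100 item does not parse: its first line ends with "for the Intel" and the next line starts a new sentence with "Protection mechanism failure in some 3rd, 4th, and 5th Generation Intel Xeon Processors". Drop the dangling "for the Intel" so the item follows the same "Mitigations for X (CVE)" plus description pattern as the others. The INTEL-SA-01046 item above it also ends at "0x90675" without the full stop that the following item has after "0xc06f2".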
diff --git a/debian/changelog b/debian/changelog
index 5038f31..5e6276e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,46 @@
+intel-microcode (3.20240910.1~deb12u1) bookworm; urgency=medium
+
+ * Build for bookworm
+ * All trixie-only changes (from 3.20240813.2) are reverted on this branch
+
+ -- Henrique de Moraes Holschuh <h...@debian.org> Fri, 01 Nov 2024 20:13:41 -0300
+
+intel-microcode (3.20240910.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20240910 (closes: #1081363)
+ - Mitigations for INTEL-SA-01103 (CVE-2024-23984)
+ A potential security vulnerability in the Running Average Power Limit
+ (RAPL) interface for some Intel Processors may allow information
+ disclosure.
+ - Mitigations for INTEL-SA-01097 (CVE-2024-24968)
+ A potential security vulnerability in some Intel Processors may allow
+ denial of service.
+ - Fixes for unspecified functional issues on several processor models
+ - The processor voltage limit issue on Core 13rd/14th gen REQUIRES A
+ FIRMWARE UPDATE. It is present in this release for sig 0xb0671, but
+ THE VOLTAGE ISSUE FIX ONLY WORKS WHEN THE MICROCODE UPDATE IS LOADED
+ THROUGH THE FIT TABLE IN FIRMWARE. Contact your system vendor for a
+ firmware update that includes the appropriate microcode update for
+ your processor.
+ * Updated Microcodes:
+ sig 0x00090672, pf_mask 0x07, 2024-02-22, rev 0x0036, size 224256
+ sig 0x00090675, pf_mask 0x07, 2024-02-22, rev 0x0036
+ sig 0x000b06f2, pf_mask 0x07, 2024-02-22, rev 0x0036
+ sig 0x000b06f5, pf_mask 0x07, 2024-02-22, rev 0x0036
+ sig 0x000906a3, pf_mask 0x80, 2024-02-22, rev 0x0434, size 222208
+ sig 0x000906a4, pf_mask 0x80, 2024-02-22, rev 0x0434
+ sig 0x000a06a4, pf_mask 0xe6, 2024-06-17, rev 0x001f, size 137216
+ sig 0x000b0671, pf_mask 0x32, 2024-07-18, rev 0x0129, size 215040
+ sig 0x000b06a2, pf_mask 0xe0, 2024-02-22, rev 0x4122, size 220160
+ sig 0x000b06a3, pf_mask 0xe0, 2024-02-22, rev 0x4122
+ sig 0x000b06a8, pf_mask 0xe0, 2024-02-22, rev 0x4122
+ sig 0x000b06e0, pf_mask 0x19, 2024-03-25, rev 0x001a, size 138240
+ * Update changelog for 3.20240813.1 with new information
+ * Update changelog for 3.20240514.1 with new information
+ * source: update symlinks to reflect id of the latest release, 20240910
+
+ -- Henrique de Moraes Holschuh <h...@debian.org> Sat, 21 Sep 2024 16:40:07 -0300
+
intel-microcode (3.20240813.1~deb12u1) bookworm; urgency=medium
* Build for bookworm (no changes from 3.20240813.1)
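Review bot: the 3.20240910.1~deb12u1 entry says "All trixie-only changes (from 3.20240813.2) are reverted on this branch" without naming them, and no 3.20240813.2 entry is visible in this branch's changelog (the context jumps from 3.20240910.1 to 3.20240813.1~deb12u1), so the stable changelog gives no way to see what was reverted. List the reverted changes, as the previous stable entry did with "(no changes from 3.20240813.1)". The unstable entry also repeats the "Core 13rd/14th gen" typo, which should be "13th/14th gen".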
@@ -22,12 +65,17 @@ intel-microcode (3.20240813.1) unstable; urgency=medium
- Mitigations for INTEL-SA-01038 (CVE-2023-42667)
Improper isolation in the Intel Core Ultra Processor stream cache
mechanism may allow an authenticated user to potentially enable
- escalation of privilege via local access.
+ escalation of privilege via local access. Intel disclosed that some
+ processor models were already fixed by the previous microcode update.
- Mitigations for INTEL-SA-01046 (CVE-2023-49141)
- Improper isolation in some Intel® Processors stream cache mechanism may
+ Improper isolation in some Intel Processors stream cache mechanism may
allow an authenticated user to potentially enable escalation of
- privilege via local access.
+ privilege via local access. Intel disclosed that some processor models
+ were already fixed by the previous microcode update.
- Fix for unspecified functional issues on several processor models
+ - Fix for errata TGL068/ADL075/ICL088/... "Processor may hang during a
+ microcode update". It is not clear which processors were fixed by this
+ release, or by one of the microcode updates from 2024-05.
* Updated microcodes:
sig 0x00050657, pf_mask 0xbf, 2024-03-01, rev 0x5003707, size 39936
sig 0x0005065b, pf_mask 0xbf, 2024-04-01, rev 0x7002904, size 30720
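Review bot: the INTEL-SA-01046 line in this hunk silently changes "Intel® Processors" to "Intel Processors", while the matching entry in the upstream changelog hunk keeps the "®" on its context line. Pick one spelling for both files, so that the only differences in this historical entry are the ones "Update changelog for 3.20240813.1 with new information" describes.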
@@ -91,6 +139,25 @@ intel-microcode (3.20240514.1) unstable; urgency=medium
Improper input validation in some Intel TDX module software before
version 1.5.05.46.698 may allow a privileged user to potentially enable
escalation of privilege via local access.
+ * Mitigations for INTEL-SA-01046 (CVE-2023-49141)
+ Improper isolation in some Intel Processors stream cache mechanism may
+ allow an authenticated user to potentially enable escalation of
+ privilege via local access (time-travel entry, added after Intel
+ released this information during the full disclosure for the 20240813
+ update)
+ * Mitigations for INTEL-SA-01046 (CVE-2023-49141)
+ Improper isolation in some Intel Processors stream cache mechanism may
+ allow an authenticated user to potentially enable escalation of
+ privilege via local access (time-travel entry, added after Intel
+ released this information during the full disclosure for the 20240813
+ update). Processor signatures 0x806f4-0x806f8, 0xb0671, 0x90672, and
+ 0x90675
+ * Mitigations for INTEL-SA-01100 (CVE-2024-24980) for the Intel
+ Protection mechanism failure in some 3rd, 4th, and 5th Generation Intel
+ Xeon Processors may allow a privileged user to potentially enable
+ escalation of privilege via local access (time-travel entry, added after
+ Intel released this information during the full disclosure for the
+ 20240813 update). Processor signatures 0xc06f1 and 0xc06f2.
* Fix for unspecified functional issues on 4th gen and 5th gen Xeon
Scalable, 12th, 13th and 14th gen Intel Core processors, as well as for
Core i3 N-series processors.
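Review bot: INTEL-SA-01046 (CVE-2023-49141) is added twice to the 3.20240514.1 entry, first ending at "update)" with no signatures and then again with "Processor signatures 0x806f4-0x806f8, 0xb0671, 0x90672, and 0x90675". The upstream changelog hunk carries only the second form, so the first copy should be dropped. The INTEL-SA-01100 item here also carries the dangling "for the Intel" at the end of its first line.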
diff --git a/intel-ucode/06-97-02 b/intel-ucode/06-97-02
index 05450f8..efd034d 100644
Binary files a/intel-ucode/06-97-02 and b/intel-ucode/06-97-02 differ
diff --git a/intel-ucode/06-97-05 b/intel-ucode/06-97-05
index 05450f8..efd034d 100644
Binary files a/intel-ucode/06-97-05 and b/intel-ucode/06-97-05 differ
diff --git a/intel-ucode/06-9a-03 b/intel-ucode/06-9a-03
index b4f9b45..ac46000 100644
Binary files a/intel-ucode/06-9a-03 and b/intel-ucode/06-9a-03 differ
diff --git a/intel-ucode/06-9a-04 b/intel-ucode/06-9a-04
index 27bfc92..5630a87 100644
Binary files a/intel-ucode/06-9a-04 and b/intel-ucode/06-9a-04 differ
diff --git a/intel-ucode/06-aa-04 b/intel-ucode/06-aa-04
index 170887a..f7ce6aa 100644
Binary files a/intel-ucode/06-aa-04 and b/intel-ucode/06-aa-04 differ
diff --git a/intel-ucode/06-b7-01 b/intel-ucode/06-b7-01
index fc76856..ed73396 100644
Binary files a/intel-ucode/06-b7-01 and b/intel-ucode/06-b7-01 differ
diff --git a/intel-ucode/06-ba-02 b/intel-ucode/06-ba-02
index c2b3de7..76a1275 100644
Binary files a/intel-ucode/06-ba-02 and b/intel-ucode/06-ba-02 differ
diff --git a/intel-ucode/06-ba-03 b/intel-ucode/06-ba-03
index c2b3de7..76a1275 100644
Binary files a/intel-ucode/06-ba-03 and b/intel-ucode/06-ba-03 differ
diff --git a/intel-ucode/06-ba-08 b/intel-ucode/06-ba-08
index c2b3de7..76a1275 100644
Binary files a/intel-ucode/06-ba-08 and b/intel-ucode/06-ba-08 differ
diff --git a/intel-ucode/06-be-00 b/intel-ucode/06-be-00
index 7be2d62..5316c7e 100644
Binary files a/intel-ucode/06-be-00 and b/intel-ucode/06-be-00 differ
diff --git a/intel-ucode/06-bf-02 b/intel-ucode/06-bf-02
index 05450f8..efd034d 100644
Binary files a/intel-ucode/06-bf-02 and b/intel-ucode/06-bf-02 differ
diff --git a/intel-ucode/06-bf-05 b/intel-ucode/06-bf-05
index 05450f8..efd034d 100644
Binary files a/intel-ucode/06-bf-05 and b/intel-ucode/06-bf-05 differ
diff --git a/microcode-20240813.d b/microcode-20240910.d
similarity index 100%
rename from microcode-20240813.d
rename to microcode-20240910.d
diff --git a/releasenote.md b/releasenote.md
index e501368..f00475e 100644
--- a/releasenote.md
+++ b/releasenote.md
@@ -1,3 +1,38 @@
+# Release Notes
+## [microcode-20240910](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240910)
+
+### Purpose
+
+- Security updates for [INTEL-SA-01103](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01103.html)
+- Security updates for [INTEL-SA-01097](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01097.html)
+- Update for functional issues. Refer to [Intel® Core™ Ultra Processor](https://cdrdv2.intel.com/v1/dl/getContent/792254) for details.
+- Update for functional issues. Refer to [13th Generation Intel® Core™ Processor Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/740518) for details.
+- Update for functional issues. Refer to [12th Generation Intel® Core™ Processor Family](https://cdrdv2.intel.com/v1/dl/getContent/682436) for details.
+- Update for functional issues. Refer to [Intel® Processors and Intel® Core™ i3 N-Series](https://cdrdv2.intel.com/v1/dl/getContent/764616) for details.
+
+### New Platforms
+
+| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
+|:---------------|:---------|:------------|:---------|:---------|:---------
+| TWL | N0 | 06-be-00/19 | | 0000001a | Core i3-N305/N300, N50/N97/N100/N200, Atom x7211E/x7213E/x7425E
+
+### Updated Platforms
+
+| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
+|:---------------|:---------|:------------|:---------|:---------|:---------
+| ADL | C0 | 06-97-02/07 | 00000035 | 00000036 | Core Gen12
+| ADL | H0 | 06-97-05/07 | 00000035 | 00000036 | Core Gen12
+| ADL | L0 | 06-9a-03/80 | 00000433 | 00000434 | Core Gen12
+| ADL | R0 | 06-9a-04/80 | 00000433 | 00000434 | Core Gen12
+| ADL-N | N0 | 06-be-00/11 | 00000017 | 0000001a | Core i3-N305/N300, N50/N97/N100/N200, Atom x7211E/x7213E/x7425E
+| MTL | C0 | 06-aa-04/e6 | 0000001e | 0000001f | Core™ Ultra Processor
+| RPL-E/HX/S | B0 | 06-b7-01/32 | 00000123 | 00000129 | Core Gen13/Gen14
+| RPL-H/P/PX 6+8 | J0 | 06-ba-02/e0 | 00004121 | 00004122 | Core Gen13
+| RPL-HX/S | C0 | 06-bf-02/07 | 00000035 | 00000036 | Core Gen13/Gen14
+| RPL-S | H0 | 06-bf-05/07 | 00000035 | 00000036 | Core Gen13/Gen14
+| RPL-U 2+8 | Q0 | 06-ba-03/e0 | 00004121 | 00004122 | Core Gen13
+
+
# Release Notes
## [microcode-20240813](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813)
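Review bot: the "Updated Platforms" table has no row for 06-ba-08, although the diffstat shows intel-ucode/06-ba-08 changing (same index c2b3de7..76a1275 as 06-ba-02 and 06-ba-03) and both changelogs list sig 0x000b06a8 at rev 0x4122. Since releasenote.md is upstream text, keep it as is, but it is worth a line in d/changelog that the upstream table is incomplete, so nobody auditing coverage from the release notes concludes that signature was not updated.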
diff --git a/supplementary-ucode-20240813_BDX-ML.bin b/supplementary-ucode-20240910_BDX-ML.bin
similarity index 100%
rename from supplementary-ucode-20240813_BDX-ML.bin
rename to supplementary-ucode-20240910_BDX-ML.bin
--- End Message ---