Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
As requested by the security team, I would like to bring the microcode update level for Intel processors in Bookworm to match what we have in Sid and Trixie.

This fixes:
- Mitigations for INTEL-SA-01101 (CVE-2024-21853)
- Mitigations for INTEL-SA-01079 (CVE-2024-23918)
- Updated mitigations for INTEL-SA-01097 (CVE-2024-24968)
- Mitigations for INTEL-SA-01103 (CVE-2024-23984)
* Other unspecified functional issues on several processors

There are no relevant issues reported on this microcode update, considering the version of intel-microcode already available as security updates for Bookworm.

[ Impact ]
If this update is not approved, owners of most recent "client" Intel processors and a few server processors will depend on UEFI updates to be protected from the issues listed above.

[ Tests ]
There were no bug reports from users of Debian sid or Trixie; these packages have been tested there since 2024-11-14 (sid), 2024-11-20 (trixie).

[ Risks ]
Unknown, but not believed to be any different from other Intel microcode updates.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
As per the debdiff, only documentation changes, package documentation changes, and the binary blob change from upstream.

 changelog            | 66 ++++++++++++++++++++++++++++++++++++---
 debian/changelog     | 86 +++++++++++++++++++++++++++++++++++++++++++++++----
 intel-ucode/06-8f-05 |binary
 intel-ucode/06-8f-06 |binary
 intel-ucode/06-8f-07 |binary
 intel-ucode/06-8f-08 |binary
 intel-ucode/06-97-02 |binary
 intel-ucode/06-97-05 |binary
 intel-ucode/06-9a-03 |binary
 intel-ucode/06-9a-04 |binary
 intel-ucode/06-aa-04 |binary
 intel-ucode/06-b7-01 |binary
 intel-ucode/06-ba-02 |binary
 intel-ucode/06-ba-03 |binary
 intel-ucode/06-ba-08 |binary
 intel-ucode/06-bf-02 |binary
 intel-ucode/06-bf-05 |binary
 intel-ucode/06-cf-01 |binary
 intel-ucode/06-cf-02 |binary
 releasenote.md       | 72 ++++++++++++++++++++++++++++++++++++++++++
 20 files changed, 213 insertions(+), 11 deletions(-)

[ Other info ]
The package version with "~" is needed to guarantee smooth updates to the next debian release.

-- Henrique Holschuh

diff --git a/changelog b/changelog index e6eb97c..a611986 100644 --- a/changelog +++ b/changelog 
@@ -1,12 +1,57 @@ -2024-09-10: - * New upstream microcode datafile 20240910 +2024-11-12: + * New upstream microcode datafile 20241112 + - Mitigations for INTEL-SA-01101 (CVE-2024-21853) + Improper Finite State Machines (FSMs) in the Hardware logic in + some 4th and 5th Generation Intel Xeon Processors may allow an + authorized user to potentially enable denial of service via local + access. + - Mitigations for INTEL-SA-01079 (CVE-2024-23918) + Potential security vulnerabilities in some Intel Xeon processors + using Intel SGX may allow escalation of privilege. Intel disclosed + that some processor models were already fixed by a previous microcode + update. + - Updated mitigations for INTEL-SA-01097 (CVE-2024-24968) + Improper finite state machines (FSMs) in hardware logic in some + Intel Processors may allow an privileged user to potentially enable a + denial of service via local access. - Mitigations for INTEL-SA-01103 (CVE-2024-23984) A potential security vulnerability in the Running Average Power Limit (RAPL) interface for some Intel Processors may allow information - disclosure. + disclosure. Added mitigations for more processor models. 
+ * Updated Microcodes: + sig 0x000806f8, pf_mask 0x87, 2024-06-20, rev 0x2b000603, size 588800 + sig 0x000806f7, pf_mask 0x87, 2024-06-20, rev 0x2b000603 + sig 0x000806f6, pf_mask 0x87, 2024-06-20, rev 0x2b000603 + sig 0x000806f5, pf_mask 0x87, 2024-06-20, rev 0x2b000603 + sig 0x000806f4, pf_mask 0x87, 2024-06-20, rev 0x2b000603 + sig 0x00090672, pf_mask 0x07, 2024-05-29, rev 0x0037, size 224256 + sig 0x00090675, pf_mask 0x07, 2024-05-29, rev 0x0037 + sig 0x000b06f2, pf_mask 0x07, 2024-05-29, rev 0x0037 + sig 0x000b06f5, pf_mask 0x07, 2024-05-29, rev 0x0037 + sig 0x000906a3, pf_mask 0x80, 2024-06-03, rev 0x0435, size 223232 + sig 0x000906a4, pf_mask 0x80, 2024-06-03, rev 0x0435 + sig 0x000a06a4, pf_mask 0xe6, 2024-08-02, rev 0x0020, size 138240 + sig 0x000b06a2, pf_mask 0xe0, 2024-05-29, rev 0x4123, size 220160 + sig 0x000b06a3, pf_mask 0xe0, 2024-05-29, rev 0x4123 + sig 0x000b06a8, pf_mask 0xe0, 2024-05-29, rev 0x4123 + sig 0x000c06f2, pf_mask 0x87, 2024-06-20, rev 0x21000283, size 560128 + sig 0x000c06f1, pf_mask 0x87, 2024-06-20, rev 0x21000283 + +2024-10-29: + * New upstream microcode datafile 20241029 + - Fixes errata RPL061: Incorrect Internal Voltage Request May Lead to + Unpredictable System Behavior. This errata could eventually cause + permanent hardware damage to the processor. This fix is only active + when the microcode update is loaded from FIT (i.e. in firmware). + * Updated Microcodes: + sig 0x000b0671, pf_mask 0x32, 2024-08-29, rev 0x012b, size 211968 + +2024-09-10: + * New upstream microcode datafile 20240910 - Mitigations for INTEL-SA-01097 (CVE-2024-24968) - A potential security vulnerability in some Intel Processors may allow - denial of service. + Improper finite state machines (FSMs) in hardware logic in some + Intel Processors may allow an privileged user to potentially enable a + denial of service via local access. 
- Fixes for unspecified functional issues on several processor models - The processor voltage limit issue on Core 13rd/14th gen REQUIRES A FIRMWARE UPDATE. It is present in this release for sig 0xb0671, but @@ -52,6 +97,17 @@ allow an authenticated user to potentially enable escalation of privilege via local access. Intel disclosed that some processor models were already fixed by the previous microcode update. + - Mitigations for INTEL-SA-01079 (CVE-2024-23918) + Potential security vulnerabilities in some Intel Xeon processors + using Intel SGX may allow escalation of privilege. Intel released this + information during the full disclosure for the 20241112 update. + Processor signatures 0x606a6 and 0x606c1. + - Mitigations for INTEL-SA-01103 (CVE-2024-23984) + A potential security vulnerability in the Running Average Power Limit + (RAPL) interface for some Intel Processors may allow information + disclosure. Intel released this information during the full disclosure + for the 20240910 update. Processor signatures 0x5065b, 0x606a6, + 0x606c1. - Fix for unspecified functional issues on several processor models - Fix for errata TGL068/ADL075/ICL088/... "Processor may hang during a microcode update". It is not clear which processors were fixed by this diff --git a/debian/changelog b/debian/changelog index 5e6276e..3d0dc0d 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,69 @@ +intel-microcode (3.20241112.1~deb12u1) bookworm; urgency=medium + + * Build for bookworm + * All trixie-only changes (from 3.20240813.2) are reverted on this branch + + -- Henrique de Moraes Holschuh <h...@debian.org> Sat, 07 Dec 2024 14:49:05 -0300 + +intel-microcode (3.20241112.1) unstable; urgency=medium + + * New upstream microcode datafile 20241112 (closes: #1086483) + - Mitigations for INTEL-SA-01101 (CVE-2024-21853) + Improper Finite State Machines (FSMs) in the Hardware logic in some + 4th and 5th Generation Intel Xeon Processors may allow an authorized + user to potentially enable denial of service via local access. + - Mitigations for INTEL-SA-01079 (CVE-2024-23918) + Potential security vulnerabilities in some Intel Xeon processors + using Intel SGX may allow escalation of privilege. Intel disclosed + that some processor models were already fixed by a previous + microcode update. + - Updated mitigations for INTEL-SA-01097 (CVE-2024-24968) + Improper finite state machines (FSMs) in hardware logic in some + Intel Processors may allow an privileged user to potentially enable a + denial of service via local access. + - Mitigations for INTEL-SA-01103 (CVE-2024-23984) + A potential security vulnerability in the Running Average Power Limit + (RAPL) interface for some Intel Processors may allow information + disclosure. Added mitigations for more processor models. 
+ * Updated Microcodes: + sig 0x000806f8, pf_mask 0x87, 2024-06-20, rev 0x2b000603, size 588800 + sig 0x000806f7, pf_mask 0x87, 2024-06-20, rev 0x2b000603 + sig 0x000806f6, pf_mask 0x87, 2024-06-20, rev 0x2b000603 + sig 0x000806f5, pf_mask 0x87, 2024-06-20, rev 0x2b000603 + sig 0x000806f4, pf_mask 0x87, 2024-06-20, rev 0x2b000603 + sig 0x00090672, pf_mask 0x07, 2024-05-29, rev 0x0037, size 224256 + sig 0x00090675, pf_mask 0x07, 2024-05-29, rev 0x0037 + sig 0x000b06f2, pf_mask 0x07, 2024-05-29, rev 0x0037 + sig 0x000b06f5, pf_mask 0x07, 2024-05-29, rev 0x0037 + sig 0x000906a3, pf_mask 0x80, 2024-06-03, rev 0x0435, size 223232 + sig 0x000906a4, pf_mask 0x80, 2024-06-03, rev 0x0435 + sig 0x000a06a4, pf_mask 0xe6, 2024-08-02, rev 0x0020, size 138240 + sig 0x000b06a2, pf_mask 0xe0, 2024-05-29, rev 0x4123, size 220160 + sig 0x000b06a3, pf_mask 0xe0, 2024-05-29, rev 0x4123 + sig 0x000b06a8, pf_mask 0xe0, 2024-05-29, rev 0x4123 + sig 0x000c06f2, pf_mask 0x87, 2024-06-20, rev 0x21000283, size 560128 + sig 0x000c06f1, pf_mask 0x87, 2024-06-20, rev 0x21000283 + * source: update symlinks to reflect id of the latest release, 20241112 + * Update changelog for 3.20240910.1 and 3.20240813.1 with new information: + INTEL-SA-1103 was addressed by 3.20240813.1 for some processor models, + and not by 3.20240910. INTEL-SA-1079 was addressed by 3.20240910.1 for + some processor models. + + -- Henrique de Moraes Holschuh <h...@debian.org> Thu, 14 Nov 2024 15:37:40 -0300 + +intel-microcode (3.20241029.1) UNRELEASED; urgency=medium + + * New upstream microcode datafile 20241029 + - Not relevant for operating system microcode updates + - Only when loaded from firmware, this update fixes the critical, + potentially hardware-damaging errata RPL061: Incorrect Internal + Voltage Request on Raptor Lake (Core 13th/14th gen) Intel + processors. 
+ * Updated Microcodes: + sig 0x000b0671, pf_mask 0x32, 2024-08-29, rev 0x012b, size 211968 + + -- Henrique de Moraes Holschuh <h...@debian.org> Thu, 14 Nov 2024 14:49:03 -0300 + intel-microcode (3.20240910.1~deb12u1) bookworm; urgency=medium * Build for bookworm @@ -8,13 +74,10 @@ intel-microcode (3.20240910.1~deb12u1) bookworm; urgency=medium intel-microcode (3.20240910.1) unstable; urgency=medium * New upstream microcode datafile 20240910 (closes: #1081363) - - Mitigations for INTEL-SA-01103 (CVE-2024-23984) - A potential security vulnerability in the Running Average Power Limit - (RAPL) interface for some Intel Processors may allow information - disclosure. - Mitigations for INTEL-SA-01097 (CVE-2024-24968) - A potential security vulnerability in some Intel Processors may allow - denial of service. + Improper finite state machines (FSMs) in hardware logic in some + Intel Processors may allow an privileged user to potentially enable a + denial of service via local access. - Fixes for unspecified functional issues on several processor models - The processor voltage limit issue on Core 13rd/14th gen REQUIRES A FIRMWARE UPDATE. It is present in this release for sig 0xb0671, but 
@@ -72,6 +135,17 @@ intel-microcode (3.20240813.1) unstable; urgency=medium allow an authenticated user to potentially enable escalation of privilege via local access. Intel disclosed that some processor models were already fixed by the previous microcode update. + - Mitigations for INTEL-SA-01079 (CVE-2024-23918) + Potential security vulnerabilities in some Intel Xeon processors + using Intel SGX may allow escalation of privilege. Intel released this + information during the full disclosure for the 20241112 update. + Processor signatures 0x606a6 and 0x606c1. + - Mitigations for INTEL-SA-01103 (CVE-2024-23984) + A potential security vulnerability in the Running Average Power Limit + (RAPL) interface for some Intel Processors may allow information + disclosure. Intel released this information during the full disclosure + for the 20240910 update. Processor signatures 0x5065b, 0x606a6, + 0x606c1. - Fix for unspecified functional issues on several processor models - Fix for errata TGL068/ADL075/ICL088/... "Processor may hang during a microcode update". It is not clear which processors were fixed by this diff --git a/intel-ucode/06-8f-05 b/intel-ucode/06-8f-05 index ef5b752..34b14f1 100644 Binary files a/intel-ucode/06-8f-05 and b/intel-ucode/06-8f-05 differ diff --git a/intel-ucode/06-8f-06 b/intel-ucode/06-8f-06 index ef5b752..34b14f1 100644 Binary files a/intel-ucode/06-8f-06 and b/intel-ucode/06-8f-06 differ diff --git a/intel-ucode/06-8f-07 b/intel-ucode/06-8f-07 index d629737..803094c 100644 Binary files a/intel-ucode/06-8f-07 and b/intel-ucode/06-8f-07 differ diff --git a/intel-ucode/06-8f-08 b/intel-ucode/06-8f-08 index ef5b752..34b14f1 100644 Binary files a/intel-ucode/06-8f-08 and b/intel-ucode/06-8f-08 differ diff --git a/intel-ucode/06-97-02 b/intel-ucode/06-97-02 index efd034d..68441d5 100644 Binary files a/intel-ucode/06-97-02 and b/intel-ucode/06-97-02 differ 
diff --git a/intel-ucode/06-97-05 b/intel-ucode/06-97-05 index efd034d..68441d5 100644 Binary files a/intel-ucode/06-97-05 and b/intel-ucode/06-97-05 differ diff --git a/intel-ucode/06-9a-03 b/intel-ucode/06-9a-03 index ac46000..d60fc12 100644 Binary files a/intel-ucode/06-9a-03 and b/intel-ucode/06-9a-03 differ diff --git a/intel-ucode/06-9a-04 b/intel-ucode/06-9a-04 index 5630a87..f1f5fc6 100644 Binary files a/intel-ucode/06-9a-04 and b/intel-ucode/06-9a-04 differ diff --git a/intel-ucode/06-aa-04 b/intel-ucode/06-aa-04 index f7ce6aa..267b835 100644 Binary files a/intel-ucode/06-aa-04 and b/intel-ucode/06-aa-04 differ diff --git a/intel-ucode/06-b7-01 b/intel-ucode/06-b7-01 index ed73396..d57fa9d 100644 Binary files a/intel-ucode/06-b7-01 and b/intel-ucode/06-b7-01 differ diff --git a/intel-ucode/06-ba-02 b/intel-ucode/06-ba-02 index 76a1275..19c9647 100644 Binary files a/intel-ucode/06-ba-02 and b/intel-ucode/06-ba-02 differ diff --git a/intel-ucode/06-ba-03 b/intel-ucode/06-ba-03 index 76a1275..19c9647 100644 Binary files a/intel-ucode/06-ba-03 and b/intel-ucode/06-ba-03 differ diff --git a/intel-ucode/06-ba-08 b/intel-ucode/06-ba-08 index 76a1275..19c9647 100644 Binary files a/intel-ucode/06-ba-08 and b/intel-ucode/06-ba-08 differ diff --git a/intel-ucode/06-bf-02 b/intel-ucode/06-bf-02 index efd034d..68441d5 100644 Binary files a/intel-ucode/06-bf-02 and b/intel-ucode/06-bf-02 differ diff --git a/intel-ucode/06-bf-05 b/intel-ucode/06-bf-05 index efd034d..68441d5 100644 Binary files a/intel-ucode/06-bf-05 and b/intel-ucode/06-bf-05 differ diff --git a/intel-ucode/06-cf-01 b/intel-ucode/06-cf-01 index 85ed301..4f47576 100644 Binary files a/intel-ucode/06-cf-01 and b/intel-ucode/06-cf-01 differ diff --git a/intel-ucode/06-cf-02 b/intel-ucode/06-cf-02 index 85ed301..4f47576 100644 Binary files a/intel-ucode/06-cf-02 and b/intel-ucode/06-cf-02 differ 
diff --git a/microcode-20240910.d b/microcode-20241112.d similarity index 100% rename from microcode-20240910.d rename to microcode-20241112.d diff --git a/releasenote.md b/releasenote.md index f00475e..1c417fa 100644 --- a/releasenote.md +++ b/releasenote.md 
@@ -1,3 +1,75 @@ +# Release Notes +## [microcode-20241112](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241112) + +### Purpose + +- Security updates for [INTEL-SA-01101](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01101.html) +- Security updates for [INTEL-SA-01079](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01079.html) +- Updated security updates for [INTEL-SA-01097](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01097.html) +- Updated security updates for [INTEL-SA-01103](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01103.html) +- Update for functional issues. Refer to [Intel® Core™ Ultra Processor](https://cdrdv2.intel.com/v1/dl/getContent/792254) for details. +- Update for functional issues. Refer to [14th/13th Generation Intel® Core™ Processor Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/740518) for details. +- Update for functional issues. Refer to [12th Generation Intel® Core™ Processor Family](https://cdrdv2.intel.com/v1/dl/getContent/682436) for details. +- Update for functional issues. Refer to [5th Gen Intel® Xeon® Scalable Processors Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/793902) for details. +- Update for functional issues. Refer to [4th Gen Intel® Xeon® Scalable Processors Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/772415) for details. +- Update for functional issues. Refer to [3rd Generation Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/637780) for details. +- Update for functional issues. Refer to [Intel® Xeon® D-2700 Processor Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/714071) for details. +- Update for functional issues. 
Refer to [Intel® Xeon® D-1700 and D-1800 Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/714069) for details + + +### New Platforms + +| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products +|:---------------|:---------|:------------|:---------|:---------|:--------- + + +### Updated Platforms + +| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products +|:---------------|:---------|:------------|:---------|:---------|:--------- +| ADL | C0 | 06-97-02/07 | 00000036 | 00000037 | Core Gen12 +| ADL | H0 | 06-97-05/07 | 00000036 | 00000037 | Core Gen12 +| ADL | L0 | 06-9a-03/80 | 00000434 | 00000435 | Core Gen12 +| ADL | R0 | 06-9a-04/80 | 00000434 | 00000435 | Core Gen12 +| EMR-SP | A0 | 06-cf-01/87 | 21000230 | 21000283 | Xeon Scalable Gen5 +| EMR-SP | A1 | 06-cf-02/87 | 21000230 | 21000283 | Xeon Scalable Gen5 +| MTL | C0 | 06-aa-04/e6 | 0000001f | 00000020 | Core™ Ultra Processor +| RPL-H/P/PX 6+8 | J0 | 06-ba-02/e0 | 00004122 | 00004123 | Core Gen13 +| RPL-HX/S | C0 | 06-bf-02/07 | 00000036 | 00000037 | Core Gen13/Gen14 +| RPL-S | H0 | 06-bf-05/07 | 00000036 | 00000037 | Core Gen13/Gen14 +| RPL-U 2+8 | Q0 | 06-ba-03/e0 | 00004122 | 00004123 | Core Gen13 +| SPR-SP | E3 | 06-8f-06/87 | 2b0005c0 | 2b000603 | Xeon Scalable Gen4 +| SPR-SP | E4/S2 | 06-8f-07/87 | 2b0005c0 | 2b000603 | Xeon Scalable Gen4 +| SPR-SP | E5/S3 | 06-8f-08/87 | 2b0005c0 | 2b000603 | Xeon Scalable Gen4 + +### New Disclosures Updated in Prior Releases + +| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products +|:---------------|:---------|:------------|:---------|:---------|:--------- +| ICL-D | B0 | 06-6c-01/10 | 010002b0 | N/A | Xeon D-17xx/D-18xx, D-27xx/D-28xx +| ICX-SP | Dx/M1 | 06-6a-06/87 | 0d0003e7 | N/A | Xeon Scalable Gen3 + + +# Release Notes +## [microcode-20241029](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241029) + +### Purpose + +- Update for functional issues. 
Refer to [14th/13th Generation Intel® Core™ Processor Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/740518) for details. + +### New Platforms + +| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products +|:---------------|:---------|:------------|:---------|:---------|:--------- + + +### Updated Platforms + +| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products +|:---------------|:---------|:------------|:---------|:---------|:--------- +| RPL-E/HX/S | B0 | 06-b7-01/32 | 00000129 | 0000012b | Core Gen13/Gen14 + + # Release Notes ## [microcode-20240910](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240910) diff --git a/supplementary-ucode-20240910_BDX-ML.bin b/supplementary-ucode-20241112_BDX-ML.bin similarity index 100% rename from supplementary-ucode-20240910_BDX-ML.bin rename to supplementary-ucode-20241112_BDX-ML.bin
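
Review bot: the INTEL-SA-01097 descriptions added in both changelog and debian/changelog (under the 20241112 and the 20240910 entries) read "may allow an privileged user"; this should be "a privileged user". While these entries are being touched, the unchanged context line "Core 13rd/14th gen" in the 20240910 entry could be corrected to "13th", which is the spelling the new 3.20241029.1 entry already uses.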
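
Review bot: in debian/changelog, the 3.20241112.1 entry states "INTEL-SA-1079 was addressed by 3.20240910.1 for some processor models", but the hunk at @@ -72,6 +135,17 @@ adds the INTEL-SA-01079 text (processor signatures 0x606a6 and 0x606c1) to the 3.20240813.1 entry, next to INTEL-SA-01103, and the hunk for the 3.20240910.1 entry adds nothing about INTEL-SA-01079. One of the two should be corrected so that the version named in the note matches the entry where the mitigation is recorded. The same note writes the advisory ids as INTEL-SA-1103 and INTEL-SA-1079, without the leading zero used everywhere else in the file (INTEL-SA-01103, INTEL-SA-01079), so a text search of the changelog for the advisory id will miss it.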
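
Review bot: the 3.20241029.1 entry added to debian/changelog keeps the distribution UNRELEASED, and the only explanation in the entry is "Not relevant for operating system microcode updates". Consider adding a line that says this version was never uploaded, so that someone reading the bookworm changelog does not go looking for a package with that version.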