| Summary: | Update request: microcode-0.20191115-1.mga7.nonfree | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Thomas Backlund <tmb> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | jim, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | microcode | CVE: | |
| Status comment: | |||
|
Description
Thomas Backlund
2019-12-19 12:16:12 CET
Advisory, added to svn:

type: security
subject: Updated microcode packages fix security vulnerabilities
CVE:
- CVE-2019-0117
- CVE-2019-11135
- CVE-2019-11139
- CVE-2018-12207
src:
  7:
    nonfree:
    - microcode-0.20191115-1.mga7.nonfree
description: |
  NOTE! This is a refresh of the 2019112 security update we released
  as MGASA-2019-0334.

  This update provides the Intel 20191115 microcode release that adds
  more microcode side fixes and mitigations for the Core Gen 6 to Core
  Gen 10, some Xeon E series, addressing at least the following security
  issues:

  A flaw was found in the implementation of SGX around the access control
  of protected memory. A local attacker of a system with SGX enabled and
  an affected Intel GPU with the ability to execute code is able to infer
  the contents of the SGX protected memory (CVE-2019-0117).

  TSX Asynchronous Abort condition on some CPUs utilizing speculative
  execution may allow an authenticated user to potentially enable information
  disclosure via a side channel with local access. (CVE-2019-11135).

  Improper conditions check in the voltage modulation interface for some
  Intel(R) Xeon(R) Scalable Processors may allow a privileged user to
  potentially enable denial of service via local access (CVE-2019-11139).

  Improper invalidation for page table updates by a virtual guest operating
  system for multiple Intel(R) Processors may allow an authenticated user to
  potentially enable denial of service of the host system via local access
  (CVE-2018-12207).

  TA Indirect Sharing Erratum (Information Leak)
  Incomplete fixes for previous MDS mitigations (VERW)
  SHUF* instruction implementation flaw (DoS)
  EGETKEY Erratum
  Conditional Jump Macro-fusion (DoS or Privilege Escalation)

  For the software side fixes and mitigations of these issues, the kernel
  must be updated to 5.3.13-1.mga7 (mga#25686) or later.
references:
- https://bugs.mageia.org/show_bug.cgi?id=25896
- https://bugs.mageia.org/show_bug.cgi?id=25686
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00164.html
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00210.html
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00270.html
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00271.html
- https://www.intel.com/content/www/us/en/support/articles/000055650/processors/intel-xeon-processors.html
- https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/master/releasenote

Keywords: (none) => advisory

Host: difda Kernel: 5.4.2-desktop-1.mga7 x86_64 bits: 64
Mobo: MSI model: Z97-G43 (MS-7816) v: 3.0
Quad Core: Intel Core i7-4790 type: MT MCP speed: 1699 MHz

microcode: microcode updated early to revision 0x27, date = 2019-02-26
$ rpm -q microcode
microcode-0.20191112-1.mga7.nonfree
date: 2019-12-20

After update:
Smooth reboot.
$ rpm -q microcode
microcode-0.20191115-1.mga7.nonfree
# journalctl -xb | grep microcode
Dec 20 08:29:19 difda kernel: microcode: microcode updated early to revision 0x27, date = 2019-02-26
Dec 20 08:29:19 difda kernel: microcode: sig=0x306c3, pf=0x2, revision=0x27
Leaving this to run.

Host: canopus Kernel: 5.4.2-desktop-1.mga7 x86_64 bits: 64
Mobo: ASUSTeK model: TUF X299 MARK 2 v: Rev 1.xx
10-Core: Intel Core i9-7900X type: MT MCP speed: 1954 MHz
# journalctl -xb | grep microcode
Dec 20 18:31:36 canopus kernel: microcode: microcode updated early to revision 0x2000065, date = 2019-09-05
Dec 20 18:31:36 canopus kernel: microcode: sig=0x50654, pf=0x4, revision=0x2000065

This looks different from the difda case. On difda nothing changed after another round of 'dracut -f' and it looks like the microcode has not "taken".

CC: (none) => tarazed25

on mga7-64

Before update:
$ dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0xd4, date = 2019-08-14
[ 0.782061] microcode: sig=0x506e3, pf=0x2, revision=0xd4
[ 0.782119] microcode: Microcode Update Driver: v2.2.

package installed cleanly:
- microcode-0.20191115-1.mga7.nonfree.noarch

after executing 'dracut -f' and rebooting:
$ dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0xd6, date = 2019-10-03
[ 0.785212] microcode: sig=0x506e3, pf=0x2, revision=0xd6
[ 0.785311] microcode: Microcode Update Driver: v2.2.

No regressions observed
OK for mga7-64 on this system:
Mobo: Dell model: 09WH54 v: UEFI [Legacy]: Dell v: 2.13.1
CPU: Intel Core i7-6700
Graphics: Intel HD Graphics 530 (Skylake GT2)

CC: (none) => jim
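
Added example, not part of the bug report: a small shell check for the before/after comparison the testers above did by eye, reading the kernel's `microcode: sig=..., revision=...` line from `dmesg` or `journalctl` output. The function names are hypothetical, and the `DIFDA_BEFORE` line is constructed from the revision reported in the comment.

```sh
#!/bin/sh
# Added example: did a microcode update take effect after 'dracut -f' + reboot?
# Compares the revision the kernel logged before and after the update.

# Read kernel log text on stdin; print "SIG REVISION" from the last
# "microcode: sig=..., pf=..., revision=..." line, or nothing if absent.
ucode_info() {
    sed -n 's/.*microcode: sig=\(0x[0-9a-fA-F]*\), pf=0x[0-9a-fA-F]*, revision=\(0x[0-9a-fA-F]*\).*/\1 \2/p' |
        tail -n 1
}

# ucode_compare BEFORE_TEXT AFTER_TEXT -> one status line on stdout.
# Both arguments are log text (not file paths).
ucode_compare() {
    before=$(printf '%s\n' "$1" | ucode_info)
    after=$(printf '%s\n' "$2" | ucode_info)
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "unknown: no sig/revision line found"
        return 0
    fi
    sig_b=${before% *} rev_b=${before#* }
    sig_a=${after% *} rev_a=${after#* }
    if [ "$sig_b" != "$sig_a" ]; then
        # Logs from two different machines cannot be compared.
        echo "unknown: different CPU signatures ($sig_b vs $sig_a)"
    elif [ $(($rev_a)) -gt $(($rev_b)) ]; then
        echo "updated: sig=$sig_a $rev_b -> $rev_a"
    elif [ $(($rev_a)) -eq $(($rev_b)) ]; then
        echo "unchanged: sig=$sig_a still at $rev_a"
    else
        echo "downgraded: sig=$sig_a $rev_b -> $rev_a"
    fi
}

# Log lines quoted in the comments above (i7-6700, before and after).
DELL_BEFORE='[ 0.782061] microcode: sig=0x506e3, pf=0x2, revision=0xd4'
DELL_AFTER='[ 0.785212] microcode: sig=0x506e3, pf=0x2, revision=0xd6'
# "After" line quoted above for host difda; the "before" line is constructed
# from the revision 0x27 that the same comment reports prior to the update.
DIFDA_BEFORE='kernel: microcode: sig=0x306c3, pf=0x2, revision=0x27'
DIFDA_AFTER='Dec 20 08:29:19 difda kernel: microcode: sig=0x306c3, pf=0x2, revision=0x27'

ucode_compare "$DELL_BEFORE" "$DELL_AFTER"
ucode_compare "$DIFDA_BEFORE" "$DIFDA_AFTER"
```

An "unchanged" result can also mean that the package carries no newer revision for that CPU signature, so check the release note for the signature before treating it as a failed update.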
Thomas Backlund
2019-12-25 23:34:55 CET
Whiteboard: (none) => MGA7-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0413.html

Resolution: (none) => FIXED |