Bug 25896 - Update request: microcode-0.20191115-1.mga7.nonfree
Summary: Update request: microcode-0.20191115-1.mga7.nonfree
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-19 12:16 CET by Thomas Backlund
Modified: 2019-12-25 23:59 CET

See Also:
Source RPM: microcode
CVE:
Status comment:


Description Thomas Backlund 2019-12-19 12:16:12 CET
This is a refresh of the microcode update in:
https://advisories.mageia.org/MGASA-2019-0334.html

Turns out Intel did a re-release ~3 days after the initial rollout that I missed back then...

(S)RPM:
microcode-0.20191115-1.mga7.nonfree
Comment 1 Thomas Backlund 2019-12-19 14:48:45 CET
Advisory, added to svn:

type: security
subject: Updated microcode packages fix security vulnerabilities
CVE:
 - CVE-2019-0117
 - CVE-2019-11135
 - CVE-2019-11139
 - CVE-2018-12207
src:
  7:
   nonfree:
     - microcode-0.20191115-1.mga7.nonfree
description: |
  NOTE! This is a refresh of the 2019112 security update we released
  as MGASA-2019-0334.
  This update provides the Intel 20191115 microcode release that adds
  more microcode side fixes and mitigations for the Core Gen 6 to Core
  gen 10, some Xeon E series, addressing at least the following security
  issues:

  A flaw was found in the implementation of SGX around the access control
  of protected memory.  A local attacker of a system with SGX enabled and
  an affected Intel GPU with the ability to execute code is able to infer
  the contents of the SGX protected memory (CVE-2019-0117).
 
  TSX Asynchronous Abort condition on some CPUs utilizing speculative
  execution may allow an authenticated user to potentially enable information
  disclosure via a side channel with local access. (CVE-2019-11135).

  Improper conditions check in the voltage modulation interface for some
  Intel(R) Xeon(R) Scalable Processors may allow a privileged user to
  potentially enable denial of service via local access (CVE-2019-11139).

  Improper invalidation for page table updates by a virtual guest operating
  system for multiple Intel(R) Processors may allow an authenticated user to
  potentially enable denial of service of the host system via local access
  (CVE-2018-12207).

  TA Indirect Sharing Erratum (Information Leak)

  Incomplete fixes for previous MDS mitigations (VERW)

  SHUF* instruction implementation flaw (DoS)

  EGETKEY Erratum

  Conditional Jump Macro-fusion (DoS or Privilege Escalation)

  For the software side fixes and mitigations of these issues, the kernel
  must be updated to 5.3.13-1.mga7 (mga#25686) or later.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=25896
 - https://bugs.mageia.org/show_bug.cgi?id=25686
 - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00164.html
 - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00210.html
 - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00270.html
 - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00271.html
 - https://www.intel.com/content/www/us/en/support/articles/000055650/processors/intel-xeon-processors.html
 - https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/master/releasenote

Keywords: (none) => advisory

Comment 2 Len Lawrence 2019-12-20 20:50:04 CET
Host: difda Kernel: 5.4.2-desktop-1.mga7 x86_64 bits: 64
Mobo: MSI model: Z97-G43 (MS-7816) v: 3.0
Quad Core: Intel Core i7-4790 type: MT MCP speed: 1699 MHz
microcode: microcode updated early to revision 0x27, date = 2019-02-26
$ rpm -q microcode
microcode-0.20191112-1.mga7.nonfree
date: 2019-12-20
After update:
Smooth reboot.
$ rpm -q microcode
microcode-0.20191115-1.mga7.nonfree
# journalctl -xb | grep microcode
Dec 20 08:29:19 difda kernel: microcode: microcode updated early to revision 0x27, date = 2019-02-26
Dec 20 08:29:19 difda kernel: microcode: sig=0x306c3, pf=0x2, revision=0x27

Leaving this to run.

Host: canopus Kernel: 5.4.2-desktop-1.mga7 x86_64 bits: 64
Mobo: ASUSTeK model: TUF X299 MARK 2 v: Rev 1.xx
10-Core: Intel Core i9-7900X type: MT MCP speed: 1954 MHz
# journalctl -xb | grep microcode
Dec 20 18:31:36 canopus kernel: microcode: microcode updated early to revision 0x2000065, date = 2019-09-05
Dec 20 18:31:36 canopus kernel: microcode: sig=0x50654, pf=0x4, revision=0x2000065

This looks different from the difda case.  On difda nothing changed after another round of 'dracut -f' and it looks like the microcode has not "taken".

CC: (none) => tarazed25

Comment 3 James Kerr 2019-12-21 12:17:47 CET
on mga7-64

Before update:
$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0xd4, date = 2019-08-14
[    0.782061] microcode: sig=0x506e3, pf=0x2, revision=0xd4
[    0.782119] microcode: Microcode Update Driver: v2.2.


package installed cleanly:
- microcode-0.20191115-1.mga7.nonfree.noarch

after executing 'dracut -f' and rebooting:
$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0xd6, date = 2019-10-03
[    0.785212] microcode: sig=0x506e3, pf=0x2, revision=0xd6
[    0.785311] microcode: Microcode Update Driver: v2.2.

No regressions observed

OK for mga7-64 on this system:

Mobo: Dell model: 09WH54 v: UEFI [Legacy]: Dell v: 2.13.1 
CPU: Intel Core i7-6700
Graphics: Intel HD Graphics 530 (Skylake GT2)

CC: (none) => jim
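
The before/after comparison the testers above did by eye can be scripted. The following is an added example, not part of the bug report or of Mageia's QA tooling; the function names are hypothetical, and the sample lines are copied from Comments 2 and 3 except where marked as constructed.

```python
import re

# These kernel messages appear in both `dmesg` and `journalctl -xb` output.
EARLY_RE = re.compile(r"microcode: microcode updated early to revision "
                      r"(0x[0-9a-fA-F]+), date = (\d{4}-\d{2}-\d{2})")
SIG_RE = re.compile(r"microcode: sig=(0x[0-9a-fA-F]+), pf=(0x[0-9a-fA-F]+), "
                    r"revision=(0x[0-9a-fA-F]+)")

def parse_boot(log_text):
    """Extract CPU signature and running microcode revision from one boot's log."""
    sig = SIG_RE.search(log_text)
    if sig is None:
        raise ValueError("no 'microcode: sig=...' line in log")
    early = EARLY_RE.search(log_text)
    return {
        "sig": int(sig.group(1), 16),
        "pf": int(sig.group(2), 16),
        "revision": int(sig.group(3), 16),
        "early_date": early.group(2) if early else None,  # None: no early load
    }

def classify(before, after):
    """Compare two parsed boots; revisions are compared numerically, not as text."""
    if (before["sig"], before["pf"]) != (after["sig"], after["pf"]):
        return "different-cpu"  # logs come from different CPU models
    if after["revision"] > before["revision"]:
        return "updated"
    if after["revision"] < before["revision"]:
        return "downgraded"
    return "unchanged"

# Lines copied from Comment 3 (dmesg before and after the update).
KERR_BEFORE = """\
[    0.000000] microcode: microcode updated early to revision 0xd4, date = 2019-08-14
[    0.782061] microcode: sig=0x506e3, pf=0x2, revision=0xd4"""
KERR_AFTER = """\
[    0.000000] microcode: microcode updated early to revision 0xd6, date = 2019-10-03
[    0.785212] microcode: sig=0x506e3, pf=0x2, revision=0xd6"""
# Journal lines copied from Comment 2 (difda, after the update).
DIFDA_AFTER = """\
Dec 20 08:29:19 difda kernel: microcode: microcode updated early to revision 0x27, date = 2019-02-26
Dec 20 08:29:19 difda kernel: microcode: sig=0x306c3, pf=0x2, revision=0x27"""
# Constructed "before" for difda: sig/pf from the journal, revision 0x27 from the
# pre-update system summary in Comment 2.
DIFDA_BEFORE = "kernel: microcode: sig=0x306c3, pf=0x2, revision=0x27"

if __name__ == "__main__":
    for name, b, a in (("Comment 3", KERR_BEFORE, KERR_AFTER),
                       ("difda", DIFDA_BEFORE, DIFDA_AFTER)):
        print(name, classify(parse_boot(b), parse_boot(a)))
```

An "unchanged" result only says the running revision did not move: the script gives the same answer whether the initrd was not regenerated or the package carries no newer revision for that CPU signature.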

Thomas Backlund 2019-12-25 23:34:55 CET

Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 4 Mageia Robot 2019-12-25 23:59:04 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0413.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

