RedHat has issued an advisory today (November 11):
https://access.redhat.com/errata/RHSA-2020:5085

The issues are fixed upstream in 20201027.

Mageia 7 is also affected. We should make sure the fix in Bug 26995 is applied to Mageia 7 as well.
Whiteboard: (none) => MGA7TOO
Suggested advisory:
========================

The updated package fixes a packaging issue and security vulnerabilities:

Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2020-8694)

Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access. (CVE-2020-8695)

Improper removal of sensitive information before storage or transfer in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2020-8696)

Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2020-8698)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8694
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8695
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8696
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8698
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html
https://access.redhat.com/errata/RHSA-2020:5085
https://bugs.mageia.org/show_bug.cgi?id=26995
========================

Updated package in nonfree/updates_testing:
========================
microcode-0.20201110-1.mga7.nonfree

from SRPM:
microcode-0.20201110-1.mga7.nonfree.src.rpm
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Summary: microcode new security issues CVE-2020-869[568] => microcode new security issues CVE-2020-869[4568]
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Source RPM: microcode-0.2020616-2.mga8.nonfree.src.rpm => microcode-0.2020616-1.mga7.nonfree.src.rpm
CC: (none) => nicolas.salguero
No problem here a couple hours on my workstation, with BOINC exercising the CPU and GPU fully while I surf bugs, edit photos, etc...

That said, I do not know why the journal says microcode date = 2019-02-13 - I guess my CPU i7-3770 is old and there is no patch later than that for it?

nov 12 21:08:53 svarten.tribun kernel: microcode: microcode updated early to revision 0x21, date = 2019-02-13
nov 12 21:08:53 svarten.tribun kernel: SRBDS: Vulnerable: No microcode
nov 12 21:08:53 svarten.tribun kernel: microcode: sig=0x306a9, pf=0x2, revision=0x21
nov 12 21:08:53 svarten.tribun kernel: microcode: Microcode Update Driver: v2.2.
CC: (none) => fri
MGA7-64 MATE on Peaq C1011
No installation issues.
Doing normal things, reading documents, viewing photos, net access, etc....
All seems normal.
CC: (none) => herman.viaene
Mageia 7 x86_64
Intel Core i5 6600K Skylake.

Update to microcode-0.20201110-1.mga7.nonfree is OK.
Reboot is OK.
Basic computer use is OK.
No thermal issue.

$ journalctl -b | grep microcode
nov. 13 17:07:47 mageia.local kernel: microcode: microcode updated early to revision 0xe2, date = 2020-07-14
nov. 13 17:07:47 mageia.local kernel: microcode: sig=0x506e3, pf=0x2, revision=0xe2
nov. 13 17:07:47 mageia.local kernel: microcode: Microcode Update Driver: v2.2.

This system does not seem to be vulnerable according to Intel Advisories.

Tested case of a M7 new installation under a VM with Classic ISO, for bug 26995: Installer can't let me choose updates_testing repo.

Validating update. Package and advisory in Comment 1.
Advisory pushed to SVN.
CC: (none) => ouaurelien
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK
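The journal check used in the test reports above, condensed into a one-line summary per boot. This is an added example, not part of the original thread or of Mageia's QA tooling; the function name microcode_summary, its output format and its status words are made up here, and it assumes the kernel message wording quoted in the comments above.

```shell
#!/bin/sh
# Added example: summarise the kernel "microcode:" lines of one boot.
# Live use, same source as in the report above:
#   journalctl -b | microcode_summary

microcode_summary() {
    awk '
    # Strip a leading "key=" and a trailing comma from one token.
    function val(tok) { sub(/^[a-z]+=/, "", tok); sub(/,$/, "", tok); return tok }
    function or_dash(v) { return v == "" ? "-" : v }

    # "... microcode updated early to revision 0xe2, date = 2020-07-14"
    /microcode: microcode updated early to revision/ {
        for (i = 1; i < NF; i++) {
            if ($i == "revision") early = val($(i + 1))
            if ($i == "date" && $(i + 1) == "=") date = $(i + 2)
        }
    }
    # "... microcode: sig=0x506e3, pf=0x2, revision=0xe2"
    /microcode: sig=/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^sig=/)      sig = val($i)
            if ($i ~ /^pf=/)       pf  = val($i)
            if ($i ~ /^revision=/) rev = val($i)
        }
    }
    END {
        # Compare what the early loader applied with what the CPU now runs.
        if (sig == "")         status = "no-microcode-lines"
        else if (early == "")  status = "no-early-update"
        else if (early == rev) status = "early-update-active"
        else                   status = "revision-mismatch"
        printf "sig=%s pf=%s revision=%s early=%s date=%s status=%s\n",
            or_dash(sig), or_dash(pf), or_dash(rev),
            or_dash(early), or_dash(date), status
    }'
}

# Sample input: the journal lines quoted in the Skylake test report above.
sample_skylake() { cat <<'EOF'
nov. 13 17:07:47 mageia.local kernel: microcode: microcode updated early to revision 0xe2, date = 2020-07-14
nov. 13 17:07:47 mageia.local kernel: microcode: sig=0x506e3, pf=0x2, revision=0xe2
nov. 13 17:07:47 mageia.local kernel: microcode: Microcode Update Driver: v2.2.
EOF
}

sample_skylake | microcode_summary
```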
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0422.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Does this regression affect us? https://ubuntu.com/security/notices/USN-4628-2
(In reply to David Walser from comment #6)
> Does this regression affect us?
> https://ubuntu.com/security/notices/USN-4628-2

Yes, the broken microcode is in the 20201110 firmware release.

There is also now an upstream 20201112 release that adds another microcode (but no fix for this yet).