linux/intel-microcode security upgrades


Postby sunrat » 2018-08-22 06:47

There have been security upgrades to linux and intel-microcode this week. Does anyone know if this applies to all Intel processors? The advisory mentions "Common server class CPUs".

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4279-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 20, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2018-3620 CVE-2018-3646

Multiple researchers have discovered a vulnerability in the way the
Intel processor designs have implemented speculative execution of
instructions in combination with handling of page-faults. This flaw
could allow an attacker controlling an unprivileged process to read
memory from arbitrary (non-user controlled) addresses, including from
the kernel and all other processes running on the system or cross
guest/host boundaries to read host memory.

To fully resolve these vulnerabilities it is also necessary to install
updated CPU microcode (only available in Debian non-free). Common server
class CPUs are covered in the update released as DSA 4273-1.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.110-3+deb9u3.


https://www.debian.org/security/2018/dsa-4279
https://www.debian.org/security/2018/dsa-4273
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!
sunrat
 
Posts: 2461
Joined: 2006-08-29 09:12
Location: Melbourne, Australia

Re: linux/intel-microcode security upgrades

Postby None1975 » 2018-08-22 15:33

sunrat wrote:There have been security upgrades to linux and intel-microcode this week. Does anyone know if this applies to all Intel processors?

No, not all processors. For example my processor
Code: Select all
Intel i7 920 (8) @ 2.7GHz
is not in the list.
OS: Debian 9.5 / WM: Xmonad
Debian Wiki | DontBreakDebian, My config files in github
Linux User #607425
None1975
 
Posts: 669
Joined: 2015-11-29 18:23
Location: Lithuania, Vilnius

Re: linux/intel-microcode security upgrades

Postby stevepusser » 2018-08-22 16:36

None1975 wrote:
sunrat wrote:There have been security upgrades to linux and intel-microcode this week. Does anyone know if this applies to all Intel processors?

No, not all processors. For example my processor
Code: Select all
Intel i7 920 (8) @ 2.7GHz
is not in the list.


Ummmm....that list you linked to is for a microcode update from 2009. I wouldn't expect any newer processors to be on it, either.

The Security Now podcast usually has clear explanations as to what hardware is affected by these new exploits...and transcripts can easily be downloaded and searched from here: https://www.grc.com/securitynow.htm
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: Quod Libet 4.2.0, Pale Moon 28.2.0, wine-staging 3.20, GIMP 2.10.8, Liquorix kernel 4.18-22, Midori 6.0
stevepusser
 
Posts: 10126
Joined: 2009-10-06 05:53

Re: linux/intel-microcode security upgrades

Postby pcalvert » 2018-08-22 22:37

“Property is the fruit of labor; property is desirable; it is a positive good
in the world. That some should be rich shows that others may become
rich, and hence is just encouragement to industry and enterprise.”
— Abraham Lincoln
pcalvert
 
Posts: 1803
Joined: 2006-04-21 11:19
Location: Sol Sector

Re: linux/intel-microcode security upgrades

Postby stevepusser » 2018-08-22 22:40

Basically, all Intel processors from the last decade (or even earlier) use speculative execution, and that's where the exploits have been discovered.
stevepusser
 
Posts: 10126
Joined: 2009-10-06 05:53

Re: linux/intel-microcode security upgrades

Postby sunrat » 2018-08-23 00:00

Here's the current list, appears to be for almost all Intel processors. Including my i5 6500, Core2Duo E8500, and Celeron <something> in a netbook. Just had to scroll down on None1975's linked page to "Other Versions".

https://downloadcenter.intel.com/downlo ... -Data-File
sunrat
 
Posts: 2461
Joined: 2006-08-29 09:12
Location: Melbourne, Australia


Re: linux/intel-microcode security upgrades

Postby Head_on_a_Stick » 2018-08-23 06:02

For those who need the fixes now, download the Arch intel-ucode package from this link:

https://www.archlinux.org/packages/extr ... /download/

Unpack the tarball and copy the initrd image to /boot:
Code: Select all
tar xf intel-ucode-20180807-1-any.pkg.tar.xz
# cp boot/intel-ucode.img /boot/intel-ucode.img

Now add a custom GRUB boot entry at the end of /etc/grub/40_custom:
Code: Select all
menuentry 'Debian ucode' {
    set root 'hdX,Y'
    linux /vmlinuz root=/dev/sdZY ro quiet # add other kernel parameters here
    initrd /boot/intel-ucode.img /initrd.img
}

^ Change the "set root" line so the X is replaced by the hard drive index (where sda is represented by "0", sdb="1", sdc="2", etc) and the Y is the partition number of the root filesystem; remember to run `update-grub` (as root) to generate the entry afterwards.

EDIT: Z=X+1
I suffer from depression and may lash out occasionally, try not to take it personally.
Head_on_a_Stick
 
Posts: 8170
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: linux/intel-microcode security upgrades

Postby sunrat » 2018-08-23 07:31

intel-microcode was always non-free.
An upgrade was released on August 16 as linked in my OP. Is that not the current release from Intel?

https://www.debian.org/security/2018/dsa-4273

Debian Security Advisory
DSA-4273-1 intel-microcode -- security update

Date Reported:
16 Aug 2018
Affected Packages:
intel-microcode
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2018-3639, CVE-2018-3640.
More information:

This update ships updated CPU microcode for some types of Intel CPUs and provides SSBD support (needed to address "Spectre v4") and fixes for "Spectre v3a".

For the stable distribution (stretch), these problems have been fixed in version 3.20180703.2~deb9u1.
sunrat
 
Posts: 2461
Joined: 2006-08-29 09:12
Location: Melbourne, Australia

Re: linux/intel-microcode security upgrades

Postby None1975 » 2018-08-23 12:35

stevepusser wrote:The Security Now podcast usually has clear explanations as to what hardware is affected by these new exploits...and transcripts can easily be downloaded and searched from here: https://www.grc.com/securitynow.htm

Thank you for the link.
None1975
 
Posts: 669
Joined: 2015-11-29 18:23
Location: Lithuania, Vilnius


Re: linux/intel-microcode security upgrades

Postby stevepusser » 2018-08-25 16:42

FWIW, it is safe to manually download and install the Sid deb in Stretch in terms of not making a FrankenDebian, or one could just wait until it's a security update in Stretch.
stevepusser
 
Posts: 10126
Joined: 2009-10-06 05:53
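
Added example, not part of any post in this thread or of Debian's tooling: a way to check, after either update path discussed above, which CPU signature the machine has, which microcode revision it is running, and what the kernel reports for the issues in DSA-4279 and DSA-4273. It assumes a kernel that exposes the `l1tf` and `spec_store_bypass` files under /sys/devices/system/cpu/vulnerabilities and a microcode directory laid out as family-model-stepping file names; the function names are made up for this example.

```shell
#!/bin/sh
# Added example. Each function takes its input path as an argument so it can
# be run against saved copies; the defaults are the live kernel files.

# family-model-stepping as two-digit hex, e.g. 06-5e-03. Assumption: this is
# the naming used for the per-CPU files under /lib/firmware/intel-ucode.
cpu_signature() {
    awk -F': *' '
        /^cpu family/    && !f { fam = $2;  f = 1 }
        /^model[ \t]*:/  && !m { mod = $2;  m = 1 }
        /^stepping/      && !s { step = $2; s = 1 }
        END { printf "%02x-%02x-%02x\n", fam, mod, step }
    ' "${1:-/proc/cpuinfo}"
}

# Revision the CPU is running now; compare it before and after the reboot.
microcode_revision() {
    awk -F': *' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Succeeds if an unpacked microcode directory has a file for this CPU.
has_ucode_file() {
    [ -f "${2:-/lib/firmware/intel-ucode}/$(cpu_signature "$1")" ]
}

# Kernel's own verdict for L1TF (DSA-4279) and Spectre v4 / SSBD (DSA-4273).
mitigation_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for v in l1tf spec_store_bypass; do
        if [ -r "$dir/$v" ]; then
            printf '%s: %s\n' "$v" "$(cat "$dir/$v")"
        else
            printf '%s: not reported by this kernel\n' "$v"
        fi
    done
}

# Succeeds while any reported status still starts with "Vulnerable".
still_vulnerable() {
    mitigation_status "$1" | grep -q ': Vulnerable'
}

report() {
    echo "signature: $(cpu_signature)  microcode: $(microcode_revision)"
    mitigation_status
    if still_vulnerable; then echo "=> at least one issue is unmitigated"; fi
}
```

Source the file and call `report` once before and once after rebooting into the updated kernel and microcode; the microcode revision should change and the statuses should read "Mitigation: ..." or "Not affected".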

