linux/intel-microcode security upgrades


#1 Post by sunrat »

There have been security upgrades to linux and intel-microcode this week. Does anyone know if this applies to all Intel processors? The advisory mentions "Common server class CPUs".
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4279-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 20, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2018-3620 CVE-2018-3646

Multiple researchers have discovered a vulnerability in the way the
Intel processor designs have implemented speculative execution of
instructions in combination with handling of page-faults. This flaw
could allow an attacker controlling an unprivileged process to read
memory from arbitrary (non-user controlled) addresses, including from
the kernel and all other processes running on the system or cross
guest/host boundaries to read host memory.

To fully resolve these vulnerabilities it is also necessary to install
updated CPU microcode (only available in Debian non-free). Common server
class CPUs are covered in the update released as DSA 4273-1.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.110-3+deb9u3.
https://www.debian.org/security/2018/dsa-4279
https://www.debian.org/security/2018/dsa-4273
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!


#2 Post by None1975 »

sunrat wrote: There have been security upgrades to linux and intel-microcode this week. Does anyone know if this applies to all Intel processors?
No, not all processors. For example my processor

Intel i7 920 (8) @ 2.7GHz

is not in the list.
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github


#3 Post by stevepusser »

None1975 wrote:
sunrat wrote: There have been security upgrades to linux and intel-microcode this week. Does anyone know if this applies to all Intel processors?
No, not all processors. For example my processor

Intel i7 920 (8) @ 2.7GHz

is not in the list.
Ummmm....that list you linked to is for a microcode update from 2009. I wouldn't expect any newer processors to be on it, either.

The Security Now podcast usually has clear explanations as to what hardware is affected by these new exploits...and transcripts can easily be downloaded and searched from here: https://www.grc.com/securitynow.htm
MX Linux packager and developer


#4 Post by pcalvert »

Freespoke is a new search engine that respects user privacy and does not engage in censorship.


#5 Post by stevepusser »

Basically, all Intel processors from the last decade (or even earlier) use speculative execution, and that's where the exploits have been discovered.

#6 Post by sunrat »

Here's the current list, appears to be for almost all Intel processors. Including my i5 6500, Core2Duo E8500, and Celeron <something> in a netbook. Just had to scroll down on None1975's linked page to "Other Versions".

https://downloadcenter.intel.com/downlo ... -Data-File

#7 Post by 4D696B65 »

Licence issue in the latest microcode
https://bugs.debian.org/cgi-bin/bugrepo ... um=website


#8 Post by Head_on_a_Stick »

For those who need the fixes now, download the Arch intel-ucode package from this link:

https://www.archlinux.org/packages/extr ... /download/

Unpack the tarball and copy the initrd image to /boot:

tar xf intel-ucode-20180807-1-any.pkg.tar.xz
# run the copy as root
cp boot/intel-ucode.img /boot/intel-ucode.img

Now add a custom GRUB boot entry at the end of /etc/grub/40_custom:

menuentry 'Debian ucode' {
    set root 'hdX,Y'
    linux /vmlinuz root=/dev/sdZY ro quiet # add other kernel parameters here
    initrd /boot/intel-ucode.img /initrd.img
}
^ Change the "set root" line so the X is replaced by the hard drive index (where sda is represented by "0", sdb="1", sdc="2", etc) and the Y is the partition number of the root filesystem; remember to run `update-grub` (as root) to generate the entry afterwards.

EDIT: Z=X+1
deadbang


#9 Post by sunrat »

intel-microcode was always non-free.
An upgrade was released on August 16 as linked in my OP. Is that not the current release from Intel?
https://www.debian.org/security/2018/dsa-4273

Debian Security Advisory
DSA-4273-1 intel-microcode -- security update

Date Reported:
16 Aug 2018
Affected Packages:
intel-microcode
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2018-3639, CVE-2018-3640.
More information:

This update ships updated CPU microcode for some types of Intel CPUs and provides SSBD support (needed to address "Spectre v4") and fixes for "Spectre v3a".

For the stable distribution (stretch), these problems have been fixed in version 3.20180703.2~deb9u1.

#10 Post by None1975 »

stevepusser wrote: The Security Now podcast usually has clear explanations as to what hardware is affected by these new exploits...and transcripts can easily be downloaded and searched from here: https://www.grc.com/securitynow.htm
Thank you for the link.

#11 Post by 4D696B65 »

4D696B65 wrote: Licence issue in the latest microcode
https://bugs.debian.org/cgi-bin/bugrepo ... um=website
Licence issue is settled and new microcode is in sid
https://bugs.debian.org/cgi-bin/bugrepo ... website#88


#12 Post by stevepusser »

FWIW, it is safe to manually download and install the Sid deb in Stretch in terms of not making a FrankenDebian, or one could just wait until it's a security update in Stretch.
MX Linux packager and developer
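
One way to answer the thread's opening question on a particular machine, as an added example that is not part of any post above: read the microcode revision the CPU is actually running from /proc/cpuinfo and the kernel's own status for CVE-2018-3620/CVE-2018-3646 (exposed in sysfs as `l1tf`) and CVE-2018-3639 (`spec_store_bypass`). The function names and the sample tree, including its microcode revision, are constructed for illustration.

```shell
#!/bin/sh
# Added example: ROOT is "" on a live system, or a constructed sample tree.
VULN_DIR=sys/devices/system/cpu/vulnerabilities

# Microcode revision the CPU is running (first "microcode" line of cpuinfo).
ucode_rev() {
    rev=$(awk -F': *' '/^microcode/ {print $2; exit}' "$1/proc/cpuinfo" 2>/dev/null) || true
    echo "${rev:-unknown}"
}

# Classify the kernel's own report for one issue. A missing file means the
# running kernel predates the fix and can neither report nor mitigate it.
vuln_state() {
    f="$1/$VULN_DIR/$2"
    [ -r "$f" ] || { echo UNKNOWN; return 0; }
    case "$(cat "$f")" in
        "Not affected"*)    echo NOT_AFFECTED ;;
        *"SMT vulnerable"*) echo PARTIAL ;;     # mitigated, hyper-threading still exposed
        Mitigation*)        echo MITIGATED ;;
        *)                  echo VULNERABLE ;;  # e.g. no SSBD-capable microcode loaded
    esac
}

# One line per advisory item, plus the loaded microcode revision.
report() {
    echo "microcode revision: $(ucode_rev "$1")"
    for pair in "l1tf:CVE-2018-3620,CVE-2018-3646" "spec_store_bypass:CVE-2018-3639"; do
        name=${pair%%:*}; cves=${pair#*:}
        echo "$cves ($name): $(vuln_state "$1" "$name")"
    done
}

# Constructed sample: patched kernel, SMT on, microcode without SSBD support.
make_sample() {
    mkdir -p "$1/proc" "$1/$VULN_DIR"
    printf 'model name\t: Constructed CPU\nmicrocode\t: 0xc6\n' > "$1/proc/cpuinfo"
    echo 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable' \
        > "$1/$VULN_DIR/l1tf"
    echo 'Vulnerable' > "$1/$VULN_DIR/spec_store_bypass"
}

tmp=$(mktemp -d); make_sample "$tmp"; report "$tmp"; rm -rf "$tmp"
# On a real system, call: report ""
```

Run the report before and after installing the updated kernel and intel-microcode packages and rebooting; a changed microcode revision and a `spec_store_bypass` line that moves from VULNERABLE to MITIGATED show that the new microcode was actually loaded.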