[Bug 1977701] Re: Update to latest upstream release 20220510 / IPU 2022.1 to fix multiple security vulnerabilities

[Alex Murray]

FYI to clarify - these were tested by enabling -proposed as per
https://wiki.ubuntu.com/Testing/EnableProposed

# enable proposed so we can install intel-microcode from there
# https://wiki.ubuntu.com/Testing/EnableProposed

cat <<EOF | sudo tee /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

cat <<EOF | sudo tee /etc/apt/preferences.d/proposed-updates
# Configure apt to allow selective installs of packages from proposed
Package: *
Pin: release a=$(lsb_release -cs)-proposed
Pin-Priority: 400
EOF

sudo apt update


Then installed as:

sudo apt install intel-microcode/$(lsb_release -cs)-proposed

And rebooted to test the machine boots correctly.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to intel-microcode in Ubuntu.
https://bugs.launchpad.net/bugs/1977701

Title:
  Update to latest upstream release 20220510 / IPU 2022.1 to fix
  multiple security vulnerabilities

Status in intel-microcode package in Ubuntu:
  New
Status in intel-microcode source package in Bionic:
  Fix Committed
Status in intel-microcode source package in Focal:
  Fix Committed
Status in intel-microcode source package in Impish:
  Fix Committed
Status in intel-microcode source package in Jammy:
  Fix Committed

Bug description:
  [Impact]

   * Users are vulnerable to multiple security issues, including MMIO
  stale data
  (https://www.intel.com/content/www/us/en/developer/articles/technical/software-
  security-guidance/advisory-guidance/processor-mmio-stale-data-
  vulnerabilities.html)
  (https://www.intel.com/content/www/us/en/security-
  center/advisory/intel-sa-00615.html)

   * Normally the security team would release updates direct to the
  -security pocket but since the associated kernels are being published
  via -updates *and* to allow phased updates to be used, it is preferred
  to publish these via -updates first, then they can be synced to
  -security once fully phased.

  [Test Plan]

   * install the updated intel-microcode packages and reboot the system

  [Where problems could occur]

   * Historically there have been issues where intel-microcode updates
  resulted in machines that fail to boot. This has usually been the case
  when a machine is using an old BIOS and the microcode which is loaded
  in early boot is much newer. Intel have increased their own internal
  testing to try and ensure this is detected before releasing to
  production.

  Also these updates have now been in -proposed for over a week without
  any mention of issues *plus* they have been tested extensively via
  testflinger on the Canonical certification lab's suite of machines
  too.

  Finally, in this unlikely case, users can boot via the '(recovery
  mode)' menu entries in grub which disables early microcode loading
  from the initrd to workaround this and then rollback the microcode
  update directly.

  [Other Info]
   
  Intel released version 20220510 / IPU 2022.1 earlier in May to address multiple vulnerabilities, including:

      - CVE-2022-21151, INTEL-SA-00617
      - CVE-2021-0146,  INTEL-SA-00528
      - CVE-2021-0127,  INTEL-SA-00532

  This version is already packaged in Ubuntu 22.10 (kinetic).

  Earlier today Intel disclosed another set of vulnerabilities (MMIO
  stale data) which are also fixed by these updates.

  
  Whilst this is a security update, to allow for increased testing before being more widely deployed the Ubuntu Security team are wishing to publish this first via -proposed and then to -updates so they can be phased along with the associated kernel updates for MMIO stale data as well.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1977701/+subscriptions