[ubuntu/plucky-proposed] amd64-microcode 3.20240820.1ubuntu1 (Accepted)
Simon Quigley
tsimonq2 at ubuntu.com
Thu Nov 21 21:22:12 UTC 2024
amd64-microcode (3.20240820.1ubuntu1) plucky; urgency=medium

  * Merge from Debian Unstable. Remaining changes:
    - initramfs-tools hook (debian/initramfs.hook):
      + Default to 'early' instead of 'auto' when building with
        MODULES=most
      + Do not override preset defaults from auto-exported conf
        snippets loaded by initramfs-tools.

amd64-microcode (3.20240820.1) unstable; urgency=high

  * Update package data from linux-firmware 20240820
  * New AMD-SEV firmware from AMD upstream (20240820)
    + Updated SEV firmware:
      Family 17h models 30h-3fh: version 0.24 build 20
      Family 19h models 00h-0fh: version 1.55 build 21
      Family 19h models 10h-1fh: version 1.55 build 37
    + New SEV firmware:
      Family 19h models a0h-afh: version 1.55 build 37
  * SECURITY UPDATE (AMD-SB-3003):
    * Mitigates CVE-2023-20584: IOMMU improperly handles certain special
      address ranges with invalid device table entries (DTEs), which may allow
      an attacker with privileges and a compromised Hypervisor to induce DTE
      faults to bypass RMP checks in SEV-SNP, potentially leading to a loss of
      guest integrity.
    * Mitigates CVE-2023-31356: Incomplete system memory cleanup in SEV
      firmware could allow a privileged attacker to corrupt guest private
      memory, potentially resulting in a loss of data integrity.

amd64-microcode (3.20240710.2) unstable; urgency=high

  * postrm: activate the update-initramfs dpkg trigger on remove/purge
    instead of always executing update-initramfs directly, just like it
    was done for postinst in 3.20240710.1: call update-initramfs directly
    only if the dpkg-trigger activation call fails.

amd64-microcode (3.20240710.1) unstable; urgency=high

  * Update package data from linux-firmware 20240709-141-g59460076
    (closes: #1076128)
  * SECURITY UPDATE: Mitigates "Sinkclose" CVE-2023-31315 (AMD-SB-7014) on
    AMD Epyc processors: SMM lock bypass - Improper validation in a model
    specific register (MSR) could allow a malicious program with ring 0
    access (kernel) to modify SMM configuration while SMI lock is enabled,
    potentially leading to arbitrary code execution.
    Note: a firmware update is recommended for AMD Epyc (to protect the
    system as early as possible). Many other AMD processor models are
    also vulnerable to SinkClose, and can only be fixed by a firmware
    update at this time.
  * Updated Microcode patches:
    + Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126f
    + Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107c
    + Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a00107a
    + Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101248
    + Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00215
    + Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001238
    + Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101148
    + Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d5
  * README.Debian: "late" microcode updates are unsupported in Debian
    (closes: #1074514)
  * postinst: use dpkg-trigger to activate update-initramfs, this enables
    dracut integration (closes: #1000193)

Date: Thu, 21 Nov 2024 15:20:49 -0600
Changed-By: Simon Quigley <tsimonq2 at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/amd64-microcode/3.20240820.1ubuntu1
-------------- next part --------------
Format: 1.8
Date: Thu, 21 Nov 2024 15:20:49 -0600
Source: amd64-microcode
Built-For-Profiles: noudeb
Architecture: source
Version: 3.20240820.1ubuntu1
Distribution: plucky
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Simon Quigley <tsimonq2 at ubuntu.com>
Closes: 1000193 1074514 1076128
Original-Maintainer: Henrique de Moraes Holschuh <hmh at debian.org>
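
An added example (not part of the announcement or of the package): a check of a host's running microcode revision against the patch levels listed in the 3.20240710.1 changelog entry. It assumes the Linux /proc/cpuinfo field names `cpu family`, `model`, `stepping` and `microcode`, and that a running revision greater than or equal to the listed patch level means the update is loaded; the function names are illustrative and SAMPLE is constructed. SEV firmware versions are not covered by this check.

```python
import re

# (family, model, stepping) -> patch level, from the 3.20240710.1 changelog entry.
CHANGELOG_PATCHES = {
    (0x17, 0x01, 0x02): 0x0800126F, (0x17, 0x31, 0x00): 0x0830107C,
    (0x19, 0x01, 0x00): 0x0A00107A, (0x19, 0x11, 0x02): 0x0A101248,
    (0x19, 0xA0, 0x02): 0x0AA00215, (0x19, 0x01, 0x02): 0x0A001238,
    (0x19, 0x11, 0x01): 0x0A101148, (0x19, 0x01, 0x01): 0x0A0011D5,
}
FIELDS = ("cpu family", "model", "stepping", "microcode")

# Constructed sample in /proc/cpuinfo layout (not from a real host).
SAMPLE = (
    "processor\t: 0\ncpu family\t: 25\nmodel\t\t: 1\nmodel name\t: sample\n"
    "stepping\t: 1\nmicrocode\t: 0xa0011d1\n\n"
    "processor\t: 1\ncpu family\t: 23\nmodel\t\t: 49\nmodel name\t: sample\n"
    "stepping\t: 0\nmicrocode\t: 0x830107c\n"
)


def parse_cpuinfo(text):
    """Yield the four FIELDS as integers for each logical CPU block."""
    for block in re.split(r"\n\s*\n", text.strip()):
        cpu = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip() in FIELDS:
                cpu[key.strip()] = int(value.strip(), 0)  # decimal or 0x hex
        if len(cpu) == len(FIELDS):
            yield cpu


def check(text, table=CHANGELOG_PATCHES):
    """Map each CPU signature to 'ok', 'outdated' or 'not-listed'."""
    result = {}
    for cpu in parse_cpuinfo(text):
        sig = (cpu["cpu family"], cpu["model"], cpu["stepping"])
        wanted = table.get(sig)
        status = ("not-listed" if wanted is None else
                  "ok" if cpu["microcode"] >= wanted else "outdated")
        # Cores can disagree after a partial update: keep the worst status.
        if result.get(sig) != "outdated":
            result[sig] = status
    return result


if __name__ == "__main__":
    with open("/proc/cpuinfo") as f:
        for sig, status in check(f.read()).items():
            print("family=%#x model=%#x stepping=%#x: %s" % (*sig, status))
```

A `not-listed` result only means the signature is absent from this changelog entry's list; it says nothing about whether that CPU needs a firmware update.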