------------------------------------------------------------------------- Debian LTS Advisory DLA-3511-1 [email protected] https://www.debian.org/lts/security/ Jochen Sprickerhof July 31, 2023 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : amd64-microcode Version : 3.20230719.1+deb10u1 CVE ID : CVE-2023-20593 Debian Bug : 1041863 Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in "Zen 2" CPUs may not be written to 0 correctly. This flaw allows an attacker to leak register contents across concurrent processes, hyper threads and virtualized guests. For details please refer to https://lock.cmpxchg8b.com/zenbleed.html https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8 The initial microcode release by AMD only provides updates for second generation EPYC CPUs: Various Ryzen CPUs are also affected, but no updates are available yet. Fixes will be provided in a later update once they are released. For more specific details and target dates please refer to the AMD advisory at https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html For Debian 10 buster, this problem has been fixed in version 3.20230719.1+deb10u1. Additionally the update contains a fix for CVE-2019-9836. We recommend that you upgrade your amd64-microcode packages. For the detailed security status of amd64-microcode please refer to its security tracker page at: https://security-tracker.debian.org/tracker/amd64-microcode Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Debian LTS: DLA-3511-1: amd64-microcode security update
July 31, 2023
Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in "Zen 2" CPUs may not be written to 0 correctly
Summary
For details please refer to
https://lock.cmpxchg8b.com/zenbleed.html
https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8
The initial microcode release by AMD only provides updates for second
generation EPYC CPUs: Various Ryzen CPUs are also affected, but no
updates are available yet. Fixes will be provided in a later update once
they are released.
For more specific details and target dates please refer to the AMD
advisory at
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html
For Debian 10 buster, this problem has been fixed in version
3.20230719.1+deb10u1. Additionally the update contains a fix
for CVE-2019-9836.
We recommend that you upgrade your amd64-microcode packages.
For the detailed security status of amd64-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/amd64-microcode
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Severity
Package : amd64-microcode
Version : 3.20230719.1+deb10u1
CVE ID : CVE-2023-20593
Debian Bug : 1041863
News
HOWTOs
Features
About Us
Powered By
