MGASA-2021-0140 - Updated microcode package fixes security vulnerabilities

Publication date: 17 Mar 2021
URL: https://advisories.mageia.org/MGASA-2021-0140.html
Type: security
Affected Mageia releases: 7, 8
CVE: CVE-2020-8696,
     CVE-2020-8698

This update adds new microcode updates to mitigate CVE-2020-8696 for Intel
Skylake server (50654) and Cascade Lake Server (50656 & 50657) processors.
The new microcode update mitigates an issue when using an active JTAG agent
like In Target Probe (ITP), Direct Connect Interface (DCI) or a Baseboard
Management Controller (BMC) to take the CPU JTAG/TAP out of reset and then
returning it to reset.

Improper isolation of shared resources in some Intel(R) Processors may
allow an authenticated user to potentially enable information disclosure
via local access (CVE-2020-8698).

Improper removal of sensitive information before storage or transfer in
some Intel(R) Processors may allow an authenticated user to potentially
enable information disclosure via local access (CVE-2020-8696).

References:
- https://bugs.mageia.org/show_bug.cgi?id=28579
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8696
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8698

SRPMS:
- 8/nonfree/microcode-0.20210216-1.mga8.nonfree
- 7/nonfree/microcode-0.20210216-1.mga7.nonfree