
Debian GNU/Linux has received two security updates: [DLA 4002-1] intel-microcode security update for Debian 11 (Bullseye) LTS and ELA-1276-1 intel-microcode security update for Debian 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS





[SECURITY] [DLA 4002-1] intel-microcode security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4002-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
December 23, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : intel-microcode
Version : 3.20241112.1~deb11u1
CVE ID : CVE-2024-23918 CVE-2024-21853 CVE-2024-21820 CVE-2024-23984
Debian Bug : 1087532

A microcode update has been released for Intel processors, addressing multiple
vulnerabilities which potentially could cause local privilege escalation or
local DoS.

CVE-2024-23918

Improper conditions check in some Intel(R) Xeon(R) processor memory controller
configurations when using Intel(R) SGX may allow a privileged user to
potentially enable escalation of privilege via local access. (INTEL-SA-01079)

CVE-2024-21853

Improper finite state machines (FSMs) in the hardware logic in some 4th and 5th
Generation Intel(R) Xeon(R) Processors may allow an authorized user to
potentially enable denial of service via local access. (INTEL-SA-01101)

CVE-2024-21820

Incorrect default permissions in some Intel(R) Xeon(R) processor memory
controller configurations when using Intel(R) SGX may allow a privileged user
to potentially enable escalation of privilege via local access.
(INTEL-SA-01079)

CVE-2024-23984 (already addressed in a previous upload, this upload adds more processor models.)

Observable discrepancy in RAPL interface for some Intel(R) Processors may allow
a privileged user to potentially enable information disclosure via local
access.

For Debian 11 bullseye, this problem has been fixed in version
3.20241112.1~deb11u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1276-1 intel-microcode security update

Package : intel-microcode
Version : 3.20241112.1~deb8u1 (jessie), 3.20241112.1~deb9u1 (stretch), 3.20241112.1~deb10u1 (buster)

Related CVEs :
CVE-2024-21820
CVE-2024-21853
CVE-2024-23918
CVE-2024-23984

A microcode update has been released for Intel processors, addressing multiple
vulnerabilities which potentially could cause local privilege escalation or
local DoS.

CVE-2024-21820
Incorrect default permissions in some Intel(R) Xeon(R) processor memory
controller configurations when using Intel(R) SGX may allow a privileged user
to potentially enable escalation of privilege via local access.
(INTEL-SA-01079)

CVE-2024-21853
Improper finite state machines (FSMs) in the hardware logic in some 4th and 5th
Generation Intel(R) Xeon(R) Processors may allow an authorized user to
potentially enable denial of service via local access. (INTEL-SA-01101)

CVE-2024-23918
Improper conditions check in some Intel(R) Xeon(R) processor memory controller
configurations when using Intel(R) SGX may allow a privileged user to
potentially enable escalation of privilege via local access. (INTEL-SA-01079)

CVE-2024-23984 (already addressed in a previous upload, this upload adds more processor models.)
Observable discrepancy in RAPL interface for some Intel(R) Processors may allow
a privileged user to potentially enable information disclosure via local
access.
