-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2057
                      intel-microcode security update
                               15 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           intel-microcode
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-0549 CVE-2020-0548 CVE-2020-0543

Reference:         ESB-2020.2048
                   ESB-2020.2039
                   ESB-2020.2018
                   ESB-2020.2005

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2248

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : intel-microcode
Version        : 3.20200609.2~deb8u1
CVE ID         : CVE-2020-0543 CVE-2020-0548 CVE-2020-0549


The following CVE(s) were reported against src:intel-microcode.

CVE-2020-0543

    A new domain bypass transient execution attack known as Special
    Register Buffer Data Sampling (SRBDS) has been found. This flaw
    allows data values from special internal registers to be leaked
    by an attacker able to execute code on any core of the CPU. An
    unprivileged, local attacker can use this flaw to infer values
    returned by affected instructions known to be commonly used
    during cryptographic operations that rely on uniqueness, secrecy,
    or both.

CVE-2020-0548

    A flaw was found in Intel processors where a local attacker is
    able to gain information about registers used for vector
    calculations by observing register states from other processes
    running on the system. This results in a race condition where
    store buffers, which were not cleared, could be read by another
    process or a CPU sibling. The highest threat from this
    vulnerability is data confidentiality where an attacker could
    read arbitrary data as it passes through the processor.

CVE-2020-0549

    A microarchitectural timing flaw was found on some Intel
    processors. A corner case exists where data in-flight during the
    eviction process can end up in the “fill buffers” and not properly
    cleared by the MDS mitigations. The fill buffer contents (which
    were expected to be blank) can be inferred using MDS or TAA style
    attack methods to allow a local attacker to infer fill buffer
    values.

For Debian 8 "Jessie", these problems have been fixed in version
3.20200609.2~deb8u1.

We recommend that you upgrade your intel-microcode packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Best,
Utkarsh
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl7k8OUACgkQgj6WdgbD
S5Y7mw//QpSny0v3MhSFem+X6FKRFQ4TQgzlEp7pE0KJgp8Xnpd5K/iQLhgGLWLh
jQqp8Hx55N4GwL/p0nB40ARMbKDahMVxi4aty2o72hYho1TF1xQyMXGNzYjadw0J
bWsZF4N6XvUG35i5Ai0o3rvEHEBH5K2tB3eLP9esXGF0py8okXS2598ta17fTvq4
ES99Kh6x+AP6WNfKS92Z01KRcZ7P8cXZ8nnojhl7Z7hvpBqMtrJ+c/MyTMHjjnPz
8bueR8PK4FMk08Xokq7aBD2N3Aw1HZVr9smiOto1XTXd+P0pV9OnLo9KFvD8r+HQ
4VlCFcdJEaTHwk6UrkGvFp936e9KUzwscmr/CCuEb2lZHcKAaH4a/ujWKGrPyZLE
xXdib4TKF/qE0JgPqS+F0KtM0ucHcfDegEgDtNBha9/rLjAg99KN3cT4QU/Pjfpz
GQpmvrdbeJUhjiADMIdP24PwWC6ze6FRjgCIbA39eaNUYOuolvdC2lj7mPWFMHXI
nbxMcrGhcNzxrAdg4R9wIr/3j8k0xwZy8GOrHLq/mO3lwXO1w4R/aic6HsUgdLyS
y7fsbTakq7IQI/8sTvGOhxkW5wFGcvjbvzaYtZAcfngo+FaTVY2CYFhji6+B6eY1
G3ZPdVBraeXQBGUZ8pS19abw9LOV0qVVA0pSS1zRnLrAJ/6ZGAA=
=cqVo
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXua46+NLKJtyKPYoAQjroBAAlQcE8xlNDVEMmLg4AnqtLvzA+dwjLT/I
Aqo9SqJ9pGw1/MVvHd8tf1E4ypzva0166mlVRY2nGBO9Zc9Q6FWWjuWZQprX8At0
Sif7hw0vtJtw9045d++bjyW3vRFnFjW8avbd+AWC+HDJg4km7nt4xpmBz6U8Ji9y
aQwuyUoVJCsTLfLnTxckr32pkYFjlwwpt5gPLmfLTGE7MnYdStdgL7Xn8A6bAYzf
jOV2j/4Rspkb+M1Haa2k+AncwCtYDKJY6czOiDcL0xnslMcVyRd30D7AZkK7Y1U5
nJ/HraQJjf/mKpLfcCDQxskxCld/geUxF0TmNfpRBV5Hcbm38T/PT+KbRcW7oRXX
XUrG0IvNmncdp9yFk0iM3Bz9vz0ejQPuvu1I756fDiFDz4uVscZUfM+Zk0U0mBt7
MSG2bsnJZvGWpfUiH6xqjrU3JPWf4qw4G5NDeUM1MnkCmtslr3yHVu0s00RzJBoS
88ax1l7aNHyCgFVXgWuBWZEwmgg/OCEx48ouso8Kn7nP7z83sUtlXiJNaCNunPhl
g/seYRZ4F8EIDptRbRYGTYHgg1YNS1yWAQgRi5I3VomJdeE1A+pfEGgHiJnYHwY0
BzzwqO5w1anTuv4YHAQ5KhxP2jx95qOv3Ec2DOZtE3p5ALsFXD1jO78ir7FlA4C3
etf+jHXLaq8=
=GoRT
-----END PGP SIGNATURE-----