Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.4658 linux-5.10 security update 14 August 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: linux-5.10 Publisher: Debian Operating System: Debian GNU/Linux Resolution: Patch/Upgrade CVE Names: CVE-2023-20569 CVE-2022-40982 Original Bulletin: https://lists.debian.org/debian-lts-announce/2023/08/msg00013.html Comment: CVSS (Max): 6.5 CVE-2022-40982 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) CVSS Source: Red Hat, [Intel Corporation] Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3525-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Ben Hutchings August 11, 2023 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : linux-5.10 Version : 5.10.179-5~deb10u1 CVE ID : CVE-2022-40982 CVE-2023-20569 CVE-2022-40982 Daniel Moghimi discovered Gather Data Sampling (GDS), a hardware vulnerability for Intel CPUs which allows unprivileged speculative access to data which was previously stored in vector registers. This mitigation requires updated CPU microcode provided in the intel-microcode package. For details please refer to <https://downfall.page/> and <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html>. CVE-2023-20569 Daniel Trujillo, Johannes Wikner and Kaveh Razavi discovered INCEPTION, also known as Speculative Return Stack Overflow (SRSO), a transient execution attack that leaks arbitrary data on all AMD Zen CPUs. An attacker can mis-train the CPU BTB to predict non- architectural CALL instructions in kernel space and use this to control the speculative target of a subsequent kernel RET, potentially leading to information disclosure via a speculative side-channel. For details please refer to <https://comsec.ethz.ch/research/microarch/inception/> and <https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-7005>. For Debian 10 buster, these problems have been fixed in version 5.10.179-5~deb10u1. We recommend that you upgrade your linux-5.10 packages. For the detailed security status of linux-5.10 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux-5.10 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAmTWbfwACgkQ57/I7JWG EQn5rQ//blE1JIS9UDvWI/HaYLau++RnA6hrojTGRE0xGkB6/5ujujJ/Ka1BrcF0 Yj8rQosRRJaIwJtj8bp8YSJkMME7BT0OrHT6RVestW6x7jLOqQ6ZDjOimpBQ35eN 3hhcOsXSbwZlIVIRhiCkdDLzJK1izVjP+a1dHlOfrkWn4f7WxTvfGtYrvOQgaqMR nARuLVLdlIU9P01snJEVfUDHsGwnC6mcKqg+vxTgwbzTcivuYZK403HybxhyFRaW 8cFDPTLK4Yhvqfl22RNzZFPP3Ao3IHBiCfUcIfmJgStf5udIfVkytC+Wk4rffRXC u+EPiY5h6VKY9bc9yDMpOLXel9keo9xxCbYXMk4d3w4euPy93CQDh5ss0+x2JsLr a69VDE4pHi3dCq+ZCuUOv3guVcgG56Ypvd8nzFx/ZXRXvWB0qURYdDfzKibiGpAy QYzyummXW1lMU5HHUX4Fz7Winwudewl+MavPyubh7emD/bOwjxmIfY4gZfbfOmdd oZcQGYzUseICvlpywSn9veul5tmVkknjAWvPXkUq9rWDNTl7H/svYf1EIC5uzf35 6UxAKTghfbKRvWDKbTT9BUbjXhwZRV3iYqNMX0aB+wpn9hRCaiZ69GNlKOQyNTN4 oHLYNSFVbpgxXnEjpfQkS04CCDjRWydjqEAuOzoBazUv3Co07GI= =1w+2 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBZNmPFMkNZI30y1K9AQhRcA//X7wW5aZHbpnKH3zISU83CDq7cIe3lAxQ wAz5JDCMH13fk3GZlumaMlcEpTQ08hBFu0aq1xIUvfMGnxZYTByvR7LlJe0Lu1YN OVDNgrNvxdVmFusp6JUCFjvc4h/D9sNDklJNCY4J5wjxEn0tCS/xEl0w12DAHCRq 9wUW95Pa7DfaiwHK6oPI3oBfARlX62TOVOdk39c6Q4kFZTYXjKjD7s8di5ICJfE1 Sz8kEdsxoLjwymcczKf0rkVXu5sGbpDR5/DFnXN9YIAptfVPcfMe7NDIR2YU/CoJ l+E3HjHdchYHPKR5y/SEq6/wlFU7pjhGnfYlDv6MS5zESdrKN78y1YUE5MdgE+KI xBMwmpCf014gVIu4/L69GCFUVMsiJ5EnO8r4z0BJDKvVrxdRrTR4ulaMVwj2GXFZ R/OsEGDA7v6iLOMCvAdgm9q3HIcmeD9au2IzI1GwbTwJ7R7ofmfwrogIkK18PLzx cqN/b1UwVFnSRsfHz5Bc5Qe6x5EuwuVCiI9UGWu0lUzFd5+JR2TpNoyiRD23ZmZL 7K5gUaG24GjJaOnuqqhBg4u2B7rHhAzwO1DBeNhcGPLToGTmfJIuYlyx5gyoEDKW psazAr8XHzGCUR1jRKq03UYLIuLbeFxV8MKdZLAzWFaQnwEoSC+DtTvRd7iftV7V QUGZJZL/56I= =wWPY -----END PGP SIGNATURE-----