intel-microcode-20240312 (waiting for more info)

[Xi Ruoyao]

New release.

Security scores/fixes for

• 6.5 CVE-2023-39368 (denial of service via network access),
• 5.5 CVE-2023-38575 (information disclosure via local access),
• 6.5 CVE-2023-28746 (information disclosure via local access on some Atom processors, and E cores of Alder Lake & Raptor Lake processors),
• 6.1 CVE-2023-22655 (local privilege escalation with SGX or TDX), and
• 5.3 CVE-2023-43490 (information disclosure via local access with SGX). Note that SGX and TDX are unsupported on LFS at all.

[Xi Ruoyao]

I've updated the book at r12.1-108-gd4208d0bc8 but some necessary information for the SA (mainly, the affected CPUs and if a kernel update is needed besides the microcode update) is not disclosed yet. Leaving this open for the SA.

[Xi Ruoyao]

CVE-2023-28746 ("RFDS") fix needs a kernel update.

[Xi Ruoyao]

Replying to Xi Ruoyao:

CVE-2023-28746 ("RFDS") fix needs a kernel update.

And oops, it also affects the E cores of Alder Lake and Raptor Lake.

[Bruce Dubbs]

Updated description format and added initial security scores there.

[Xi Ruoyao]

I'll issue an advisory for RFDS once we update to Linux 6.8.1 (​lfs:#5453). Not sure about others...

[Xi Ruoyao]

SA 12.1-009 for RFDS.

For other vulnerabilities waiting for Intel to release more info.

[Xi Ruoyao]

The affected processor lists are long, thus I'll list them in "models" from lscpu output.

CVE-2023-39368 (INTEL-SA-00972) is affecting models 191, 190, 183 (only stepping 1, and except Xeon E processors), 154 (except Atom processors), 151, 143 (except "Sapphire Rapids Edge Enhanced" processors).

[Xi Ruoyao]

CVE-2023-38575 (INTEL-SA-00982) is affecting models 191, 183 (all), 154, 151, 143 (except "Sapphire Rapids Edge Enhanced" processors).

[Xi Ruoyao]

SA 12.1-017.