• Bug#1105172: intel-microcode: CVE-2024-28956 CVE-2025-24495 CVE-2025-20

    From Salvatore Bonaccorso@21:1/5 to All on Mon May 12 21:30:01 2025
    Source: intel-microcode
    Version: 3.20250211.1
    Severity: grave
    Tags: upstream security
    Justification: user security hole
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerabilities were published for intel-microcode.

    Henrique, choosing RC but feel free to downgrade if you do not agree.
    There are two, INTEL-SA-01244 and INTEL-SA-01247, which are not yet
    published.

    CVE-2024-28956[0]:
    | x86: Indirect Target Selection


    CVE-2025-24495[1]:
    | INTEL-SA-01322


    CVE-2025-20012[2]:
    | INTEL-SA-01322


    If you fix the vulnerabilities please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2024-28956
    https://www.cve.org/CVERecord?id=CVE-2024-28956
    [1] https://security-tracker.debian.org/tracker/CVE-2025-24495
    https://www.cve.org/CVERecord?id=CVE-2025-24495
    [2] https://security-tracker.debian.org/tracker/CVE-2025-20012
    https://www.cve.org/CVERecord?id=CVE-2025-20012
    [3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250512

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Debian Bug Tracking System@21:1/5 to All on Sat May 17 15:30:01 2025

    Your message dated Sat, 17 May 2025 13:19:00 +0000
    with message-id <E1uGHRM-00BbMe-0E@fasolo.debian.org>
    and subject line Bug#1105172: fixed in intel-microcode 3.20250512.1
    has caused the Debian Bug report #1105172,
    regarding intel-microcode: CVE-2024-28956 CVE-2025-24495 CVE-2025-20012 CVE-2024-43420 CVE-2025-20623 CVE-2024-45332 CVE-2025-20103 CVE-2025-20054
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1105172: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105172
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Henrique de Moraes Holschuh@21:1/5 to Niels Hendriks on Sat May 24 17:10:01 2025

    On Fri, May 23, 2025, at 06:45, Niels Hendriks wrote:
    > I hope this is the correct place to ask this..!
    > I have been F5-ing the CVE page ( https://security-tracker.debian.org/tracker/CVE-2024-45332 ) for a week now since this seemed a very serious vulnerability.

    It is available, and it looks like it happened a few hours after you sent your message. Delay reasons were, as far as I know, testing the microcode and kernel update, and a minor issue with the kernel update.

    For the record: bookworm will remain listed as vulnerable in the security tracker until the next point release. It is listed as fixed in bookworm-security, which will be folded into the base distro at the next point release.

    Systems update from both the base repository as well as its security repository by default.

    --
    Henrique de Moraes Holschuh <hmh@debian.org>

  • From Debian Bug Tracking System@21:1/5 to All on Sun May 25 20:40:04 2025

    Your message dated Sun, 25 May 2025 18:32:08 +0000
    with message-id <E1uJG8m-005Bco-NS@fasolo.debian.org>
    and subject line Bug#1105172: fixed in intel-microcode 3.20250512.1~deb12u1
    has caused the Debian Bug report #1105172,
    regarding intel-microcode: CVE-2024-28956 CVE-2025-24495 CVE-2025-20012 CVE-2024-43420 CVE-2025-20623 CVE-2024-45332 CVE-2025-20103 CVE-2025-20054
    to be marked as done.