Source: amd64-microcode
Version: 3.20250311.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 3.20250311.1~deb12u1

Hi Henrique,

The following vulnerabilities were published for amd64-microcode.

CVE-2024-36350[0]:
| A transient execution vulnerability in some AMD processors may allow
| an attacker to infer data from previous stores, potentially
| resulting in the leakage of privileged information.

CVE-2024-36357[1]:
| A transient execution vulnerability in some AMD processors may allow
| an attacker to infer data in the L1D cache, potentially resulting in
| the leakage of sensitive information across privileged boundaries.

My understanding from the patch levels in amd-ucode/README is that we
are not yet covered by the needed updates on microcode side[2] for
CVE-2024-36350/TSA-SQ and CVE-2024-36357/TSA-L1 in
amd64-microcode/3.20250311.1. Correct?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36350
    https://www.cve.org/CVERecord?id=CVE-2024-36350
[1] https://security-tracker.debian.org/tracker/CVE-2024-36357
    https://www.cve.org/CVERecord?id=CVE-2024-36357
[2] https://www.amd.com/content/dam/amd/en/documents/resources/bulletin/technical-guidance-for-mitigating-transient-scheduler-attacks.pdf
Hi Henrique,

On Thu, Jul 10, 2025 at 09:12:23AM +0200, Salvatore Bonaccorso wrote:
> Source: amd64-microcode
> Version: 3.20250311.1
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> Control: found -1 3.20250311.1~deb12u1
>
> Hi Henrique,
>
> The following vulnerabilities were published for amd64-microcode.
>
> CVE-2024-36350[0]:
> | A transient execution vulnerability in some AMD processors may allow
> | an attacker to infer data from previous stores, potentially
> | resulting in the leakage of privileged information.
>
> CVE-2024-36357[1]:
> | A transient execution vulnerability in some AMD processors may allow
> | an attacker to infer data in the L1D cache, potentially resulting in
> | the leakage of sensitive information across privileged boundaries.
>
> My understanding from the patch levels in amd-ucode/README is that we
> are not yet covered by the needed updates on microcode side[2] for
> CVE-2024-36350/TSA-SQ and CVE-2024-36357/TSA-L1 in
> amd64-microcode/3.20250311.1. Correct?
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-36350
>     https://www.cve.org/CVERecord?id=CVE-2024-36350
> [1] https://security-tracker.debian.org/tracker/CVE-2024-36357
>     https://www.cve.org/CVERecord?id=CVE-2024-36357
> [2] https://www.amd.com/content/dam/amd/en/documents/resources/bulletin/technical-guidance-for-mitigating-transient-scheduler-attacks.pdf
If I am not wrong, those updates might be included in https://gitlab.com/kernel-firmware/linux-firmware/-/commit/331eac9144402d6cfa02ff3b2888a40bb9a7a01a
Is this correct?