[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <55f6d350-27e8-45b9-bd45-db225aea436e@citrix.com>
Date: Thu, 14 Nov 2024 02:09:08 +0000
From: Andrew Cooper <andrew.cooper3@...rix.com>
To: alex.murray@...onical.com
Cc: bp@...en8.de, dave.hansen@...ux.intel.com, linux-kernel@...r.kernel.org,
tglx@...utronix.de, x86@...nel.org
Subject: Re: [RFC][PATCH] x86/cpu/bugs: Consider having old Intel microcode to
be a vulnerability
>> == Microcode Revision Discussion == The microcode versions in the
>> table were generated from the Intel microcode git repo: 29f82f7429c
>> ("microcode-20241029 Release")
> This upstream microcode release only contained an update for a
> functional issue[1] - not any fixes for security issues.
Now I can point at them, see the release notes for 8ac9378a8487
("microcode-20241112 Release").
Note how it's admitting to have fixed security issues silently in prior
drops. If I were you, I wouldn't make assumptions based on what's not
said in the release notes.
I can count on one hand the number of drops in that repo which I know
(or reasonably suspect) to be "functional issues only", but the one you
happened to reference is a fix for "this CPU overvolts itself to an
early grave". Many would consider this a denial of service, against
ones wallet if nothing else.
~Andrew
Powered by blists - more mailing lists