lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <55f6d350-27e8-45b9-bd45-db225aea436e@citrix.com>
Date: Thu, 14 Nov 2024 02:09:08 +0000
From: Andrew Cooper <andrew.cooper3@...rix.com>
To: alex.murray@...onical.com
Cc: bp@...en8.de, dave.hansen@...ux.intel.com, linux-kernel@...r.kernel.org,
 tglx@...utronix.de, x86@...nel.org
Subject: Re: [RFC][PATCH] x86/cpu/bugs: Consider having old Intel microcode to
 be a vulnerability

>> == Microcode Revision Discussion == The microcode versions in the
>> table were generated from the Intel microcode git repo: 29f82f7429c
>> ("microcode-20241029 Release")
> This upstream microcode release only contained an update for a
> functional issue[1] - not any fixes for security issues.

Now I can point at them, see the release notes for 8ac9378a8487
("microcode-20241112 Release").

Note how it's admitting to have fixed security issues silently in prior
drops.  If I were you, I wouldn't make assumptions based on what's not
said in the release notes.

I can count on one hand the number of drops in that repo which I know
(or reasonably suspect) to be "functional issues only", but the one you
happened to reference is a fix for "this CPU overvolts itself to an
early grave".  Many would consider this a denial of service, against
ones wallet if nothing else.

~Andrew

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ