1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.DIST

  • Bug#1109035: amd64-microcode: 2024-36350/TSA-SQ and CVE-2024-36357/TSA-

    From Salvatore Bonaccorso@21:1/5 to All on Thu Jul 10 09:20:01 2025
    Source: amd64-microcode
    Version: 3.20250311.1
    Severity: grave
    Tags: security upstream
    X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
    Control: found -1 3.20250311.1~deb12u1

    Hi Henrique,

    The following vulnerabilities were published for amd64-microcode.

    CVE-2024-36350[0]:
    | A transient execution vulnerability in some AMD processors may allow
    | an attacker to infer data from previous stores, potentially
    | resulting in the leakage of privileged information.


    CVE-2024-36357[1]:
    | A transient execution vulnerability in some AMD processors may allow
    | an attacker to infer data in the L1D cache, potentially resulting in
    | the leakage of sensitive information across privileged boundaries.

    My understanding from the patch levels in amd-ucode/README is that we
    are not yet covered by the needed updates on microcode side[2] for CVE-2024-36350/TSA-SQ and CVE-2024-36357/TSA-L1 in amd64-microcode/3.20250311.1. Correct?

    If you fix the vulnerabilities please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2024-36350
    https://www.cve.org/CVERecord?id=CVE-2024-36350
    [1] https://security-tracker.debian.org/tracker/CVE-2024-36357
    https://www.cve.org/CVERecord?id=CVE-2024-36357
    [2] https://www.amd.com/content/dam/amd/en/documents/resources/bulletin/technical-guidance-for-mitigating-transient-scheduler-attacks.pdf

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Salvatore Bonaccorso@21:1/5 to Henrique de Moraes Holschuh on Thu Jul 31 23:30:01 2025
    Hi Henrique,

    On Thu, Jul 31, 2025 at 05:48:49PM -0300, Henrique de Moraes Holschuh wrote:
    Hello Salvatore,

    I will look into it soon, but I am swamped with work so it could
    take a week or two for me to upload anything .

    As far as I know, we cannot update much of the AMD fleet (computers
    that did not get firmware updates to switch to the new microcode
    signature track) anyway, so I will also need to check if this
    changed somehow, etc.

    Thanks for your reply and yes that is absolutely fine. We should in
    any case anyhow follow an up-down stragegy so with focus on unstable.

    At that time then trixie will be released (on 9th of August), and we
    can have a look at trixie and bookworm either via a DSA or the next
    upcoming point releases.

    Thanks for all your hard and tireless work on this complex front :)

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)