Bug 1075262

Summary: VUL-0: microcode_ctl,ucode-intel: new Intel microcode with Spectre fixes
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: astieger, bpetkov, fkrueger, hvdheuvel, jcheung, lin.x.wang, meissner, saweber, ursula.brueckner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:released:sle10-sp3:63926 maint:released:oes11-sp2:63936
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Deadline: 2018-01-19

Description Marcus Meissner 2018-01-09 21:30:55 UTC
https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?v=t

version 20180108

of Intel CPU Microcode now available.

we need to refresh

ucode-intel SLE12, openSUSE Leap 42.2, 42.3, openSUSE Tumbleweed

microcode_ctl sle11 sp1, sle11 sp3, sle10 sp3

this obsoletes the CVE tarball override I used I think
Comment 4 Thomas Renninger 2018-01-10 15:11:21 UTC
Besides SLE12, package submissions against SLE11/SLE10:
SUSE:SLE-10-SP3:Update:Test/microcode_ctl
SUSE:SLE-11-SP1:Update/microcode_ctl
SUSE:SLE-11-SP3:Update/microcode_ctl
SUSE:SLE-11:Update/microcode_ctl

should show up as well.
-> Done from my side, handing bug back to security.

Yes, factory is missing, doing this now.
Comment 7 Swamp Workflow Management 2018-01-11 10:26:32 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-01-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63925
Comment 8 Swamp Workflow Management 2018-01-11 14:08:15 UTC
openSUSE-SU-2018:0066-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1075262
CVE References: CVE-2017-5715
Sources used:
openSUSE Leap 42.3 (src):    ucode-intel-20180108-16.1
openSUSE Leap 42.2 (src):    ucode-intel-20180108-7.12.1
Comment 9 Swamp Workflow Management 2018-01-11 17:09:39 UTC
SUSE-SU-2018:0067-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1075262
CVE References: CVE-2017-5715
Sources used:
SUSE OpenStack Cloud 6 (src):    ucode-intel-20180108-13.11.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ucode-intel-20180108-13.11.1
SUSE Linux Enterprise Server 12-SP3 (src):    ucode-intel-20180108-13.11.1
SUSE Linux Enterprise Server 12-SP2 (src):    ucode-intel-20180108-13.11.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ucode-intel-20180108-13.11.1
SUSE Linux Enterprise Server 12-LTSS (src):    ucode-intel-20180108-13.11.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ucode-intel-20180108-13.11.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ucode-intel-20180108-13.11.1
Comment 10 Swamp Workflow Management 2018-01-11 17:10:10 UTC
SUSE-SU-2018:0068-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1075262
CVE References: CVE-2017-5715
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    microcode_ctl-1.17-102.83.9.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    microcode_ctl-1.17-102.83.9.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    microcode_ctl-1.17-102.83.9.1
Comment 11 Swamp Workflow Management 2018-01-12 05:31:50 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-01-19.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63930
Comment 12 Josef Möllers 2018-01-16 12:58:01 UTC
*** Bug 1075299 has been marked as a duplicate of this bug. ***
Comment 13 Frank Krüger 2018-01-19 18:24:50 UTC
(In reply to Swamp Workflow Management from comment #8)
> openSUSE-SU-2018:0066-1: An update that fixes one vulnerability is now
> available.
> 
> Category: security (important)
> Bug References: 1075262
> CVE References: CVE-2017-5715
> Sources used:
> openSUSE Leap 42.3 (src):    ucode-intel-20180108-16.1
> openSUSE Leap 42.2 (src):    ucode-intel-20180108-7.12.1

Update repo for openSUSE Leap 42.3 (http://download.opensuse.org/update/leap/42.3/oss/) currently provides ucode-intel-20170707-10.1.x86_64.rpm. Is this on purpose? Thx.
Comment 14 Marcus Meissner 2018-01-19 19:33:29 UTC
Yes.

We had some customer reports on instabilities caused by these updates, MCE errors and similar.

Also Intel confirms some issues:

https://newsroom.intel.com/news/firmware-updates-and-initial-performance-data-for-data-center-systems/

Until we have more stable firmware, we have retracted it.

We are at the same time working on retpolines, this should hit Leap next week to fix Variant 2 of Spectre.
Comment 15 Frank Krüger 2018-01-19 19:56:19 UTC
(In reply to Marcus Meissner from comment #14)
> Yes.
> 
> We had some customer reports on instabilities caused by these updates, MCE
> errors and similar.
> 
> Also Intel confirms some issues:
> 
> https://newsroom.intel.com/news/firmware-updates-and-initial-performance-data-for-data-center-systems/
> 
> Until we have more stable firmware, we have retracted it.
> 
> We are at the same time working on retpolines, this should hit Leap next
> week to fix Variant 2 of Spectre.

Do you mean minimal generic ASM retpoline through the kernel? Thank you for the clarification and your efforts.
Comment 16 Marcus Meissner 2018-01-19 20:51:06 UTC
The kernel will be built with retpoline support by gcc. Probably not what "minimal" means.
Comment 17 Frank Krüger 2018-03-18 09:37:54 UTC
I am not sure whether this is the right place, but could you please update ucode-intel to version 20180312 for Leap 15.0 as well? Thx.
Comment 18 Andreas Stieger 2018-03-18 10:35:05 UTC
(In reply to Frank Kruger from comment #17)
> I am not sure whether this is the right place, but could you please update
> ucode-intel to version 20180312 for Leap 15.0 as well? Thx.

It will be imported into openSUSE:Leap:15.0/ucode-intel in due time.
Comment 20 Marcus Meissner 2018-05-02 15:30:24 UTC
released
Comment 21 Swamp Workflow Management 2018-07-28 13:27:41 UTC
openSUSE-SU-2018:2119-1: An update that solves 23 vulnerabilities and has 283 fixes is now available.

Category: security (important)
CVE References: CVE-2017-5715,CVE-2017-5753,CVE-2018-1000200,CVE-2018-1000204,CVE-2018-10087,CVE-2018-10124,CVE-2018-10323,CVE-2018-1092,CVE-2018-1093,CVE-2018-1094,CVE-2018-1108,CVE-2018-1118,CVE-2018-1120,CVE-2018-1130,CVE-2018-12233,CVE-2018-13053,CVE-2018-13405,CVE-2018-13406,CVE-2018-5803,CVE-2018-5848,CVE-2018-7492,CVE-2018-8781,CVE-2018-9385
Sources used:
openSUSE Leap 15.0 (src):    kernel-debug-4.12.14-lp150.12.7.1, kernel-default-4.12.14-lp150.12.7.1, kernel-docs-4.12.14-lp150.12.7.1, kernel-kvmsmall-4.12.14-lp150.12.7.1, kernel-obs-build-4.12.14-lp150.12.7.1, kernel-obs-qa-4.12.14-lp150.12.7.1, kernel-source-4.12.14-lp150.12.7.1, kernel-syms-4.12.14-lp150.12.7.1, kernel-vanilla-4.12.14-lp150.12.7.1