Get:1 http://changelogs.ubuntu.com amd64-microcode 2.20160316.1 Changelog [9680 B] amd64-microcode (2.20160316.1) unstable; urgency=critical * Upstream release 20160316 built from linux-firmware: + Updated Microcodes: sig 0x00600f20, patch id 0x0600084f, 2016-01-25 + This microcode updates fixes a critical erratum on NMI handling introduced by microcode patch id 0x6000832 from the 20141028 update. The erratum is also present on microcode patch id 0x6000836. + THIS IS A CRITICAL STABILITY AND SECURITY UPDATE FOR THE EARLIER AMD PILEDRIVER PROCESSORS, including: + AMD Opteron 3300, 4300, 6300 + AMD FX "Vishera" (43xx, 63xx, 83xx, 93xx, 95xx) + AMD processors with family 21, model 2, stepping 0 * Robert Święcki, while fuzzing the kernel using the syzkaller tool, uncovered very strange behavior on an AMD FX-8320, later reproduced on other AMD Piledriver model 2, stepping 0 processors including the Opteron 6300. Robert discovered, using his proof-of-concept exploit code, that the incorrect behavior allows an unpriviledged attacker on an unpriviledged VM to corrupt the return stack of the host kernel's NMI handler. At best, this results in unpredictable host behavior. At worst, it allows for an unpriviledged user on unpriviledged VM to carry a sucessful host-kernel ring 0 code injection attack. * The erratum is timing-dependant, easily triggered by workloads that cause a high number of NMIs, such as running the "perf" tool. -- Henrique de Moraes Holschuh Sat, 19 Mar 2016 14:02:44 -0300 amd64-microcode (2.20141028.1) unstable; urgency=medium * Upstream release 20141028 built from linux-firmware: + Updated microcode patches for family 0x15 processors + Added microcode patches for family 0x16 processors * AMD did not update the relevant microcode documentation (errata fixed, microcode patch levels, etc), so there is no documentation for the family 0x16 microcode patches, and the documentation for family 0x15 is stale. * postinst: do not update microcode on upgrades: Remove code that triggers a microcode update on package upgrade. The resulting postinst script is now identical to the one in Debian jessie's intel-microcode, and thus known-good. NOTE: this code was already disabled for the majority of the users due to Debian bug #723975 (closes: #723975, #723081) * kpreinst: remove, we don't update microcode on postinst anymore * blacklist automated loading of the microcode module: This is in line with the desired behavior of only updating microcode *automatically* during system boot, when it is safer to do so. The local admin can still load the microcode module and update the microcode manually at any time, of course. This is in sync with the intel-microcode packages in Debian jessie, which will also blacklist the microcode module. Note that the initramfs will force-load the microcode module in a safe condition, the blacklist avoids module autoloading outside the initramfs * control: bump standards version (no changes required) * copyright: update upstream URL and upstream copyright date (closes: #753593) * docs: future-proof by using a glob pattern for per-family README files * initramfs hook: support forced installation of amd64-microcode: Add a config file (/etc/default/amd64-microcode) to select the mode of operation: do nothing, force install to initramfs, install only when running on an amd64 processor (closes: #726854) * initramfs hook: fix (likely unexploitable) issues found by shellcheck * Add a NEWS.Debian file to warn users we will no longer update the microcode on package upgrade (note that we were not doing it on any Debian kernels anyway). Also document the existence of the new /etc/default/amd64-microcode file -- Henrique de Moraes Holschuh Thu, 18 Dec 2014 13:36:27 -0200 amd64-microcode (2.20131007.1+really20130710.1) unstable; urgency=low * Fix M-D-Y issue that leaked to the package version number * The real upstream release date is 2013-07-10 -- Henrique de Moraes Holschuh Sat, 07 Sep 2013 22:22:00 -0300 amd64-microcode (2.20131007.1) unstable; urgency=low * New upstream release, received through linux-firmware and LKML + updated microcode: sig 0x00500F10, id 0x05000029: erratum (+) 784; sig 0x00500F20, id 0x05000119: erratum (+) 784; sig 0x00600F12, id 0x0600063D: errata (-) 668, (+) 759, 778; + new microcode: sig 0x00200F31, id 0x02000032: errata 311, 316; sig 0x00600F20, id 0x06000822: errata 691, 699, 704, 708, 709, 734, 740, 778; + This update fixes important processor bugs that cause data corruption or unpredictable system behaviour. It also fixes a performance issue and several issues that cause system lockup. * Switch to native package, since there is no upstream tarball -- Henrique de Moraes Holschuh Sat, 07 Sep 2013 15:22:09 -0300 amd64-microcode (2.20120910-1) unstable; urgency=high * debian/control: update Breaks for new intel-microcode version scheme * Bump major version number, this will allow us to also update the stable branch of amd64-microcode in the future without clashing with the stable branch of intel-microcode. The real issue is that amd64-microcode 1.20120910-3 and intel-microcode 1.20130222.6 have changed (in lockstep) to a different initramfs cooperation protocol, but I failed to bump the major version at that time * Urgency high to avoid delaying a series of high-priority intel-microcode updates being done at the moment: we need this version in testing before I can upload stable backports of intel-microcode or amd64-microcode -- Henrique de Moraes Holschuh Sun, 18 Aug 2013 16:19:42 -0300 amd64-microcode (1.20120910-3) unstable; urgency=low * control: remove homepage and update standards-version * initramfs: update copyright information * initramfs, postinst: don't do anything on non-AMD systems (Closes: #715518) * initramfs, postinst: blacklist several kernel versions (Closes: #717185) * control: add breaks: intel-microcode (<< 1.20130222.6~) * load microcode module on package install/upgrade -- Henrique de Moraes Holschuh Sat, 20 Jul 2013 12:45:04 -0300 amd64-microcode (1.20120910-2) unstable; urgency=medium * initramfs: work around initramfs-tools bug #688794. Use "_" in place of "+-." for the initramfs script name. This works around a PANIC during boot when the initramfs was created in a system with noexec $TMPDIR. -- Henrique de Moraes Holschuh Tue, 09 Oct 2012 08:18:01 -0300 amd64-microcode (1.20120910-1) unstable; urgency=medium * AMD microcode release 20120910 + updated microcode: sig 0x00600F12, id 0x06000629: errata (+) 691, 709, 740; + new microcode: sig 0x00610F01, id 0x06001119: errata 671, 686, 697, 698, 699, 704, 709, 734, 740; + This update adds critical errata fixes for commonly used features. The hit probability of these errata is unknown to the Debian maintainer. * README.Debian: mention module-init-tools, not just kmod. This is useful when backporting to Debian Squeeze * debian/control: add Vcs-* fields -- Henrique de Moraes Holschuh Fri, 14 Sep 2012 15:39:37 -0300 amd64-microcode (1.20120117-2) unstable; urgency=low * debian/control: priority of this package should be standard, not extra. All AMD-based X86 boxes should install this package * debian/control: update package description -- Henrique de Moraes Holschuh Mon, 09 Jul 2012 21:50:35 -0300 amd64-microcode (1.20120117-1) unstable; urgency=low * Update ABI (first component of package version) to 1, to match the ABI of intel-microcode packages with /lib/firmware support * Update online processor cores and the initramfs image on package upgrade and the initramfs on package removal * Install initramfs-tools helpers to handle boot-time microcode updates * README.Debian: describe supported mod/built-in configs -- Henrique de Moraes Holschuh Mon, 09 Jul 2012 19:31:47 -0300 amd64-microcode (0.20120117-1) unstable; urgency=medium * AMD microcode release 20120117: sig 0x00100F22, id 0x01000083: errata 244, 260, 280, 302, 308, 315, 342; sig 0x00100F23, id 0x01000083: errata 244, 260, 280, 302, 308, 315, 342; sig 0x00100F2A, id 0x01000084: errata 244, 260, 280, 302, 308, 315, 342; sig 0x00100F42, id 0x010000DB: errata 342, 440, 573; sig 0x00100F43, id 0x010000C8: errata 407, 440; sig 0x00100F52, id 0x010000DB: errata 342, 440, 573; sig 0x00100F53, id 0x010000C8: errata 407, 440; sig 0x00100F62, id 0x010000C7: errata 407, 440; sig 0x00100F63, id 0x010000C8: errata 407, 440; sig 0x00100F80, id 0x010000DA: errata 419, 440, 573; sig 0x00100F81, id 0x010000D9: errata 406, 407, 440, 573, 669; sig 0x00100F91, id 0x010000D9: errata 406, 407, 440, 573, 669; sig 0x00100FA0, id 0x010000DC: errata 438, 440, 573; sig 0x00300F10, id 0x03000027: errata 564, 573, 662, 686; sig 0x00500F10, id 0x05000028: errata 461, 564, 594, 595; sig 0x00500F20, id 0x0500010D: errata 461, 564, 594, 639, 662, 686; sig 0x00600F12, id 0x06000624: errata 659, 660, 661, 668, 671, 672, 673; * Initial upload to Debian, urgency medium because we need this in Wheezy to properly support AMD processors. Closes: #676921. -- Henrique de Moraes Holschuh Sun, 10 Jun 2012 12:22:01 -0300 Fetched 9680 B in 0s (14.8 kB/s)