[Git][security-tracker-team/security-tracker][master] disassociate one microcode issue from intel-microcode

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Feb 23 13:28:09 GMT 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
508da566 by Moritz Muehlenhoff at 2022-02-23T14:27:22+01:00
disassociate one microcode issue from intel-microcode
one PHP issue n/a for older suites

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -77135,8 +77135,8 @@ CVE-2021-21708
 	{DSA-5082-1}
 	- php8.1 <unfixed>
 	- php7.4 <removed>
-	- php7.3 <removed>
-	- php7.0 <removed>
+	- php7.3 <not-affected> (Vulnerable code introduced in 7.4)
+	- php7.0 <not-affected> (Vulnerable code introduced in 7.4)
 	NOTE: Fixed in 8.1.3, 7.4.28
 	NOTE: PHP Bug: https://bugs.php.net/81708
 CVE-2021-21707 (In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below ...)
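Review bot: the <not-affected> entries for php7.3 and php7.0 rest on the parenthetical "Vulnerable code introduced in 7.4", but no NOTE line for CVE-2021-21708 backs that up; only the fix versions (8.1.3, 7.4.28) and the PHP bug link are recorded. Consider adding a NOTE that points to the upstream change which introduced the code, so the not-affected status can be re-checked later without relying on the parenthetical alone.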
@@ -94132,9 +94132,12 @@ CVE-2021-0148 (Insertion of information into log file in firmware for some Intel
 CVE-2021-0147 (Improper locking in the Power Management Controller (PMC) for some Int ...)
 	NOT-FOR-US: Intel
 CVE-2021-0146 (Hardware allows activation of test or debug logic at runtime for some  ...)
-	- intel-microcode <unfixed>
-	[bullseye] - intel-microcode <postponed> (Wait until exposed in unstable; tendency to point release)
-	[buster] - intel-microcode <postponed> (Wait until exposed in unstable; tendency point release)
+	NOT-FOR-US: Intel CPU microcode
+	NOTE: This vulnerability cannot be fixed via the intel-microcode package since it
+	NOTE: needs to be present before the CPU is even initialised fully:
+	NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/57#issuecomment-1036363145
+	NOTE: As such, updates need to be shipped via board vendors and not tracking it as
+	NOTE: a fixable bug in intel-microcode
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html
 	NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220207
 CVE-2021-0145 (Improper initialization of shared resources in some Intel(R) Processor ...)
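Review bot: the new "NOT-FOR-US: Intel CPU microcode" line labels the issue as microcode, while the NOTE lines directly below say it cannot be fixed via the intel-microcode package and that updates have to come from board vendors. The neighbouring CVE-2021-0147 entry uses plain "NOT-FOR-US: Intel"; a label that matches the explanation would be less confusing. The retained NOTE linking the microcode-20220207 release now follows text saying the package cannot fix the issue, so either say why the link is kept or drop it. The last two added NOTE lines would also read more clearly as "updates need to be shipped via board vendors, so this is not tracked as a fixable bug in intel-microcode".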



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/508da566b416d6ea98860217493548f52452949f
