Bug#1078742: intel-microcode: CVE-2024-25939 CVE-2024-24980 CVE-2024-24853 CVE-2023-49141 CVE-2023-42667

[Salvatore Bonaccorso]

Source: intel-microcode
Version: 3.20240531.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 3.20240514.1~deb12u1
Control: found -1 3.20240514.1~deb11u1

Hi,

The following vulnerabilities were published for intel-microcode.

CVE-2024-25939[0]:
| Mirrored regions with different values in 3rd Generation Intel(R)
| Xeon(R) Scalable Processors may allow a privileged user to
| potentially enable denial of service via local access.


CVE-2024-24980[1]:
| Protection mechanism failure in some 3rd, 4th, and 5th Generation
| Intel(R) Xeon(R) Processors may allow a privileged user to
| potentially enable escalation of privilege via local access.


CVE-2024-24853[2]:
| Incorrect behavior order in transition between executive monitor and
| SMI transfer monitor (STM) in some Intel(R) Processor may allow a
| privileged user to potentially enable escalation of privilege via
| local access.


CVE-2023-49141[3]:
| Improper isolation in some Intel(R) Processors stream cache
| mechanism may allow an authenticated user to potentially enable
| escalation of privilege via local access.


CVE-2023-42667[4]:
| Improper isolation in the Intel(R) Core(TM) Ultra Processor stream
| cache mechanism may allow an authenticated user to potentially
| enable escalation of privilege via local access.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25939
    https://www.cve.org/CVERecord?id=CVE-2024-25939
[1] https://security-tracker.debian.org/tracker/CVE-2024-24980
    https://www.cve.org/CVERecord?id=CVE-2024-24980
[2] https://security-tracker.debian.org/tracker/CVE-2024-24853
    https://www.cve.org/CVERecord?id=CVE-2024-24853
[3] https://security-tracker.debian.org/tracker/CVE-2023-49141
    https://www.cve.org/CVERecord?id=CVE-2023-49141
[4] https://security-tracker.debian.org/tracker/CVE-2023-42667
    https://www.cve.org/CVERecord?id=CVE-2023-42667
[5] 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813

Regards,
Salvatore