Change logs for amd64-microcode source package in Xenial

  • amd64-microcode (3.20191021.1+really3.20180524.1~ubuntu0.16.04.2) xenial-security; urgency=medium
    
      * Revert to 3.20180524.1 version of microcode because of regressions on
        certain hardware. (LP: #1853614)
    
     -- Marc Deslauriers <email address hidden>  Mon, 25 Nov 2019 14:55:10 -0500
  • amd64-microcode (3.20191021.1ubuntu0.16.04.1) xenial; urgency=medium
    
      * Backport to Ubuntu 16.04 LTS (LP: #1850752)
    
    amd64-microcode (3.20191021.1ubuntu1) focal; urgency=low
    
      * Merge from Debian unstable (LP: #1850752). Remaining changes:
        - initramfs-tools hook (debian/initramfs.hook):
          + Default to 'early' instead of 'auto' when building with
            MODULES=most
          + Do not override preset defaults from auto-exported conf
            snippets loaded by initramfs-tools.
    
    amd64-microcode (3.20191021.1) unstable; urgency=medium
    
      * New microcode update packages from AMD upstream:
        + New Microcodes:
          sig 0x00830f10, patch id 0x08301025, 2019-07-11
        + Updated Microcodes:
          sig 0x00800f12, patch id 0x08001250, 2019-04-16
          sig 0x00800f82, patch id 0x0800820d, 2019-04-16
      * README: update for new release
    
     -- Steve Beattie <email address hidden>  Thu, 31 Oct 2019 14:59:01 -0700
  • amd64-microcode (3.20180524.1~ubuntu0.16.04.2) xenial; urgency=medium
    
      * Default to 'early' instead of 'auto' in the initramfs-tools hook
        when building with MODULES=most (LP: #1778738)
    
     -- Julian Andres Klode <email address hidden>  Tue, 26 Jun 2018 16:32:22 +0200
  • amd64-microcode (3.20180524.1~ubuntu0.16.04.1) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Add Spectre Variant 2 protection for family 17h AMD
        processors (CVE-2017-5715)
        - Backport to xenial.
    
    amd64-microcode (3.20180524.1) unstable; urgency=high
    
      * New microcode update packages from AMD upstream:
        + Re-added Microcodes:
          sig 0x00610f01, patch id 0x06001119, 2012-07-13
      * This update avoids regressing sig 0x610f01 processors on systems with
        outdated firmware by adding back exactly the same microcode patch that was
        present before [for these processors].  It does not implement Spectre-v2
        mitigation for these processors.
      * README: update for new release
    
    amd64-microcode (3.20180515.1) unstable; urgency=high
    
      * New microcode update packages from AMD upstream:
        + New Microcodes:
          sig 0x00800f12, patch id 0x08001227, 2018-02-09
        + Updated Microcodes:
          sig 0x00600f12, patch id 0x0600063e, 2018-02-07
          sig 0x00600f20, patch id 0x06000852, 2018-02-06
        + Removed Microcodes:
          sig 0x00610f01, patch id 0x06001119, 2012-07-13
      * Adds Spectre v2 (CVE-2017-5715) microcode-based mitigation support,
        plus other unspecified fixes/updates.
      * README, debian/copyright: update for new release
    
    amd64-microcode (3.20171205.2) unstable; urgency=medium
    
      * debian/control: update Vcs-* fields for salsa.debian.org
    
    amd64-microcode (3.20171205.1) unstable; urgency=high
    
      * New microcode updates (closes: #886382):
        sig 0x00800f12, patch id 0x08001213, 2017-12-05
        Thanks to SuSE for distributing these ahead of AMD's official release!
      * Add IBPB support for family 17h AMD processors (CVE-2017-5715)
      * README: describe source for faml17h microcode update
      * Upload to unstable to match IBPB microcode support on Intel in Debian
        unstable.
      * WARNING: requires at least kernel 4.15, 4.14.13, 4.9.76, 4.4.111 (or a
        backport of commit f4e9b7af0cd58dd039a0fb2cd67d57cea4889abf
        "x86/microcode/AMD: Add support for fam17h microcode loading") otherwise
        it will not be applied to the processor.
    
    amd64-microcode (3.20160316.3) unstable; urgency=medium
    
      * initramfs: Make the early initramfs reproducible (closes: #845194)
      * rules: switch to simplified dh-based build (debhelper v9)
    
    amd64-microcode (3.20160316.2) unstable; urgency=medium
    
      * NEWS.debian: fix minor typo
      * debian/control, debian/compat: bump debhelper compat mode to 9
      * debian/control: bump standards version to 3.9.8 (no changes needed)
      * debian/: prefix binary-package control files with package name
      * debian/control: recommend tiny-initramfs as an alternative to
        initramfs-tools tiny-initramfs specifically supports early microcode
        updates, so it is a viable alternative to initramfs-tools
        (closes: #839882)
    
    amd64-microcode (3.20160316.1) unstable; urgency=low
    
      * Bump major version number to 3: early-initramfs support
      * Support is now restricted to Linux kernel 3.14 and later.  For older
        kernels, please use the version 2 (older) branch of the package.
      * Implement early-initramfs mode, and remove normal mode
        * debian/control: add versioned recommends for initramfs-tools and
          dracut.  Note that dracut 044 is required for Linux 4.4 and later,
          otherwise dracut 040 would be enough
        * debian/default: add early mode, remove normal mode from comments
        * initramfs hook: use cpio to generate an early-initramfs with
          microcode for all processors, blacklist kernels older than 3.14,
          and remove normal mode support.
        * initramfs.init-premount: remove, not needed for early-initramfs
        * debian/rules: don't install init-premount initramfs script.
      * initramfs.hook: detect a missing microcode.ko and don't attempt to
        force_load() it.  In verbose mode, log when the microcode driver is
        modular.  For Linux 4.4 and later, skip the module loading logic
        (closes: #809444)
      * README.Debian: update for early initramfs support, and add information
        on how to disable early updates using the dis_ucode_ldr kernel boot
        parameter
      * Support for x32 was enabled in debian/control for the 2.20160316.1
        upload, but the changelog did not record this by mistake.  The missing
        entry was retroactively added to debian/changelog by this upload
    
     -- Steve Beattie <email address hidden>  Tue, 29 May 2018 15:16:39 -0700
  • amd64-microcode (2.20160316.1) unstable; urgency=critical
    
      * Upstream release 20160316 built from linux-firmware:
        + Updated Microcodes:
          sig 0x00600f20, patch id 0x0600084f, 2016-01-25
        + This microcode updates fixes a critical erratum on NMI handling
          introduced by microcode patch id 0x6000832 from the 20141028 update.
          The erratum is also present on microcode patch id 0x6000836.
        + THIS IS A CRITICAL STABILITY AND SECURITY UPDATE FOR THE EARLIER
          AMD PILEDRIVER PROCESSORS, including:
          + AMD Opteron 3300, 4300, 6300
          + AMD FX "Vishera" (43xx, 63xx, 83xx, 93xx, 95xx)
          + AMD processors with family 21, model 2, stepping 0
      * Robert Święcki, while fuzzing the kernel using the syzkaller tool,
        uncovered very strange behavior on an AMD FX-8320, later reproduced on
        other AMD Piledriver model 2, stepping 0 processors including the Opteron
        6300.  Robert discovered, using his proof-of-concept exploit code, that
        the incorrect behavior allows an unpriviledged attacker on an unpriviledged
        VM to corrupt the return stack of the host kernel's NMI handler.  At best,
        this results in unpredictable host behavior.  At worst, it allows for an
        unpriviledged user on unpriviledged VM to carry a sucessful host-kernel
        ring 0 code injection attack.
      * The erratum is timing-dependant, easily triggered by workloads that cause
        a high number of NMIs, such as running the "perf" tool.
    
     -- Henrique de Moraes Holschuh <email address hidden>  Sat, 19 Mar 2016 14:02:44 -0300
  • amd64-microcode (2.20141028.1) unstable; urgency=medium
    
    
      * Upstream release 20141028 built from linux-firmware:
        + Updated microcode patches for family 0x15 processors
        + Added microcode patches for family 0x16 processors
      * AMD did not update the relevant microcode documentation (errata fixed,
        microcode patch levels, etc), so there is no documentation for the
        family 0x16 microcode patches, and the documentation for family 0x15 is
        stale.
      * postinst: do not update microcode on upgrades:
        Remove code that triggers a microcode update on package upgrade.  The
        resulting postinst script is now identical to the one in Debian jessie's
        intel-microcode, and thus known-good.
        NOTE: this code was already disabled for the majority of the users due
        to Debian bug #723975 (closes: #723975, #723081)
      * kpreinst: remove, we don't update microcode on postinst anymore
      * blacklist automated loading of the microcode module:
        This is in line with the desired behavior of only updating microcode
        *automatically* during system boot, when it is safer to do so.  The
        local admin can still load the microcode module and update the microcode
        manually at any time, of course.  This is in sync with the intel-microcode
        packages in Debian jessie, which will also blacklist the microcode module.
        Note that the initramfs will force-load the microcode module in a safe
        condition, the blacklist avoids module autoloading outside the initramfs
      * control: bump standards version (no changes required)
      * copyright: update upstream URL and upstream copyright date
        (closes: #753593)
      * docs: future-proof by using a glob pattern for per-family README files
      * initramfs hook: support forced installation of amd64-microcode:
        Add a config file (/etc/default/amd64-microcode) to select the mode of
        operation: do nothing, force install to initramfs, install only when
        running on an amd64 processor (closes: #726854)
      * initramfs hook: fix (likely unexploitable) issues found by shellcheck
      * Add a NEWS.Debian file to warn users we will no longer update the
        microcode on package upgrade (note that we were not doing it on any
        Debian kernels anyway).  Also document the existence of the new
        /etc/default/amd64-microcode file
    
     -- Henrique de Moraes Holschuh <email address hidden>  Thu, 18 Dec 2014 13:36:27 -0200