From: carnil@debian.org
Source: intel-microcode
Version: 3.20251111.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team
Control: found -1 3.20250812.1~deb13u1
Control: found -1 3.20251111.1~deb13u1
Control: found -1 3.20250812.1~deb12u1
Control: found -1 3.20251111.1~deb12u1
Hi,
The following vulnerability was published for intel-microcode.
CVE-2025-31648[0]:
| Improper handling of values in the microcode flow for some Intel(R)
| Processor Family may allow an escalation of privilege. Startup code
| and smm adversary with a privileged user combined with a high
| complexity attack may enable escalation of privilege. This result
| may potentially occur via local access when attack requirements are
| present with special internal knowledge and requires no user
| interaction. The potential vulnerability may impact the
| confidentiality (low), integrity (low) and availability (none) of
| the vulnerable system, resulting in subsequent system
| confidentiality (low), integrity (low) and availability (none)
| impacts.
I think this one can be fixed via next point releases and does not
need a DSA, but in any case let's follow the usual approach to get
fixes in unstable and exposure there first.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-31648
https://www.cve.org/CVERecord?id=CVE-2025-31648
[1] https://www.intel.com/content/www/us/en/security-center/advi
ory/intel-sa-01396.html
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Dat
-Files/releases/tag/microcode-20260210-rev1
Regards,
Salvatore
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)
|
