Merging debian version 3.20240910.1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

3 files changed, 141 insertions, 15 deletions

diff --git a/debian/changelog b/debian/changelog
index cfd59c3..917643f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,106 @@
+intel-microcode (3.20240910.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20240910 (closes: #1081363)
+    - Mitigations for INTEL-SA-01103 (CVE-2024-23984)
+      A potential security vulnerability in the Running Average Power Limit
+      (RAPL) interface for some Intel Processors may allow information
+      disclosure.
+    - Mitigations for INTEL-SA-01097 (CVE-2024-24968)
+      A potential security vulnerability in some Intel Processors may allow
+      denial of service.
+    - Fixes for unspecified functional issues on several processor models
+    - The processor voltage limit issue on Core 13rd/14th gen REQUIRES A
+      FIRMWARE UPDATE.  It is present in this release for sig 0xb0671, but
+      THE VOLTAGE ISSUE FIX ONLY WORKS WHEN THE MICROCODE UPDATE IS LOADED
+      THROUGH THE FIT TABLE IN FIRMWARE.  Contact your system vendor for a
+      firmware update that includes the appropriate microcode update for
+      your processor.
+  * Updated Microcodes:
+    sig 0x00090672, pf_mask 0x07, 2024-02-22, rev 0x0036, size 224256
+    sig 0x00090675, pf_mask 0x07, 2024-02-22, rev 0x0036
+    sig 0x000b06f2, pf_mask 0x07, 2024-02-22, rev 0x0036
+    sig 0x000b06f5, pf_mask 0x07, 2024-02-22, rev 0x0036
+    sig 0x000906a3, pf_mask 0x80, 2024-02-22, rev 0x0434, size 222208
+    sig 0x000906a4, pf_mask 0x80, 2024-02-22, rev 0x0434
+    sig 0x000a06a4, pf_mask 0xe6, 2024-06-17, rev 0x001f, size 137216
+    sig 0x000b0671, pf_mask 0x32, 2024-07-18, rev 0x0129, size 215040
+    sig 0x000b06a2, pf_mask 0xe0, 2024-02-22, rev 0x4122, size 220160
+    sig 0x000b06a3, pf_mask 0xe0, 2024-02-22, rev 0x4122
+    sig 0x000b06a8, pf_mask 0xe0, 2024-02-22, rev 0x4122
+    sig 0x000b06e0, pf_mask 0x19, 2024-03-25, rev 0x001a, size 138240
+  * Update changelog for 3.20240813.1 with new information
+  * Update changelog for 3.20240514.1 with new information
+  * source: update symlinks to reflect id of the latest release, 20240910
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 21 Sep 2024 16:40:07 -0300
+
+intel-microcode (3.20240813.2) unstable; urgency=high
+
+  * Merge changes from intel-microcode/3.20240531.1+nmu1, which were left out
+    from 3.20240813.1 by an oversight, regressing merged-usr. Closes: #1060200
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 17 Aug 2024 11:31:32 -0300
+
+intel-microcode (3.20240813.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20240813 (closes: #1078742)
+    - Mitigations for INTEL-SA-01083 (CVE-2024-24853)
+      Incorrect behavior order in transition between executive monitor and SMI
+      transfer monitor (STM) in some Intel Processors may allow a privileged
+      user to potentially enable escalation of privilege via local access.
+    - Mitigations for INTEL-SA-01118 (CVE-2024-25939)
+      Mirrored regions with different values in 3rd Generation Intel Xeon
+      Scalable Processors may allow a privileged user to potentially enable
+      denial of service via local access.
+    - Mitigations for INTEL-SA-01100 (CVE-2024-24980)
+      Protection mechanism failure in some 3rd, 4th, and 5th Generation Intel
+      Xeon Processors may allow a privileged user to potentially enable
+      escalation of privilege via local access.
+    - Mitigations for INTEL-SA-01038 (CVE-2023-42667)
+      Improper isolation in the Intel Core Ultra Processor stream cache
+      mechanism may allow an authenticated user to potentially enable
+      escalation of privilege via local access.  Intel disclosed that some
+      processor models were already fixed by the previous microcode update.
+    - Mitigations for INTEL-SA-01046 (CVE-2023-49141)
+      Improper isolation in some Intel Processors stream cache mechanism may
+      allow an authenticated user to potentially enable escalation of
+      privilege via local access.  Intel disclosed that some processor models
+      were already fixed by the previous microcode update.
+    - Fix for unspecified functional issues on several processor models
+    - Fix for errata TGL068/ADL075/ICL088/... "Processor may hang during a
+      microcode update".  It is not clear which processors were fixed by this
+      release, or by one of the microcode updates from 2024-05.
+  * Updated microcodes:
+    sig 0x00050657, pf_mask 0xbf, 2024-03-01, rev 0x5003707, size 39936
+    sig 0x0005065b, pf_mask 0xbf, 2024-04-01, rev 0x7002904, size 30720
+    sig 0x000606a6, pf_mask 0x87, 2024-04-01, rev 0xd0003e7, size 308224
+    sig 0x000606c1, pf_mask 0x10, 2024-04-03, rev 0x10002b0, size 300032
+    sig 0x000706e5, pf_mask 0x80, 2024-02-15, rev 0x00c6, size 114688
+    sig 0x000806c1, pf_mask 0x80, 2024-02-15, rev 0x00b8, size 112640
+    sig 0x000806c2, pf_mask 0xc2, 2024-02-15, rev 0x0038, size 99328
+    sig 0x000806d1, pf_mask 0xc2, 2024-02-15, rev 0x0052, size 104448
+    sig 0x000806e9, pf_mask 0xc0, 2024-02-01, rev 0x00f6, size 106496
+    sig 0x000806e9, pf_mask 0x10, 2024-02-01, rev 0x00f6, size 106496
+    sig 0x000806ea, pf_mask 0xc0, 2024-02-01, rev 0x00f6, size 105472
+    sig 0x000806eb, pf_mask 0xd0, 2024-02-01, rev 0x00f6, size 106496
+    sig 0x000806ec, pf_mask 0x94, 2024-02-05, rev 0x00fc, size 106496
+    sig 0x00090661, pf_mask 0x01, 2024-04-05, rev 0x001a, size 20480
+    sig 0x000906ea, pf_mask 0x22, 2024-02-01, rev 0x00f8, size 105472
+    sig 0x000906eb, pf_mask 0x02, 2024-02-01, rev 0x00f6, size 106496
+    sig 0x000906ec, pf_mask 0x22, 2024-02-01, rev 0x00f8, size 106496
+    sig 0x000906ed, pf_mask 0x22, 2024-02-05, rev 0x0100, size 106496
+    sig 0x000a0652, pf_mask 0x20, 2024-02-01, rev 0x00fc, size 97280
+    sig 0x000a0653, pf_mask 0x22, 2024-02-01, rev 0x00fc, size 98304
+    sig 0x000a0655, pf_mask 0x22, 2024-02-01, rev 0x00fc, size 97280
+    sig 0x000a0660, pf_mask 0x80, 2024-02-01, rev 0x00fe, size 97280
+    sig 0x000a0661, pf_mask 0x80, 2024-02-01, rev 0x00fc, size 97280
+    sig 0x000a0671, pf_mask 0x02, 2024-03-07, rev 0x0062, size 108544
+    sig 0x000a06a4, pf_mask 0xe6, 2024-04-15, rev 0x001e, size 137216
+  * source: update symlinks to reflect id of the latest release, 20240813
+  * postinst, postrm: switch to dpkg-trigger to run update-initramfs
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Thu, 15 Aug 2024 14:41:50 -0300
+
 intel-microcode (3.20240531.1+nmu1-0.0~progress7.99u1) graograman-backports; urgency=medium
 
   * Uploading to graograman-backports, remaining changes:
@@ -71,6 +174,25 @@ intel-microcode (3.20240514.1) unstable; urgency=medium
       Improper input validation in some Intel TDX module software before
       version 1.5.05.46.698 may allow a privileged user to potentially enable
       escalation of privilege via local access.
+    * Mitigations for INTEL-SA-01046 (CVE-2023-49141)
+      Improper isolation in some Intel Processors stream cache mechanism may
+      allow an authenticated user to potentially enable escalation of
+      privilege via local access (time-travel entry, added after Intel
+      released this information during the full disclosure for the 20240813
+      update)
+    * Mitigations for INTEL-SA-01046 (CVE-2023-49141)
+      Improper isolation in some Intel Processors stream cache mechanism may
+      allow an authenticated user to potentially enable escalation of
+      privilege via local access (time-travel entry, added after Intel
+      released this information during the full disclosure for the 20240813
+      update).  Processor signatures 0x806f4-0x806f8, 0xb0671, 0x90672, and
+      0x90675
+    * Mitigations for INTEL-SA-01100 (CVE-2024-24980) for the Intel
+      Protection mechanism failure in some 3rd, 4th, and 5th Generation Intel
+      Xeon Processors may allow a privileged user to potentially enable
+      escalation of privilege via local access (time-travel entry, added after
+      Intel released this information during the full disclosure for the
+      20240813 update).  Processor signatures 0xc06f1 and 0xc06f2.
     * Fix for unspecified functional issues on 4th gen and 5th gen Xeon
       Scalable, 12th, 13th and 14th gen Intel Core processors, as well as for
       Core i3 N-series processors.
diff --git a/debian/intel-microcode.postinst b/debian/intel-microcode.postinst
index 71f667a..a62c0a7 100644
--- a/debian/intel-microcode.postinst
+++ b/debian/intel-microcode.postinst
@@ -19,18 +19,21 @@ set -e
 
 case "$1" in
     configure)
-	# do it like udev and firmware-linux-*
-	if [ -x /usr/sbin/update-initramfs ] && [ -e /etc/initramfs-tools/initramfs.conf ] ; then
-	    update-initramfs -u && {
-		echo "intel-microcode: microcode will be updated at next boot" >&2
-		ls /usr/share/misc/intel-microcode* >/dev/null 2>&1 && {
-		    echo "intel-microcode: possibly old microcode files from /usr/share/misc were used" >&2
-		    echo "intel-microcode: remove them if this is not desired and run 'update-initramfs -u'" >&2
-		}
-	    }
-	else
-	    echo "intel-microcode: initramfs support missing" >&2
-	fi
+        RC=0
+        dpkg-trigger --no-await update-initramfs || RC=$?
+        [ "$RC" -ne 0 ] && [ -e /etc/initramfs-tools/initramfs.conf ] && {
+            RC=0
+            update-initramfs -u || RC=$?
+        }
+        if [ "$RC" -eq 0 ] ; then
+            echo "intel-microcode: microcode will be updated at next boot" >&2
+            ls /usr/share/misc/intel-microcode* >/dev/null 2>&1 && {
+                echo "intel-microcode: possibly old microcode files from /usr/share/misc were used" >&2
+                echo "intel-microcode: remove them if this is not desired and run 'dpkg-reconfigure intel-microcode'" >&2
+            }
+        else
+            echo "intel-microcode: initramfs support missing" >&2
+        fi
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/debian/intel-microcode.postrm b/debian/intel-microcode.postrm
index 57791c8..425c182 100644
--- a/debian/intel-microcode.postrm
+++ b/debian/intel-microcode.postrm
@@ -20,9 +20,10 @@ set -e
 
 case "$1" in
     purge|remove)
-	if [ -x /usr/sbin/update-initramfs ] && [ -e /etc/initramfs-tools/initramfs.conf ] ; then
-	    update-initramfs -u
-	fi
+        dpkg-trigger --no-await update-initramfs || {
+            #shellcheck disable=SC2015
+            [ -e /etc/initramfs-tools/initramfs.conf ] && update-initramfs -u || :
+        }
     ;;
 
     upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)