[ubuntu/resolute-proposed] intel-microcode 3.20250812.1ubuntu1 (Accepted)
Rodrigo Figueiredo Zaiden
rodrigo.zaiden at canonical.com
Thu Oct 30 12:37:16 UTC 2025
intel-microcode (3.20250812.1ubuntu1) resolute; urgency=medium
* SECURITY UPDATE: Merge from Debian unstable; remaining changes:
- debian/control: Add dracut and tiny-initramfs as alternative
recommends
- debian/tests/initramfs: update test for location of GenuineIntel.bin
since in Ubuntu this lives under the cpio2 initramfs so test for
its presence in any cpio
- debian/tests/control: update generic kernel dep as an alternative to
the original one from Debian
- debian/tests/initramfs: invoke update-initramfs with -c to ensure an
initrd is generated if one does not already exist so that the rest
of the test can proceed as expected
intel-microcode (3.20250812.1) unstable; urgency=medium
[ Henrique de Moraes Holschuh ]
* New upstream microcode datafile 20250812 (closes: #1110983, #1112168)
- Mitgations for INTEL-SA-01249 (processor Stream Cache):
CVE-2025-20109: Improper Isolation or Compartmentalization in the
stream cache mechanism for some Intel Processors may allow an
authenticated user to potentially enable escalation of privilege via
local access. Intel also disclosed that several processors models
had already received this mitigation on the previous microcode
release, 20250512.
- Mitigations for INTEL-SA-01308:
CVE-2025-22840: Sequence of processor instructions leads to
unexpected behavior for some Intel Xeon 6 Scalable processors may
allow an authenticated user to potentially enable escalation of
privilege via local access.
- Mitigations for INTEL-SA-01310 (OOBM services module):
CVE-2025-22839: Insufficient granularity of access control in the
OOB-MSM for some Intel Xeon 6 Scalable processors may allow a
privileged user to potentially enable escalation of privilege via
adjacent access.
- Mitigations for INTEL-SA-01311 (Intel TDX):
CVE-2025-22889: Improper handling of overlap between protected
memory ranges for some Intel Xeon 6 processors with Intel TDX may
allow a privileged user to potentially enable escalation of
privilege via local access.
- Mitigations for INTEL-SA-01313:
CVE-2025-20053: Improper buffer restrictions for some Intel Xeon
Processor firmware with SGX enabled may allow a privileged user to
potentially enable escalation of privilege via local access.
CVE-2025-21090: Missing reference to active allocated resource for
some Intel Xeon processors may allow an authenticated user to
potentially enable denial of service via local access.
CVE-2025-24305: Insufficient control flow management in the Alias
Checking Trusted Module (ACTM) firmware for some Intel Xeon
processors may allow a privileged user to potentially enable
escalation of privilege via local access.
- Mitigations for INTEL-SA-01367 (Intel SGX, TDX):
CVE-2025-26403: Out-of-bounds write in the memory subsystem for some
Intel Xeon 6 processors when using Intel SGX or Intel TDX may allow
a privileged user to potentially enable escalation of privilege via
local access.
CVE-2025-32086: Improperly implemented security check for standard
in the DDRIO configuration for some Intel Xeon 6 Processors when
using Intel SGX or Intel TDX may allow a privileged user to
potentially enable escalation of privilege via local access.
- Fixes for unspecified functional issues on several Intel Core and
Intel Xeon processor models.
* Updated microcodes:
sig 0x000606a6, pf_mask 0x87, 2025-03-11, rev 0xd000410, size 309248
sig 0x000606c1, pf_mask 0x10, 2025-03-06, rev 0x10002e0, size 301056
sig 0x000806f8, pf_mask 0x87, 2025-04-04, rev 0x2b000643, size 592896
sig 0x000806f7, pf_mask 0x87, 2025-04-04, rev 0x2b000643
sig 0x000806f6, pf_mask 0x87, 2025-04-04, rev 0x2b000643
sig 0x000806f5, pf_mask 0x87, 2025-04-04, rev 0x2b000643
sig 0x000806f4, pf_mask 0x87, 2025-04-04, rev 0x2b000643
sig 0x000806f8, pf_mask 0x10, 2025-04-08, rev 0x2c000401, size 625664
sig 0x000806f6, pf_mask 0x10, 2025-04-08, rev 0x2c000401
sig 0x000806f5, pf_mask 0x10, 2025-04-08, rev 0x2c000401
sig 0x000806f4, pf_mask 0x10, 2025-04-08, rev 0x2c000401
sig 0x000a06a4, pf_mask 0xe6, 2025-03-19, rev 0x0025, size 140288
sig 0x000a06d1, pf_mask 0x95, 2025-05-15, rev 0x10003d0, size 1667072
sig 0x000a06d1, pf_mask 0x20, 2025-05-15, rev 0xa000100, size 1638400
sig 0x000a06f3, pf_mask 0x01, 2025-05-03, rev 0x3000362, size 1530880
sig 0x000b06a2, pf_mask 0xe0, 2025-02-24, rev 0x4129, size 224256
sig 0x000b06a3, pf_mask 0xe0, 2025-02-24, rev 0x4129
sig 0x000b06a8, pf_mask 0xe0, 2025-02-24, rev 0x4129
sig 0x000b06d1, pf_mask 0x80, 2025-05-21, rev 0x0123, size 80896
sig 0x000c0662, pf_mask 0x82, 2025-05-14, rev 0x0119, size 90112
sig 0x000c06a2, pf_mask 0x82, 2025-05-14, rev 0x0119
sig 0x000c0652, pf_mask 0x82, 2025-05-14, rev 0x0119
sig 0x000c0664, pf_mask 0x82, 2025-05-14, rev 0x0119
sig 0x000c06f2, pf_mask 0x87, 2025-04-15, rev 0x210002b3, size 564224
sig 0x000c06f1, pf_mask 0x87, 2025-04-15, rev 0x210002b3
* update entry for 3.20250512.1 with new information
* source: update symlinks to reflect id of the latest release, 20250812
[ Ben Hutchings ]
* debian/tests/initramfs: Update to work with forky's initramfs-tools.
In version 0.149 of initramfs-tools, unmkinitramfs was changed to no
longer create early/ and main/ subdirectories. Update the microcode
file check to work with both old and new behaviours.
Date: Mon, 27 Oct 2025 19:32:19 -0300
Changed-By: Rodrigo Figueiredo Zaiden <rodrigo.zaiden at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/intel-microcode/3.20250812.1ubuntu1
-------------- next part --------------
Format: 1.8
Date: Mon, 27 Oct 2025 19:32:19 -0300
Source: intel-microcode
Built-For-Profiles: noudeb
Architecture: source
Version: 3.20250812.1ubuntu1
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Rodrigo Figueiredo Zaiden <rodrigo.zaiden at canonical.com>
Closes: 1110983 1112168
Changes:
intel-microcode (3.20250812.1ubuntu1) resolute; urgency=medium
.
* SECURITY UPDATE: Merge from Debian unstable; remaining changes:
- debian/control: Add dracut and tiny-initramfs as alternative
recommends
- debian/tests/initramfs: update test for location of GenuineIntel.bin
since in Ubuntu this lives under the cpio2 initramfs so test for
its presence in any cpio
- debian/tests/control: update generic kernel dep as an alternative to
the original one from Debian
- debian/tests/initramfs: invoke update-initramfs with -c to ensure an
initrd is generated if one does not already exist so that the rest
of the test can proceed as expected
.
intel-microcode (3.20250812.1) unstable; urgency=medium
.
[ Henrique de Moraes Holschuh ]
* New upstream microcode datafile 20250812 (closes: #1110983, #1112168)
- Mitgations for INTEL-SA-01249 (processor Stream Cache):
CVE-2025-20109: Improper Isolation or Compartmentalization in the
stream cache mechanism for some Intel Processors may allow an
authenticated user to potentially enable escalation of privilege via
local access. Intel also disclosed that several processors models
had already received this mitigation on the previous microcode
release, 20250512.
- Mitigations for INTEL-SA-01308:
CVE-2025-22840: Sequence of processor instructions leads to
unexpected behavior for some Intel Xeon 6 Scalable processors may
allow an authenticated user to potentially enable escalation of
privilege via local access.
- Mitigations for INTEL-SA-01310 (OOBM services module):
CVE-2025-22839: Insufficient granularity of access control in the
OOB-MSM for some Intel Xeon 6 Scalable processors may allow a
privileged user to potentially enable escalation of privilege via
adjacent access.
- Mitigations for INTEL-SA-01311 (Intel TDX):
CVE-2025-22889: Improper handling of overlap between protected
memory ranges for some Intel Xeon 6 processors with Intel TDX may
allow a privileged user to potentially enable escalation of
privilege via local access.
- Mitigations for INTEL-SA-01313:
CVE-2025-20053: Improper buffer restrictions for some Intel Xeon
Processor firmware with SGX enabled may allow a privileged user to
potentially enable escalation of privilege via local access.
CVE-2025-21090: Missing reference to active allocated resource for
some Intel Xeon processors may allow an authenticated user to
potentially enable denial of service via local access.
CVE-2025-24305: Insufficient control flow management in the Alias
Checking Trusted Module (ACTM) firmware for some Intel Xeon
processors may allow a privileged user to potentially enable
escalation of privilege via local access.
- Mitigations for INTEL-SA-01367 (Intel SGX, TDX):
CVE-2025-26403: Out-of-bounds write in the memory subsystem for some
Intel Xeon 6 processors when using Intel SGX or Intel TDX may allow
a privileged user to potentially enable escalation of privilege via
local access.
CVE-2025-32086: Improperly implemented security check for standard
in the DDRIO configuration for some Intel Xeon 6 Processors when
using Intel SGX or Intel TDX may allow a privileged user to
potentially enable escalation of privilege via local access.
- Fixes for unspecified functional issues on several Intel Core and
Intel Xeon processor models.
* Updated microcodes:
sig 0x000606a6, pf_mask 0x87, 2025-03-11, rev 0xd000410, size 309248
sig 0x000606c1, pf_mask 0x10, 2025-03-06, rev 0x10002e0, size 301056
sig 0x000806f8, pf_mask 0x87, 2025-04-04, rev 0x2b000643, size 592896
sig 0x000806f7, pf_mask 0x87, 2025-04-04, rev 0x2b000643
sig 0x000806f6, pf_mask 0x87, 2025-04-04, rev 0x2b000643
sig 0x000806f5, pf_mask 0x87, 2025-04-04, rev 0x2b000643
sig 0x000806f4, pf_mask 0x87, 2025-04-04, rev 0x2b000643
sig 0x000806f8, pf_mask 0x10, 2025-04-08, rev 0x2c000401, size 625664
sig 0x000806f6, pf_mask 0x10, 2025-04-08, rev 0x2c000401
sig 0x000806f5, pf_mask 0x10, 2025-04-08, rev 0x2c000401
sig 0x000806f4, pf_mask 0x10, 2025-04-08, rev 0x2c000401
sig 0x000a06a4, pf_mask 0xe6, 2025-03-19, rev 0x0025, size 140288
sig 0x000a06d1, pf_mask 0x95, 2025-05-15, rev 0x10003d0, size 1667072
sig 0x000a06d1, pf_mask 0x20, 2025-05-15, rev 0xa000100, size 1638400
sig 0x000a06f3, pf_mask 0x01, 2025-05-03, rev 0x3000362, size 1530880
sig 0x000b06a2, pf_mask 0xe0, 2025-02-24, rev 0x4129, size 224256
sig 0x000b06a3, pf_mask 0xe0, 2025-02-24, rev 0x4129
sig 0x000b06a8, pf_mask 0xe0, 2025-02-24, rev 0x4129
sig 0x000b06d1, pf_mask 0x80, 2025-05-21, rev 0x0123, size 80896
sig 0x000c0662, pf_mask 0x82, 2025-05-14, rev 0x0119, size 90112
sig 0x000c06a2, pf_mask 0x82, 2025-05-14, rev 0x0119
sig 0x000c0652, pf_mask 0x82, 2025-05-14, rev 0x0119
sig 0x000c0664, pf_mask 0x82, 2025-05-14, rev 0x0119
sig 0x000c06f2, pf_mask 0x87, 2025-04-15, rev 0x210002b3, size 564224
sig 0x000c06f1, pf_mask 0x87, 2025-04-15, rev 0x210002b3
* update entry for 3.20250512.1 with new information
* source: update symlinks to reflect id of the latest release, 20250812
.
[ Ben Hutchings ]
* debian/tests/initramfs: Update to work with forky's initramfs-tools.
In version 0.149 of initramfs-tools, unmkinitramfs was changed to no
longer create early/ and main/ subdirectories. Update the microcode
file check to work with both old and new behaviours.
Checksums-Sha1:
9ec99d8349f80b62345e1001d4bc57f7299ac3ac 2007 intel-microcode_3.20250812.1ubuntu1.dsc
ac19ec42decd5f3ca9f2b8a71069d8efb30bc1b4 12008200 intel-microcode_3.20250812.1ubuntu1.tar.xz
97be402e090ed7251fac7d7bfb7254da244b0f53 6174 intel-microcode_3.20250812.1ubuntu1_source.buildinfo
Checksums-Sha256:
9d9ba32575ac18fea401df3d74e343f8f726f6eaf609638f46a7c52615834613 2007 intel-microcode_3.20250812.1ubuntu1.dsc
4ead83bb5d34e788c365109bc9551b473723ce8b4fac4a6d9bfe50502046e151 12008200 intel-microcode_3.20250812.1ubuntu1.tar.xz
039527e5d5cf1bf93717af59dfda78b7c6898d24613c66cf5f841fb1d1fec41f 6174 intel-microcode_3.20250812.1ubuntu1_source.buildinfo
Files:
82f07e38dd2b3225cf70f578b1be0123 2007 non-free-firmware/admin standard intel-microcode_3.20250812.1ubuntu1.dsc
1d0ba5154d24987e9dabfcfc01a1f1e4 12008200 non-free-firmware/admin standard intel-microcode_3.20250812.1ubuntu1.tar.xz
6658e4a97a02028b6bd25cf691d18334 6174 non-free-firmware/admin standard intel-microcode_3.20250812.1ubuntu1_source.buildinfo
Original-Maintainer: Henrique de Moraes Holschuh <hmh at debian.org>
More information about the Resolute-changes
mailing list