From nobody Mon Apr 15 13:56:03 2024 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VJ7xX6xtQz5GdQH for ; Mon, 15 Apr 2024 13:56:16 +0000 (UTC) (envelope-from martin@lispworks.com) Received: from mail.lispworks.com (mail.lispworks.com [46.17.166.21]) by mx1.freebsd.org (Postfix) with ESMTP id 4VJ7xW72y0z4SDD for ; Mon, 15 Apr 2024 13:56:15 +0000 (UTC) (envelope-from martin@lispworks.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=lispworks.com header.s=default header.b=h7BAQGrU; dmarc=pass (policy=none) header.from=lispworks.com; spf=pass (mx1.freebsd.org: domain of martin@lispworks.com designates 46.17.166.21 as permitted sender) smtp.mailfrom=martin@lispworks.com Received: from lwfs1-cam.cam.lispworks.com (localhost [[UNIX: localhost]]) by lwfs1-cam.cam.lispworks.com (8.17.1/8.17.1) with ESMTP id 43FDu8UY022526 for ; Mon, 15 Apr 2024 14:56:08 +0100 (BST) (envelope-from martin@lispworks.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=lispworks.com; s=default; t=1713189368; bh=W9YGJ8DVtCQ+Aw/z2laIOAjmW1z+APST+HYhwNvfCpU=; h=Date:From:To:CC:In-reply-to:Subject:References; b=h7BAQGrUUe2b7r6yL9C6UI+a8lueqkH0LYhEhlbtF/TqPIfxMc39UOqQPvnRE6tev P88HHdsAAKWzQHf/aykvcH+L+1MzDoCw22aroV2+LRwaP9MPTG1cQYoCo3tcIbyns0 AdU1nbpl3HBhY5WV4Y6JJGTFTI6rqRNtUo55wGbfLeaSYqwmJaVpyr0QMTnVqAvA0V QJs+7gXBtB1a5AVyX1fUvo9CorcQQ4g8Pm+S1koAPza7VHJsrL6l3jrulNVhFwkYo3 u8NdPAtntHHTUWHXyAP9NL+I3bL8ViAHBuEW5SD4eE1eyytNK/PKYLtHPP1Ii9Nkl7 f4yEuK93+k7pQ== Received: from higson.cam.lispworks.com (higson.cam.lispworks.com [192.168.1.7]) by lwfs1-cam.cam.lispworks.com (8.17.1/8.17.1) with ESMTP id 43FDu3B1022447; Mon, 15 Apr 2024 14:56:03 +0100 (BST) (envelope-from martin@lispworks.com) Received: from higson.cam.lispworks.com (localhost.localdomain [127.0.0.1]) by higson.cam.lispworks.com (8.14.4) id 43FDu3mX023048; Mon, 15 Apr 2024 14:56:03 +0100 Received: (from martin@localhost) by higson.cam.lispworks.com (8.14.4/8.14.4/Submit) id 43FDu3d7023044; Mon, 15 Apr 2024 14:56:03 +0100 Date: Mon, 15 Apr 2024 14:56:03 +0100 Message-Id: <202404151356.43FDu3d7023044@higson.cam.lispworks.com> From: Martin Simmons To: =?iso-8859-2?Q?Marek_Anio=B3a?= CC: freebsd-security@freebsd.org In-reply-to: (message from =?iso-8859-2?Q?Marek_Anio=B3a?= on Mon, 15 Apr 2024 09:09:57 +0000) Subject: Re: cpu-microcode-intel-20231114 References: List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.10 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.996]; DMARC_POLICY_ALLOW(-0.50)[lispworks.com,none]; R_DKIM_ALLOW(-0.20)[lispworks.com:s=default]; R_SPF_ALLOW(-0.20)[+mx]; RWL_MAILSPIKE_VERYGOOD(-0.20)[46.17.166.21:from]; MIME_GOOD(-0.10)[text/plain]; RCVD_NO_TLS_LAST(0.10)[]; ARC_NA(0.00)[]; FREEFALL_USER(0.00)[martin]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:51055, ipnet:46.17.160.0/21, country:GB]; TO_DN_SOME(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; FREEMAIL_TO(0.00)[outlook.com]; TO_MATCH_ENVRCPT_SOME(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; MISSING_XM_UA(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; RCVD_COUNT_THREE(0.00)[4]; RCPT_COUNT_TWO(0.00)[2]; DKIM_TRACE(0.00)[lispworks.com:+] X-Rspamd-Queue-Id: 4VJ7xW72y0z4SDD >>>>> On Mon, 15 Apr 2024 09:09:57 +0000, =?iso-8859-2?Q?Marek Anio=B3a?= said: > > As of 13 March 2024. "pkg audit" reports the following vulnerabilities in FreeBSD 13.3-RELEASE-p1: > > cpu-microcode-intel-20231114 is vulnerable: >   Intel processors - multiple vulnerabilities >   CVE: CVE-2023-43490 >   CVE: CVE-2023-22655 >   CVE: CVE-2023-28746 >   CVE: CVE-2023-38575 >   CVE: CVE-2023-39368 >   WWW: https://vuxml.FreeBSD.org/freebsd/b6dd9d93-e09b-11ee-92fc-1c697a616631.html > > Found 1 issue(s) in 1 installed package(s). > > The website https://www.freshports.org/sysutils/cpu-microcode-intel/ shows that an update to the package appeared the day before (2024-03-12), but the BINARY package providing THE UPDATE IS STILL NOT AVAILABLE! > > Should this be the case? > Or, should I update the microcode in some other way? pkg search cpu-microcode-intel says the latest version is called cpu-microcode-intel-20240312. I don't know why these packages have dates in their names so they don't upgrade automatically.