CVE-2018-3639

Name: CVE-2018-3639
Description: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DSA-4210-1

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| intel-microcode (PTS) | stretch/non-free | 3.20170707.1~deb9u1 | vulnerable |
| | jessie/non-free | 3.20180425.1~deb8u1 | vulnerable |
| | buster/non-free, sid/non-free | 3.20180425.1 | vulnerable |
| linux (PTS) | jessie (security), jessie | 3.16.56-1+deb8u1 | vulnerable |
| | stretch | 4.9.82-1+deb9u3 | vulnerable |
| | stretch (security) | 4.9.88-1+deb9u1 | vulnerable |
| | buster | 4.16.12-1 | fixed |
| | sid | 4.16.16-2 | fixed |
| xen (PTS) | jessie (security), jessie | 4.4.1-9+deb8u10 | vulnerable |
| | stretch (security) | 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8 | fixed |
| | buster, stretch, sid | 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 | vulnerable |

The information below is based on the following data on fixed versions.

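| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| intel-microcode | source | (unstable) | (unfixed) | | | |
| linux | source | (unstable) | 4.16.12-1 | | | |
| xen | source | (unstable) | (unfixed) | | | |
| xen | source | stretch | 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7 | | DSA-4210-1 | |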

Notes

[wheezy] - linux <ignored> (Too much work to backport)
https://xenbits.xen.org/xsa/advisory-263.html
https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
