CVE-2023-20593

NameCVE-2023-20593
DescriptionAn issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3508-1, DLA-3511-1, DLA-3512-1, DSA-5459-1, DSA-5461-1, DSA-5462-1
Debian Bugs1041863

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
amd64-microcode (PTS)buster/non-free3.20181128.1vulnerable
buster/non-free (security)3.20230719.1~deb10u1fixed
bullseye/non-free3.20230808.1.1~deb11u1fixed
bullseye/non-free (security)3.20230719.1~deb11u1fixed
bookworm/non-free-firmware3.20230808.1.1~deb12u1fixed
bookworm/non-free-firmware (security)3.20230719.1~deb12u1fixed
trixie/non-free-firmware3.20240116.2fixed
sid/non-free-firmware3.20240116.2+nmu1fixed
linux (PTS)buster4.19.249-2vulnerable
buster (security)4.19.304-1fixed
bullseye5.10.209-2fixed
bullseye (security)5.10.218-1fixed
bookworm6.1.76-1fixed
bookworm (security)6.1.90-1fixed
trixie6.7.12-1fixed
sid6.8.12-1fixed
linux-5.10 (PTS)buster (security)5.10.216-1~deb10u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
amd64-microcodesourcebuster3.20230719.1~deb10u1DLA-3511-1
amd64-microcodesourcebullseye3.20230719.1~deb11u1DSA-5459-1
amd64-microcodesourcebookworm3.20230719.1~deb12u1DSA-5459-1
amd64-microcodesource(unstable)3.20230719.11041863
linuxsourcebuster4.19.289-1DLA-3508-1
linuxsourcebullseye5.10.179-3DSA-5461-1
linuxsourcebookworm6.1.38-2DSA-5462-1
linuxsource(unstable)6.4.4-2
linux-5.10sourcebuster5.10.179-3~deb10u1DLA-3512-1

Notes

https://www.openwall.com/lists/oss-security/2023/07/24/1
https://lock.cmpxchg8b.com/zenbleed.html
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html
https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8
https://xenbits.xen.org/xsa/advisory-433.html
Technically not an issue in src:linux but track as well the kernel side mitigation
under the CVE entry.
3.20230719.1 ships the first batch of fixes, only for 2nd gen Epyc CPUs, further
CPUs to follow in later releases

Search for package or bug name: Reporting problems