| Name | CVE-2023-20593 |
| Description | An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3508-1, DLA-3511-1, DLA-3512-1, DSA-5459-1, DSA-5461-1, DSA-5462-1 |
| Debian Bugs | 1041863 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| amd64-microcode (PTS) | buster/non-free | 3.20181128.1 | vulnerable |
| buster/non-free (security) | 3.20230719.1~deb10u1 | fixed |
| bullseye/non-free | 3.20230808.1.1~deb11u1 | fixed |
| bullseye/non-free (security) | 3.20230719.1~deb11u1 | fixed |
| bookworm/non-free-firmware | 3.20230808.1.1~deb12u1 | fixed |
| bookworm/non-free-firmware (security) | 3.20230719.1~deb12u1 | fixed |
| trixie/non-free-firmware, sid/non-free-firmware | 3.20240116.2 | fixed |
| linux (PTS) | buster | 4.19.249-2 | vulnerable |
| buster (security) | 4.19.304-1 | fixed |
| bullseye | 5.10.209-2 | fixed |
| bullseye (security) | 5.10.205-2 | fixed |
| bookworm | 6.1.76-1 | fixed |
| bookworm (security) | 6.1.85-1 | fixed |
| trixie | 6.6.15-2 | fixed |
| sid | 6.7.12-1 | fixed |
| linux-5.10 (PTS) | buster (security) | 5.10.209-2~deb10u1 | fixed |
The information below is based on the following data on fixed versions.
Notes
https://www.openwall.com/lists/oss-security/2023/07/24/1
https://lock.cmpxchg8b.com/zenbleed.html
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html
https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8
https://xenbits.xen.org/xsa/advisory-433.html
Technically not an issue in src:linux but track as well the kernel side mitigation
under the CVE entry.
3.20230719.1 ships the first batch of fixes, only for 2nd gen Epyc CPUs, further
CPUs to follow in later releases