CVE-2018-3639

Name	CVE-2018-3639
Description	Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-1423-1, DLA-1446-1, DLA-1529-1, DLA-1715-1, DLA-1731-1, DSA-4210-1, DSA-4273-1, DSA-4273-2, ELA-111-1, ELA-18-1, ELA-50-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
intel-microcode (PTS)	jessie/non-free	3.20240813.1~deb8u1	fixed
	jessie/non-free (lts)	3.20230214.1~deb8u1	fixed
	stretch/non-free	3.20240813.1~deb9u1	fixed
	stretch/non-free (security)	3.20210608.2~deb9u2	fixed
	stretch/non-free (lts)	3.20230214.1~deb9u1	fixed
	buster/non-free	3.20240813.1~deb10u1	fixed
	buster/non-free (security)	3.20240312.1~deb10u1	fixed
	bullseye/non-free	3.20240813.1~deb11u1	fixed
	bullseye/non-free (security)	3.20231114.1~deb11u1	fixed
	bookworm/non-free-firmware	3.20240910.1~deb12u1	fixed
	bookworm/non-free-firmware (security)	3.20231114.1~deb12u1	fixed
	sid/non-free-firmware, trixie/non-free-firmware	3.20241112.1	fixed
linux (PTS)	jessie, jessie (lts)	3.16.84-1	fixed
	stretch (security)	4.9.320-2	fixed
	stretch (lts), stretch	4.9.320-3	fixed
	buster (security), buster, buster (lts)	4.19.316-1	fixed
	bullseye	5.10.223-1	fixed
	bullseye (security)	5.10.226-1	fixed
	bookworm	6.1.115-1	fixed
	bookworm (security)	6.1.112-1	fixed
	trixie	6.11.7-1	fixed
	sid	6.11.9-1	fixed
linux-4.9 (PTS)	jessie, jessie (lts)	4.9.303-1~deb8u3	fixed
xen (PTS)	jessie, jessie (lts)	4.4.4lts5-0+deb8u1	vulnerable
	stretch (security), stretch (lts), stretch	4.8.5.final+shim4.10.4-1+deb9u12	fixed
	buster (security), buster, buster (lts)	4.11.4+107-gef32c7afa2-1	fixed
	bullseye	4.14.6-1	fixed
	bullseye (security)	4.14.5+94-ge49571868d-1	fixed
	bookworm	4.17.3+10-g091466ba55-1~deb12u1	fixed
	sid, trixie	4.17.3+36-g54dacb5c02-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
intel-microcode	source	wheezy	3.20180703.2~bpo8+1~deb7u1		ELA-18-1
intel-microcode	source	jessie	3.20180703.2~deb8u1		DLA-1446-1
intel-microcode	source	stretch	3.20180807a.1~deb9u1		DSA-4273-2
intel-microcode	source	(unstable)	3.20180703.1
linux	source	wheezy	3.16.64-2~deb7u1		ELA-111-1
linux	source	jessie	3.16.64-1		DLA-1731-1
linux	source	stretch	4.9.107-1
linux	source	(unstable)	4.16.12-1
linux-4.9	source	jessie	4.9.144-3.1~deb8u1		DLA-1715-1
xen	source	wheezy	(unfixed)	end-of-life
xen	source	stretch	4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7		DSA-4210-1
xen	source	(unstable)	4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7

Notes

[wheezy] - linux <ignored> (Too much work to backport)
[jessie] - xen <ignored> (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
https://xenbits.xen.org/xsa/advisory-263.html
https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
The 3.20180703.1 release for intel-microcode was the first batch of updates which targeted
most server type CPUs, additional models were supported in the 3.20180807a.1 release
Qemu part of the mitigations for the speculative store buffer bypass
vulnerabilities on x86 are needed: #908682
https://git.qemu.org/?p=qemu.git;a=commit;h=d19d1f965904a533998739698020ff4ee8a103da
https://git.qemu.org/?p=qemu.git;a=commit;h=cfeea0c021db6234c154dbc723730e81553924ff
https://git.qemu.org/?p=qemu.git;a=commit;h=403503b162ffc33fb64cfefdf7b880acf41772cd