CVE-2023-20593

Name	CVE-2023-20593
Description	An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3508-1, DLA-3511-1, DLA-3512-1, DSA-5459-1, DSA-5461-1, DSA-5462-1, ELA-907-1, ELA-910-1, ELA-915-1
Debian Bugs	1041863

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
amd64-microcode (PTS)	jessie/non-free	3.20230719.1~deb8u1	fixed
	jessie/non-free (lts)	3.20181128.1~deb8u1	vulnerable
	stretch/non-free	3.20230719.1~deb9u1	fixed
	stretch/non-free (security), stretch/non-free (lts)	3.20181128.1~deb9u2	vulnerable
	buster/non-free	3.20181128.1	vulnerable
	buster/non-free (security)	3.20230719.1~deb10u1	fixed
	bullseye/non-free	3.20230808.1.1~deb11u1	fixed
	bullseye/non-free (security)	3.20230719.1~deb11u1	fixed
	bookworm/non-free-firmware	3.20230808.1.1~deb12u1	fixed
	bookworm/non-free-firmware (security)	3.20230719.1~deb12u1	fixed
	trixie/non-free-firmware, sid/non-free-firmware	3.20240116.2	fixed
linux (PTS)	jessie, jessie (lts)	3.16.84-1	vulnerable
	stretch (security)	4.9.320-2	vulnerable
	stretch (lts), stretch	4.9.320-3	vulnerable
	buster	4.19.249-2	vulnerable
	buster (security)	4.19.304-1	fixed
	bullseye	5.10.209-2	fixed
	bullseye (security)	5.10.205-2	fixed
	bookworm	6.1.76-1	fixed
	bookworm (security)	6.1.85-1	fixed
	trixie	6.6.15-2	fixed
	sid	6.7.12-1	fixed
linux-4.19 (PTS)	jessie, jessie (lts)	4.19.304-1~deb8u1	fixed
	stretch (security)	4.19.232-1~deb9u1	vulnerable
	stretch (lts), stretch	4.19.304-1~deb9u1	fixed
linux-5.10 (PTS)	stretch (lts), stretch	5.10.209-2~deb9u1	fixed
	buster (security)	5.10.209-2~deb10u1	fixed
xen (PTS)	jessie, jessie (lts)	4.4.4lts5-0+deb8u1	vulnerable
	stretch (security), stretch (lts), stretch	4.8.5.final+shim4.10.4-1+deb9u12	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
amd64-microcode	source	jessie	3.20230719.1~deb8u1		ELA-910-1
amd64-microcode	source	stretch	3.20230719.1~deb9u1		ELA-910-1
amd64-microcode	source	buster	3.20230719.1~deb10u1		DLA-3511-1
amd64-microcode	source	bullseye	3.20230719.1~deb11u1		DSA-5459-1
amd64-microcode	source	bookworm	3.20230719.1~deb12u1		DSA-5459-1
amd64-microcode	source	(unstable)	3.20230719.1			1041863
linux	source	jessie	(unfixed)	end-of-life
linux	source	stretch	(unfixed)	end-of-life
linux	source	buster	4.19.289-1		DLA-3508-1
linux	source	bullseye	5.10.179-3		DSA-5461-1
linux	source	bookworm	6.1.38-2		DSA-5462-1
linux	source	(unstable)	6.4.4-2
linux-4.19	source	jessie	4.19.289-1~deb8u1		ELA-907-1
linux-4.19	source	stretch	4.19.289-1~deb9u1		ELA-907-1
linux-5.10	source	stretch	5.10.179-3~deb9u1		ELA-915-1
linux-5.10	source	buster	5.10.179-3~deb10u1		DLA-3512-1
xen	source	jessie	(unfixed)	end-of-life
xen	source	stretch	(unfixed)	end-of-life

Notes

https://www.openwall.com/lists/oss-security/2023/07/24/1
https://lock.cmpxchg8b.com/zenbleed.html
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html
https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8
https://xenbits.xen.org/xsa/advisory-433.html
Technically not an issue in src:linux but track as well the kernel side mitigation
under the CVE entry.
3.20230719.1 ships the first batch of fixes, only for 2nd gen Epyc CPUs, further
CPUs to follow in later releases