Zenbleed vulnerability: is Rocky Linux working on it?

Hi all.

Since July 25th a vulnerability in specific families of AMD CPUs, known as Zenbleed, has been made known.

Discovery is credited to Tavis Ormandy and here is his full report, which also includes a link to a PoC for this security flaw.

There are now patches available, in the form of binary microcode ‘blobs’, added by AMD and distributed via the linux-firmware package.

My question: so far I have not found any mention of this problem in the RL errata. Is someone working on packaging and redistributing a newer version of linux-firmware?

AlmaLinux has also published an and they are looking for testers. Sorry, as a new poster
I cannot include more than two links.

Thanks in advance!

Regards,
Matteo


Greetings and welcome to the forums.
Rocky is sticking to the promise to stay 1:1 with RH. Alma has made the choice to go a different path.

Thus, it is important to see what RH is doing to know if Rocky will get the patch. It seems they’ve classified it as “not affected” but I don’t understand their logic. This has nothing to do with the kernel but rather the linux-firmware and microcode packages.
https://access.redhat.com/security/cve/cve-2023-20593

However, there are active discussions on the bug report for it:
https://bugzilla.redhat.com/show_bug.cgi?id=2217845

If RH patches upstream, then Rocky will publish the patch as well.

Hope that helps.

Greetings and welcome to the forums.

Thank you.

It seems they’ve classified it as “not affected” but I don’t understand their logic.

Indeed, I have also stumbled on that report and it’s actually quite strange.

The discussion in the bugzilla report also indicates that this is actually blocking another bug (Bug Access Denied), which is unfortunately not accessible without a Bugzilla login, but that makes me hope that eventually RH will release a fix (sooner rather than later, hopefully).

Alma has made the choice to go a different path.

Yes, I did not clarify, but I posted that link because I was hoping to get some opinions from other users who have applied the workaround based on this ‘chicken bit’. There is currently zero (public) information around on how this may affect CPU performance (if at all).

If you have hardware that is affected, I suggest you use ELRepo’s kernel-ml or kernel-lt as a temporary workaround. Both kernel sets have been patched with the fix.

In fact, the microcode (linux-firmware) currently only fixes a small subset of AMD CPUs while the kernel patch fixes all of them.

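As an added example (not code from the thread, Rocky, AlmaLinux or ELRepo), a POSIX sh check an admin can run to see whether a host falls in the Zen 2 ranges the microcode and kernel fixes discussed above target, which microcode revision is loaded, and whether the ‘chicken bit’ workaround is currently set. The family 0x17 model ranges and the MSR 0xC0011029 bit 9 location are assumptions taken from the upstream kernel's Zenbleed fix and should be verified against AMD's advisory for CVE-2023-20593.

```shell
#!/bin/sh
# Added example, not code from the thread or from Rocky/ELRepo: report whether a host's
# AMD CPU is in the Zen 2 model ranges Zenbleed (CVE-2023-20593) concerns, which microcode
# revision is loaded, and whether the DE_CFG "chicken bit" workaround is set. Assumptions:
# family 0x17 models 0x30-0x4f, 0x60-0x7f, 0x90-0x91, 0xa0-0xaf and MSR 0xC0011029 bit 9.

# Return 0 if (family, model) is in the affected ranges. Args are decimal, as in /proc/cpuinfo.
zenbleed_affected() {
    family=$1; model=$2
    [ "$family" -eq 23 ] 2>/dev/null || return 1
    if [ "$model" -ge 48 ]  && [ "$model" -le 79 ];  then return 0; fi   # 0x30-0x4f
    if [ "$model" -ge 96 ]  && [ "$model" -le 127 ]; then return 0; fi   # 0x60-0x7f
    if [ "$model" -ge 144 ] && [ "$model" -le 145 ]; then return 0; fi   # 0x90-0x91
    if [ "$model" -ge 160 ] && [ "$model" -le 175 ]; then return 0; fi   # 0xa0-0xaf
    return 1
}

# Print one cpuinfo field ("cpu family", "model", "microcode", ...) for the first CPU only.
cpuinfo_field() {
    awk -F': *' -v key="$1" '$1 ~ ("^" key "[ \t]*$") { print $2; exit }'
}

# Classify cpuinfo text: "affected ..." with the loaded microcode revision, or "not-affected ...".
zenbleed_report() {
    vendor=$(printf '%s\n' "$1" | cpuinfo_field vendor_id)
    family=$(printf '%s\n' "$1" | cpuinfo_field "cpu family")
    model=$(printf '%s\n' "$1" | cpuinfo_field model)
    ucode=$(printf '%s\n' "$1" | cpuinfo_field microcode)
    if [ "$vendor" = "AuthenticAMD" ] && zenbleed_affected "$family" "$model"; then
        printf 'affected family=%s model=%s microcode=%s\n' "$family" "$model" "$ucode"
    else
        printf 'not-affected family=%s model=%s\n' "$family" "$model"
    fi
}

# Read the chicken bit when msr-tools is installed and we are root; otherwise print "unknown".
chicken_bit_state() {
    command -v rdmsr >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ] || { echo unknown; return 0; }
    v=$(rdmsr -c 0xc0011029 2>/dev/null) || { echo unknown; return 0; }
    if [ $(( v & (1 << 9) )) -ne 0 ]; then echo set; else echo clear; fi
}

# Constructed sample in /proc/cpuinfo layout (not a real capture; the revision is made up).
SAMPLE_ZEN2='vendor_id	: AuthenticAMD
cpu family	: 23
model		: 113
microcode	: 0x8701000'

zenbleed_report "$SAMPLE_ZEN2"
if [ -r /proc/cpuinfo ]; then zenbleed_report "$(cat /proc/cpuinfo)"; chicken_bit_state; fi
```

An "affected" result with the chicken bit "clear" and a microcode revision older than the one your vendor lists for that model means neither fix is active on the running kernel; a fixed kernel sets the bit itself when the loaded microcode is not new enough.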