Re: cpu-microcode-intel-20231114

From: Marek_Anioła <man130117_at_outlook.com>
Date: Mon, 15 Apr 2024 14:19:01 UTC
No, it only shows the old version:

  ~ # pkg search cpu-microcode-intel
  cpu-microcode-intel-20231114   Intel CPU microcode updates
  ~ #

The latest version (20240312) is not available.



From: Martin Simmons <martin@lispworks.com>
Sent: Monday, April 15, 2024 15:56
To: Marek Anioła <man130117@outlook.com>
Cc: freebsd-security@freebsd.org <freebsd-security@freebsd.org>
Subject: Re: cpu-microcode-intel-20231114
 
>>>>> On Mon, 15 Apr 2024 09:09:57 +0000, =?iso-8859-2?Q?Marek Anio=B3a?= said:
>
> As of 13 March 2024. "pkg audit" reports the following vulnerabilities in FreeBSD 13.3-RELEASE-p1:
>
> cpu-microcode-intel-20231114 is vulnerable:
>   Intel processors - multiple vulnerabilities
>   CVE: CVE-2023-43490
>   CVE: CVE-2023-22655
>   CVE: CVE-2023-28746
>   CVE: CVE-2023-38575
>   CVE: CVE-2023-39368
>   WWW: https://vuxml.FreeBSD.org/freebsd/b6dd9d93-e09b-11ee-92fc-1c697a616631.html
>
> Found 1 issue(s) in 1 installed package(s).
>
> The website https://www.freshports.org/sysutils/cpu-microcode-intel/ shows that an update to the package appeared the day before (2024-03-12), but the BINARY package providing THE UPDATE IS STILL NOT AVAILABLE!
>
> Should this be the case?
> Or, should I update the microcode in some other way?

pkg search cpu-microcode-intel says the latest version is called
cpu-microcode-intel-20240312.  I don't know why these packages have dates in
their names so they don't upgrade automatically.