moderate: microcode_ctl/perl security update
moderate
An update for microcode_ctl/perl is now available for NewStart CGSL MAIN 6.02.
NewStart Security has rated this update as having a security impact of moderate. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
microcode_ctl: This package provides microcode update files for Intel x86 and x86_64 CPUs. The microcode update is volatile and needs to be uploaded on each system boot i.e. it isn't stored on a CPU permanently; reboot and it reverts back to the old microcode. Package name "microcode_ctl" is historical, as the binary with the same name is no longer used for microcode upload and, as a result, no longer provided.
perl: This package provides debug information for package perl-libs. Debug information is useful when developing applications that use this package or when debugging this package.
Security Fix(es):
microcode_ctl: A flaw was found in the Intel Advanced Vector Extensions (AVX) implementation, where a local authenticated attacker with the ability to execute AVX instructions can gather the AVX register state from previous AVX executions. This vulnerability allows information disclosure of the AVX register state.(CVE-2020-8696)
microcode_ctl: bugfix
perl: Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.(CVE-2020-10543)
perl: Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.(CVE-2020-10878)
perl: bugfix
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.02.70B3.