According to the security advisory published on Monday, the new kernel security update addresses both the CVE-2018-3620 and CVE-2018-3646 vulnerabilities, which are known as L1 Terminal Fault (L1TF) or Foreshadow. These vulnerabilities affect normal systems as well as virtualized operating systems, and allow a local attacker to expose sensitive information from the host OS or other guests.
The Debian Project urges all Debian GNU/Linux 9 “Stretch” users to update their installations to the 4.9.110-3+deb9u3 kernel, which is now available from the main software repositories. However, to fully mitigate the L1 Terminal Fault (L1TF) vulnerabilities, the Debian Project recommends that users also install the latest microcode firmware update for Intel CPUs.
Users must install the intel-microcode 3.20180703.2~deb9u1 release from the Debian non-free repositories, which also includes Speculative Store Bypass Disable (SSBD) support to mitigate both the Spectre Variant 4 and Variant 3a security vulnerabilities. Keep in mind that you need to reboot your computer after installing the new kernel and intel-microcode versions.
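The check below is an added example, not code from the Debian Project or from this article: it compares installed version strings against the two fixed versions named above using Debian's version ordering, in which `~` sorts before everything and a suffix such as `+deb9u3` sorts after the bare revision. The installed versions in the sample and the `kernel` label are assumptions made for illustration; on a real system `dpkg --compare-versions` performs the same comparison.

```python
import re
from itertools import zip_longest

# Fixed versions from the article; "kernel" is a label, not a package name.
FIXED = {"kernel": "4.9.110-3+deb9u3", "intel-microcode": "3.20180703.2~deb9u1"}

def _order(ch):
    """Sort weight of a non-digit character (end of string counts as 0)."""
    if ch == "~":
        return -1  # tilde sorts before everything, even end of string
    return ord(ch) if ch.isalpha() else ord(ch) + 256  # letters before symbols

def _cmp_part(a, b):
    """Compare two upstream or revision strings as alternating text/number runs."""
    chunks = zip_longest(re.split(r"(\d+)", a), re.split(r"(\d+)", b), fillvalue="")
    for i, (x, y) in enumerate(chunks):
        if i % 2:  # odd index: digit run, compared numerically
            x, y = int(x or 0), int(y or 0)
        else:      # even index: non-digit run, compared character by character
            pairs = zip_longest(map(_order, x), map(_order, y), fillvalue=0)
            x, y = next((p for p in pairs if p[0] != p[1]), (0, 0))
        if x != y:
            return -1 if x < y else 1
    return 0

def _parse(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def compare(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    (e1, u1, r1), (e2, u2, r2) = _parse(v1), _parse(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def outdated(installed):
    """Names in FIXED whose installed version is missing or older than the fix."""
    return sorted(n for n, fixed in FIXED.items()
                  if n not in installed or compare(installed[n], fixed) < 0)

if __name__ == "__main__":
    # Constructed sample of installed versions, not read from a real system.
    sample = {"kernel": "4.9.110-3+deb9u2", "intel-microcode": "3.20180703.2~deb9u1"}
    print("still needs updating:", outdated(sample))
```

Because both packages only take effect after a reboot, a passing version check confirms what is installed, not what is currently running.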
Submitted by: Arnfried Walbrecht