update: fwdb from v349+i20260512+1cce to v350+i20260512+1cce, 8 microcode changes (#578)

built from commit 44ba92635f
 dated 2026-06-03 14:07:02 +0200
 by github-actions[bot] (41898282+github-actions[bot]@users.noreply.github.com)

 Co-authored-by: speed47 <218502+speed47@users.noreply.github.com>

.github/workflows/autoupdate.yml

@@ -1,41 +0,0 @@
-name: autoupdate
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '42 9 * * *'
-
-permissions:
-  pull-requests: write
-  contents: write
-
-jobs:
-  autoupdate:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          ref: source
-      - name: Install prerequisites
-        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends iucode-tool sqlite3 unzip shfmt
-      - name: Update microcode versions
-        run: ./scripts/update_mcedb.sh
-      - name: Update Intel models
-        run: ./scripts/update_intel_models.sh
-      - name: Check git diff
-        id: diff
-        run: |
-          echo change="$(git diff | awk '/MCEDB/ { if(V) { print V" to "$4; exit } else { V=$4 } }')" >> "$GITHUB_OUTPUT"
-          echo nbdiff="$(git diff | grep -cE -- '^\+# [AI],')" >> "$GITHUB_OUTPUT"
-          git diff
-          cat "$GITHUB_OUTPUT"
-      - name: Create Pull Request if needed
-        if: steps.diff.outputs.nbdiff != '0'
-        uses: peter-evans/create-pull-request@v7
-        with:
-          branch: autoupdate-fwdb
-          commit-message: "update: fwdb from ${{ steps.diff.outputs.change }}, ${{ steps.diff.outputs.nbdiff }} microcode changes"
-          title: "[Auto] Update fwdb from ${{ steps.diff.outputs.change }}"
-          body: |
-            Automated PR to update fwdb from ${{ steps.diff.outputs.change }}
-            Detected ${{ steps.diff.outputs.nbdiff }} microcode changes

.github/workflows/stale.yml

@@ -1,33 +0,0 @@
-name: 'Manage stale issues and PRs'
-
-on:
-  schedule:
-    - cron: '37 7 * * *'
-  workflow_dispatch:
-    inputs:
-      action:
-        description: "dry-run"
-        required: true
-        default: "dryrun"
-        type: choice
-        options:
-          - dryrun
-          - apply
-
-permissions:
-  issues: write
-  pull-requests: write
-
-jobs:
-  stale:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/stale@v10
-        with:
-          any-of-labels: 'needs-more-info,answered'
-          labels-to-remove-when-unstale: 'needs-more-info,answered'
-          days-before-stale: 30
-          days-before-close: 7
-          stale-issue-label: stale
-          remove-stale-when-updated: true
-          debug-only: ${{ case(inputs.action == 'dryrun', true, false) }}

.github/workflows/vuln-watch.yml

@@ -1,190 +0,0 @@
-name: Online search for vulns
-
-on:
-  schedule:
-    - cron: '42 8 * * *'
-  workflow_dispatch:
-    inputs:
-      model:
-        description: 'Claude model to use (cron runs default to Sonnet)'
-        required: false
-        type: choice
-        default: claude-sonnet-4-6
-        options:
-          - claude-sonnet-4-6
-          - claude-opus-4-7
-          - claude-haiku-4-5-20251001
-      window_hours:
-        description: 'Lookback window in hours (cron runs use 25)'
-        required: false
-        type: string
-        default: '25'
-      reconsider_age_days:
-        description: 'Only reconsider backlog entries last reviewed ≥ N days ago (0 = all, default 7)'
-        required: false
-        type: string
-        default: '7'
-
-permissions:
-  contents: read
-  actions: read           # needed to list/download previous run artifacts
-  id-token: write         # needed by claude-code-action for OIDC auth
-
-concurrency:
-  group: vuln-watch
-  cancel-in-progress: true
-
-jobs:
-  watch:
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-
-    steps:
-      # The scripts driving this workflow live on the `vuln-watch` branch so
-      # they don't clutter master (which is what ships to production). The
-      # workflow file itself MUST stay on the default branch, as GitHub only
-      # honors `schedule:` triggers on the default branch.
-      - name: Checkout vuln-watch branch (scripts + prompt)
-        uses: actions/checkout@v5
-        with:
-          ref: vuln-watch
-          fetch-depth: 1
-          persist-credentials: false
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.12'
-
-      - name: Install Python dependencies
-        run: python -m pip install --quiet feedparser
-
-      # ---- Load previous state ---------------------------------------------
-      # Find the most recent successful run of THIS workflow (other than the
-      # current one) and pull its `vuln-watch-state` artifact. On the very
-      # first run there will be none — that's fine, we start empty.
-      - name: Find previous successful run id
-        id: prev
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          set -e
-          run_id=$(gh run list \
-            --workflow="${{ github.workflow }}" \
-            --status=success \
-            --limit 1 \
-            --json databaseId \
-            --jq '.[0].databaseId // empty')
-          echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"
-          if [ -n "$run_id" ]; then
-            echo "Found previous successful run: $run_id"
-          else
-            echo "No previous successful run — starting from empty state."
-          fi
-
-      - name: Download previous state artifact
-        if: steps.prev.outputs.run_id != ''
-        uses: actions/download-artifact@v5
-        continue-on-error: true   # tolerate retention expiry
-        with:
-          name: vuln-watch-state
-          path: state/
-          run-id: ${{ steps.prev.outputs.run_id }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-
-      # ---- Fetch + diff (token-free; runs every time) ---------------------
-      # Performs conditional GETs (ETag / If-Modified-Since) against every
-      # source, parses RSS/Atom/HTML, dedups against state.seen + state.aliases,
-      # applies the time-window filter, and emits new_items.json.
-      # Updates state.sources (HTTP cache metadata + per-source high-water
-      # marks) in place so the cache survives even when Claude doesn't run.
-      - name: Fetch + diff all sources
-        id: diff
-        env:
-          SCAN_DATE: ${{ github.run_started_at }}
-          # Cron runs have no `inputs` context, so the fallback kicks in.
-          WINDOW_HOURS:         ${{ inputs.window_hours || '25' }}
-          RECONSIDER_AGE_DAYS:  ${{ inputs.reconsider_age_days || '7' }}
-        run: python -m scripts.vuln_watch.fetch_and_diff
-
-      # ---- Fetch checker code so Claude can grep it for coverage ---------
-      # The orphan vuln-watch branch has none of the actual checker code,
-      # so we pull the `test` branch (the dev branch where coded-but-
-      # unreleased CVE checks live) into ./checker/. The prompt tells
-      # Claude this is the canonical source of truth for "is CVE-X already
-      # implemented?". Only fetched on days with something to classify.
-      - name: Checkout checker code (test branch) for coverage grep
-        if: steps.diff.outputs.new_count != '0' || steps.diff.outputs.reconsider_count != '0'
-        uses: actions/checkout@v5
-        with:
-          ref: test
-          path: checker
-          fetch-depth: 1
-          persist-credentials: false
-
-      # ---- Classify new items with Claude (skipped when nothing is new) ---
-      # Model selection: a manual workflow_dispatch run picks from a dropdown
-      # (defaulting to Sonnet). Scheduled cron runs have no `inputs` context,
-      # so the `|| 'claude-sonnet-4-6'` fallback kicks in — cron always uses
-      # Sonnet to keep the daily cost floor low.
-      - name: Run classifier with Claude
-        id: classify
-        if: steps.diff.outputs.new_count != '0' || steps.diff.outputs.reconsider_count != '0'
-        uses: anthropics/claude-code-action@v1
-        env:
-          SCAN_DATE: ${{ github.run_started_at }}
-        with:
-          prompt: |
-            Read the full task instructions from scripts/daily_vuln_watch_prompt.md
-            and execute them end-to-end. Your input is new_items.json (already
-            deduped, windowed, and pre-filtered — do NOT re-fetch sources).
-            Write the three watch_${TODAY}_*.md files and classifications.json.
-            Use $SCAN_DATE as the canonical timestamp.
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          # model + tool allowlist pass through claude_args (v1 dropped the
-          # dedicated `model:` and `allowed_tools:` inputs). Job-level
-          # `timeout-minutes: 20` above bounds total runtime.
-          claude_args: |
-            --model ${{ inputs.model || 'claude-sonnet-4-6' }}
-            --allowedTools "Read,Write,Edit,Bash,Grep,Glob,WebFetch"
-
-      - name: Upload Claude execution log
-        if: ${{ always() && steps.classify.outputs.execution_file != '' }}
-        uses: actions/upload-artifact@v5
-        with:
-          name: claude-execution-log-${{ github.run_id }}
-          path: ${{ steps.classify.outputs.execution_file }}
-          retention-days: 30
-          if-no-files-found: warn
-
-      # ---- Merge classifications back into state --------------------------
-      # Also writes stub watch_*.md files if the classify step was skipped, so
-      # the report artifact is consistent across runs.
-      - name: Merge classifications into state
-        if: always()
-        env:
-          SCAN_DATE: ${{ github.run_started_at }}
-        run: python -m scripts.vuln_watch.merge_state
-
-      - name: Upload new state artifact
-        if: always()
-        uses: actions/upload-artifact@v5
-        with:
-          name: vuln-watch-state
-          path: state/seen.json
-          retention-days: 90
-          if-no-files-found: error
-
-      - name: Upload daily report
-        if: always()
-        uses: actions/upload-artifact@v5
-        with:
-          name: vuln-watch-report-${{ github.run_id }}
-          path: |
-            watch_*.md
-            current_toimplement.md
-            current_tocheck.md
-            new_items.json
-            classifications.json
-          retention-days: 90
-          if-no-files-found: warn

spectre-meltdown-checker.sh

@@ -13,7 +13,7 @@
 #
 # Stephane Lesimple
 #
-VERSION='26.36.0602723'
+VERSION='26.36.0603505'
 
 # --- Common paths and basedirs ---
 readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"
@@ -13133,7 +13133,7 @@ exit 0                          # ok
 # with X being either I for Intel, or A for AMD
 # When the date is unknown it defaults to 20000101
 
-# %%% MCEDB v349+i20260512+1cce
+# %%% MCEDB v350+i20260512+1cce
 # I,0x00000611,0xFF,0x00000B27,19961218
 # I,0x00000612,0xFF,0x000000C6,19961210
 # I,0x00000616,0xFF,0x000000C6,19961210
@@ -13552,6 +13552,7 @@ exit 0                          # ok
 # I,0x000A06D0,0xFF,0x10000680,20240818
 # I,0x000A06D1,0x20,0x0A000142,20260129
 # I,0x000A06D1,0x95,0x01000423,20260129
+# I,0x000A06E0,0xFF,0x80000953,20240902
 # I,0x000A06E1,0x97,0x01000307,20260226
 # I,0x000A06F0,0xFF,0x80000360,20240130
 # I,0x000A06F3,0x01,0x030003A3,20260130
@@ -13581,8 +13582,10 @@ exit 0                          # ok
 # I,0x000C06C3,0x90,0x0000011B,20260324
 # I,0x000C06F1,0x87,0x210002E0,20251217
 # I,0x000C06F2,0x87,0x210002E0,20251217
-# I,0x000D0670,0xFF,0x00000003,20250825
+# I,0x000D0650,0xFF,0x00000008,20260208
-# I,0x000D06D0,0xFF,0x00000340,20250807
+# I,0x000D0651,0xFF,0x00000008,20260208
+# I,0x000D0670,0xFF,0x00000137,20260218
+# I,0x000D06D0,0xFF,0x80000370,20250917
 # I,0x00FF0671,0xFF,0x0000010E,20220907
 # I,0x00FF0672,0xFF,0x0000000D,20210816
 # I,0x00FF0675,0xFF,0x0000000D,20210816
@@ -13679,7 +13682,7 @@ exit 0                          # ok
 # A,0x00880F40,0xFF,0x08804005,20210312
 # A,0x00890F00,0xFF,0x08900007,20200921
 # A,0x00890F01,0xFF,0x08900103,20201105
-# A,0x00890F02,0xFF,0x08900203,20230915
+# A,0x00890F02,0xFF,0x08900208,20241219
 # A,0x00890F10,0xFF,0x08901003,20230919
 # A,0x008A0F00,0xFF,0x08A0000B,20241125
 # A,0x00A00F00,0xFF,0x0A000033,20200413
@@ -13724,11 +13727,11 @@ exit 0                          # ok
 # A,0x00B00F00,0xFF,0x0B00004D,20240318
 # A,0x00B00F10,0xFF,0x0B001016,20240318
 # A,0x00B00F20,0xFF,0x0B002032,20241003
-# A,0x00B00F21,0xFF,0x0B002161,20251105
+# A,0x00B00F21,0xFF,0x0B002162,20251105
 # A,0x00B00F80,0xFF,0x0B008011,20241211
 # A,0x00B00F81,0xFF,0x0B008121,20251020
 # A,0x00B10F00,0xFF,0x0B10000F,20240320
-# A,0x00B10F10,0xFF,0x0B101058,20251105
+# A,0x00B10F10,0xFF,0x0B101059,20251105
 # A,0x00B20F40,0xFF,0x0B204037,20251019
 # A,0x00B40F00,0xFF,0x0B400034,20240318
 # A,0x00B40F40,0xFF,0x0B404035,20251020