svn commit: r53029 - head/share/security/advisories

Gordon Tetlow gordon at FreeBSD.org
Wed May 15 18:02:17 UTC 2019 

Author: gordon (src committer)
Date: Wed May 15 18:02:16 2019
New Revision: 53029
URL: https://svnweb.freebsd.org/changeset/doc/53029

Log:
  Update version of MDS advisory
  
  Approved by:	so

Modified:
  head/share/security/advisories/FreeBSD-SA-19:07.mds.asc

Modified: head/share/security/advisories/FreeBSD-SA-19:07.mds.asc
==============================================================================
--- head/share/security/advisories/FreeBSD-SA-19:07.mds.asc	Wed May 15 15:23:23 2019	(r53028)
+++ head/share/security/advisories/FreeBSD-SA-19:07.mds.asc	Wed May 15 18:02:16 2019	(r53029)
@@ -24,6 +24,13 @@ For general information regarding FreeBSD Security Adv
 including descriptions of the fields above, security branches, and the
 following sections, please visit <URL:https://security.FreeBSD.org/>.
 
+0.   Revision history
+
+v1.0   2019-05-14  Initial release.
+v1.1   2019-05-15  Fixed date on microcode update package.
+v1.2   2019-05-15  Userland startup microcode update details added.
+                   Add language specifying which manufacturers is affected.
+
 I.   Background
 
 Modern processors make use of speculative execution, an optimization
@@ -45,11 +52,14 @@ IV.  Workaround
 
 No workaround is available.
 
+Only Intel x86 based processors are affected.  x86 processors from other
+manufacturers (eg, AMD) are not believed to be vulnerable.
+
 Systems with users or processors in different trust domains should disable
 Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:
 
 # echo 'machdep.hyperthreading_allowed=0 >> /boot/loader.conf'
-# shutdown
+# shutdown -r +10min "Security update"
 
 V.   Solution
 
@@ -63,15 +73,18 @@ New CPU microcode may be available in a BIOS update fr
 or by installing the devcpu-data package or sysutils/devcpu-data port.
 Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14.
 
-If using the package or port the microcode update can be applied at boot time
-by adding the following lines to the system's /boot/loader.conf:
+If using the package or port the Intel microcode update can be applied at
+boot time (only on FreeBSD 12 and later) by adding the following lines to the
+system's /boot/loader.conf:
 
 cpu_microcode_load="YES"
 cpu_microcode_name="/boot/firmware/intel-ucode.bin"
 
-Microcode updates can also be applied while the system is running.  See
-cpucontrol(8) for details.
+To automatically load microcode during userland startup (supported on all
+FreeBSD versions), add the following to /etc/rc.conf:
 
+microcode_update_enable="YES"
+
 1) To update your vulnerable system via a binary patch:
 
 Systems running a RELEASE version of FreeBSD on the i386 or amd64
@@ -180,19 +193,19 @@ The latest revision of this advisory is available at
 <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:07.mds.asc>
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzcFgRfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzcU9dfFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
 MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
-5cLmcw//cAwFw1SkYL3uFd0nTTnIltrzwTkMkxAFRjsxN5XxOJDEVJfygFHzlFhr
-TxiFRN+QdE5NQt7HWDB7d1BXnmnIRiL6dqrrL+odPNeh9Wsh3Ft6NUxn8I6/wC4g
-O77VYLj5OdhYT6D9PnbIucDBSdNH555Tfmz0eTDY24iVmWw7c1GfYozpl1cEk/Bh
-+jgMH5rQZ30v7dKANGTeF0pQeAZaK9NZBWb86NlSy+FYyDu7KS1oEms4hGdQosYU
-ZEBVV4uxBVFx3RRQuZM3z/+M9GrpliyHKGmNBX97u975oQ1k66pK6r1lxp+odVoa
-UO0YROQ/pepOVmutNHz+8Y953qLaaolNwy+SxpqkEDhjlD6sbwV+ErqbfoCuEnsb
-N0a7t52VEqkd3Cnivrd6dJpGtNsYPhruSXIXjRrKhI1fOnJbC/cw1as7WwXx5TdM
-471ErTqZuNAcwAUT7Ve7kxNpWk+Lii2lprf+YfrZRk7pqcgmiMurIBAcKys7Skb/
-dCGMckAU9hiUZMmiNuxV33m233zmRB7otHnHSXmmm9/SKCGeUw/OSKugtHGQ/6gJ
-2ZQkWCPrL71CRwMzBRtwSCvG6YfTYIZ1gw48r2JzUGg11Urj2pXqRlYGNT7YGHGF
-EOKQqSsU9I4CBfI9munJkNJI+Fpghnjpx2lK5w3rbcnkJI9CDzc=
-=jH3H
+5cKG7Q//XEf1kFc8JABZtSQT5XEP+J/CKMF+W+CqVmV6vLNimOeWVaw5BBWbtbhI
+7BENuQRw2NcUbwrhwR+KYKWUN0rF0VQOk+m8JMYQxTu1WQfI9J8HDTXjmp1mfrx4
+CbEjHuHCvGjezdURR0GIfAfkMjfDUEPEq05svPrEFIh2s4QagF7V2gunwNgprXJV
+ZzlA2IEUCx2KFbgbPjIJDY7ED0/VXrNeZU9G4R4t9+QSD2r21cF4kax8DLi5Rtz4
+ducXhT5dG+reZXye6c+eryJvjBPEwI9zHth0xLMGHDJUeLAOUkZpNsciuEeNu96O
+1EkGqYBKpJGcvsYBnYM0mD2Z23khqxEHWArIluJeVkdezlvREB42nLHQ9oin3opH
+ojdh57lkppQqVZ9GTHqQLRVbawiC7oNNWzoYq+ANSReqiIkpPCC3z3NsGDo1oYLK
+suMOAtxwPe6qq2Q9voN5lgHNR5w/x2uKxdYx8G8C40ynoFb1W1dQNdGVtmfRpvO5
+lvZGWNsmxWBrlYlm8onpulw1WsPgOp9TmhIAO1IZHVhgsaoF9i1hu/BumOTjiQo0
+Md4IiGAdPkU7nC3MjDm9jsD+bC6GaXwXkyryi1bpNE2feXVg4lvznyah2wQR2VVq
++R3H0+iTHCOS9fEvWWpRIZWL2AfU78O+c/go9ZqqQvGAxVR/UwM=
+=pDA1
 -----END PGP SIGNATURE-----

More information about the svn-doc-all mailing list