svn commit: r53029 - head/share/security/advisories
Gordon Tetlow
gordon at FreeBSD.org
Wed May 15 18:02:17 UTC 2019
Author: gordon (src committer)
Date: Wed May 15 18:02:16 2019
New Revision: 53029
URL: https://svnweb.freebsd.org/changeset/doc/53029
Log:
Update version of MDS advisory
Approved by: so
Modified:
head/share/security/advisories/FreeBSD-SA-19:07.mds.asc
Modified: head/share/security/advisories/FreeBSD-SA-19:07.mds.asc
==============================================================================
--- head/share/security/advisories/FreeBSD-SA-19:07.mds.asc Wed May 15 15:23:23 2019 (r53028)
+++ head/share/security/advisories/FreeBSD-SA-19:07.mds.asc Wed May 15 18:02:16 2019 (r53029)
@@ -24,6 +24,13 @@ For general information regarding FreeBSD Security Adv
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
+0. Revision history
+
+v1.0 2019-05-14 Initial release.
+v1.1 2019-05-15 Fixed date on microcode update package.
+v1.2 2019-05-15 Userland startup microcode update details added.
+ Add language specifying which manufacturers is affected.
+
I. Background
Modern processors make use of speculative execution, an optimization
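Review bot: The second line of the v1.2 entry, "Add language specifying which manufacturers is affected.", has a subject-verb mismatch and switches to the imperative while the other entries use the past tense ("Fixed", "added"). Suggest "Added language specifying which manufacturers are affected." so the revision history reads consistently.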
@@ -45,11 +52,14 @@ IV. Workaround
No workaround is available.
+Only Intel x86 based processors are affected. x86 processors from other
+manufacturers (eg, AMD) are not believed to be vulnerable.
+
Systems with users or processors in different trust domains should disable
Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:
# echo 'machdep.hyperthreading_allowed=0 >> /boot/loader.conf'
-# shutdown
+# shutdown -r +10min "Security update"
V. Solution
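Review bot: The echo line left unchanged directly above the new shutdown command has its closing quote after /boot/loader.conf, so the redirection is part of the quoted string: the shell prints the text to the terminal and nothing is appended to the file. The reboot this hunk now schedules would then bring the system back with Hyper-Threading still enabled. Since the hunk already touches this command sequence, move the quote: # echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf. Separately, the added vendor-scope paragraph lands under "IV. Workaround" immediately after "No workaround is available."; it describes who is affected rather than a workaround and would be easier to find outside this section, and "eg" should be "e.g.".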
@@ -63,15 +73,18 @@ New CPU microcode may be available in a BIOS update fr
or by installing the devcpu-data package or sysutils/devcpu-data port.
Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14.
-If using the package or port the microcode update can be applied at boot time
-by adding the following lines to the system's /boot/loader.conf:
+If using the package or port the Intel microcode update can be applied at
+boot time (only on FreeBSD 12 and later) by adding the following lines to the
+system's /boot/loader.conf:
cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"
-Microcode updates can also be applied while the system is running. See
-cpucontrol(8) for details.
+To automatically load microcode during userland startup (supported on all
+FreeBSD versions), add the following to /etc/rc.conf:
+microcode_update_enable="YES"
+
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
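Review bot: The two removed lines at the end of this hunk were the only pointer to applying microcode on a running system through cpucontrol(8), and the replacement covers only boot-time loading and rc.conf startup loading. A reader who cannot reboot right away no longer learns that a runtime update is possible. Suggest keeping "Microcode updates can also be applied while the system is running. See cpucontrol(8) for details." after the rc.conf setting. The rc.conf paragraph also does not say whether it depends on the package or port the way the loader.conf paragraph does ("If using the package or port"); stating that explicitly would avoid a setting that is enabled but has no effect.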
@@ -180,19 +193,19 @@ The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:07.mds.asc>
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzcFgRfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzcU9dfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
-5cLmcw//cAwFw1SkYL3uFd0nTTnIltrzwTkMkxAFRjsxN5XxOJDEVJfygFHzlFhr
-TxiFRN+QdE5NQt7HWDB7d1BXnmnIRiL6dqrrL+odPNeh9Wsh3Ft6NUxn8I6/wC4g
-O77VYLj5OdhYT6D9PnbIucDBSdNH555Tfmz0eTDY24iVmWw7c1GfYozpl1cEk/Bh
-+jgMH5rQZ30v7dKANGTeF0pQeAZaK9NZBWb86NlSy+FYyDu7KS1oEms4hGdQosYU
-ZEBVV4uxBVFx3RRQuZM3z/+M9GrpliyHKGmNBX97u975oQ1k66pK6r1lxp+odVoa
-UO0YROQ/pepOVmutNHz+8Y953qLaaolNwy+SxpqkEDhjlD6sbwV+ErqbfoCuEnsb
-N0a7t52VEqkd3Cnivrd6dJpGtNsYPhruSXIXjRrKhI1fOnJbC/cw1as7WwXx5TdM
-471ErTqZuNAcwAUT7Ve7kxNpWk+Lii2lprf+YfrZRk7pqcgmiMurIBAcKys7Skb/
-dCGMckAU9hiUZMmiNuxV33m233zmRB7otHnHSXmmm9/SKCGeUw/OSKugtHGQ/6gJ
-2ZQkWCPrL71CRwMzBRtwSCvG6YfTYIZ1gw48r2JzUGg11Urj2pXqRlYGNT7YGHGF
-EOKQqSsU9I4CBfI9munJkNJI+Fpghnjpx2lK5w3rbcnkJI9CDzc=
-=jH3H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+=pDA1
-----END PGP SIGNATURE-----