From: peter.blok@bsd4all.org
Subject: Re: FreeBSD MDS Mitigation
Date: Thu, 11 Jul 2019 14:16:17 +0200
To: Kevin, freebsd-security@freebsd.org

I’m sorry but if you really care about security you have to read the advisory and stop assuming things.

For every complaint why this is disabled by default, there will be 10 complaints why it was enabled by default and broke things.

Having said this, I could see the benefit of reporting the fact that a certain security measure is disabled in the daily security reports, hoping someone reads it together with the executables that suddenly have been setuid for root.

Peter

> On 10 Jul 2019, at 18:37, Kevin via freebsd-security wrote:
>
> Hello list. I am reading this page about FreeBSD security [ https://vez.mrsk.me/freebsd-defaults.html ] and it says the Intel MDS mitigation is off by default. So I tried.
>
> % sysctl hw.mds_disable_state
> hw.mds_disable_state: inactive
>
> Now I see the instructions in the advisory, but what about anyone who didn't? Or who did a new install and didn't read past advisories?
>
> I have an Intel CPU that is vulnerable. By applying the update and installing the microcode package, I thought I was safe.
>
> Why? Why does FreeBSD let its users be vulnerable?
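
The daily-report check suggested in the reply above, sketched as an added example; it is not part of either message and is not FreeBSD's own periodic code. The sysctl name and the `inactive` value come from the quoted output; the function names, report wording and return codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: flag an inactive MDS mitigation in a daily security report.
# hw.mds_disable_state and the value "inactive" are taken from the thread;
# everything else here (names, wording, return codes) is hypothetical.

# Read the current mitigation state. Prints nothing when the sysctl is
# missing (for example a kernel without the MDS update, or non-x86 hardware).
mds_read_state() {
    sysctl -n hw.mds_disable_state 2>/dev/null
}

# Classify a state string, print one report line, and return:
#   0 = a mitigation state other than "inactive" was reported
#   1 = mitigation inactive, or the state could not be read
mds_check() {
    state=$1
    case "$state" in
        inactive)
            echo "WARNING: MDS mitigation is inactive (hw.mds_disable_state=inactive); see the advisory"
            return 1
            ;;
        "")
            echo "NOTICE: hw.mds_disable_state is not available; MDS mitigation status unknown"
            return 1
            ;;
        *)
            # Other values are kernel-defined and not listed in the thread;
            # echo them verbatim so the reader of the report can judge.
            echo "OK: hw.mds_disable_state=$state"
            return 0
            ;;
    esac
}

# When run from the daily job, print the report line for this host.
# rc keeps the result so a wrapper can decide whether to escalate.
rc=0
mds_check "$(mds_read_state)" || rc=$?
```
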