freebsd security - Jul 2019 - FreeBSD MDS Mitigation

Hello list. I am reading this page about FreeBSD security [
https://vez.mrsk.me/freebsd-defaults.html ] and it says the Intel MDS mitigation
is off by default. So I tried.

% sysctl hw.mds_disable_state
hw.mds_disable_state: inactive

Now I see the instructions in the advisory, but what about anyone who
didn't? Or who did a new install and didn't read past advisories?

I have an Intel CPU that is vulnerable. By applying the update and installing
the microcode package, I thought I was safe.

Why? Why does FreeBSD let its users be vulnerable?

I?m sorry but if you really care about security you have to read the advisory
and stop assuming things.

For every complaint why this is disabled by default, there will 10 complaints
why it was enabled by default and broke things.

Having said this, I could see the benefit of reporting the fact that a certain
security measure is disabled in the daily security reports, hoping someone reads
it together with the executables that suddenly have been setuid for root.

Peter
> On 10 Jul 2019, at 18:37, Kevin via freebsd-security <freebsd-security
at freebsd.org> wrote:
> 
> Hello list. I am reading this page about FreeBSD security [
https://vez.mrsk.me/freebsd-defaults.html ] and it says the Intel MDS mitigation
is off by default. So I tried.
> 
> % sysctl hw.mds_disable_state
> hw.mds_disable_state: inactive
> 
> Now I see the instructions in the advisory, but what about anyone who
didn't? Or who did a new install and didn't read past advisories?
> 
> I have an Intel CPU that is vulnerable. By applying the update and
installing the microcode package, I thought I was safe.
> 
> Why? Why does FreeBSD let its users be vulnerable?
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at
freebsd.org"