--- wikisrc/security/intel_mds.mdwn 2019/05/14 17:21:06 1.1 +++ wikisrc/security/intel_mds.mdwn 2019/05/14 17:22:54 1.2 
@@ -60,3 +60,68 @@ will then determine if it can apply the NetBSD will disable the mitigation. ######Note: "method" will then show a [VERW] if it is enabled, and (none) if not. + + + +#NetBSD Security Update for amd64 Port (X86_64) Architecture - 20190514 + + +###Description +Details and mitigation information about a sub-class of speculative execution +side-channel vulnerabilities called Microarchitectural Data Sampling (MDS) affecting +hardware starting with select 8th and 9th Generation Intel® CoreTM processors, as +well as the 2nd Generation Intel® Xeon® Scalable Processor Family. + +Please refer to the Intel Security Advisory 00233 is located at: +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html + +This update is mitigation for the following CVEs: + +###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS) +* Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127 +> CVSS: -6.5 Medium + +* Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126 +> CVSS: -6.5 Medium + +* Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130 +> CVSS: - 6.5 Medium + +* Microarchitectural Uncacheable Data Sampling (MDSUM) – CVE-2019-11091 +> CVSS: – 3.8 Low + + +##Status of the Fix +**NetBSD-7, and all the anterior releases, have no planned fixes.** + +[[!table data=""" +Port |Vendor/Model |MDS |NetBSD-8 |NetBSD-current +amd64 |Intel |Vulnerable |Fixed [VERW][smtoff] |Fixed [VERW][smtoff] +"""]] + + +###Mitigation +The mitigation for MDS depends on the Intel CPU model and available microcode +or motherboard BIOS revision. + +Should a motherboard manufacturer not have a BIOS update with the MDS fix for +the affected Intel processors, you may use NetBSD's pkgsrc to fetch the latest +microcode distribution from Intel. The package is **sysutils/intel-microcode-netbsd**. + +You may also want to disable SMT/HyperThreading to address certain aspects of +the vulnerabilities. 
Should you not be able to disable SMT/HT in your BIOS, you +can put **smtoff=YES** in your */etc/rc.conf* file. + +###Enabling the mitigation + +The two following sysctls are now available: + machdep.mds.mitigated = {0/1} user-settable + machdep.mds.method = {string} constructed by the kernel + +If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically. + +To manually enable the check, use sysctl -w machdep.mds.mitigated=1. NetBSD +will then determine if it can apply the available mitigation. When set to 0, then +NetBSD will disable the mitigation. + +######Note: "method" will then show a [VERW] if it is enabled, and (none) if not.
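Review bot: The new advisory section has several wording and Markdown problems that should be fixed before it is published. "Please refer to the Intel Security Advisory 00233 is located at:" is ungrammatical; make it "Intel Security Advisory 00233 is located at:" or "Please refer to Intel Security Advisory 00233 at:". The four CVSS lines are each formatted differently ("CVSS: -6.5 Medium", "CVSS: - 6.5 Medium", "CVSS: – 3.8 Low"); the stray hyphen/en-dash reads as a negative score, so use one form such as "CVSS: 6.5 (Medium)" throughout. The heading levels jump from "#" to "###" to "##" and back, and the hash marks have no space after them, which some Markdown renderers do not treat as headings; use a consistent hierarchy (one top-level title, then "## Description", "## Status of the Fix", "## Mitigation", "## Enabling the mitigation") and render the closing "Note:" as a plain paragraph rather than a level-6 heading. Smaller points: "CoreTM" should be "Core™" (or just "Core"), "anterior releases" should be "earlier releases", "The two following sysctls" should be "The following two sysctls", and "To manually enable the check" is about the mitigation, not a check, so say "To manually enable the mitigation, use sysctl -w machdep.mds.mitigated=1."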