[security-announce] New Intel CPU issues announced - openSUSE fixes coming
Hi folks,

Today Intel and security researchers published a number of security issues covering various Intel hardware and software components. These cover half a year of collected fixes; only some of them are relevant to operating system vendors.

Two main relevant security issues are in there:

1. Machine Check Error on Page Size Changes / CVE-2018-12207

A race condition during instruction decoding and extended pagetable management on Intel CPUs could lead to Machine Check Errors (crashes of a CPU), a denial of service attack.

This issue could be used by an attacker with full access to a guest VM to crash the host.

This race condition exists in all current Intel CPUs, except Intel Atom and Knights Landing.

There is an Intel whitepaper: https://software.intel.com/security-software-guidance/insights/deep-dive-mac...

SUSE provides a software mitigation for this issue in updates to its hypervisors, both for KVM in the Linux kernel and for XEN. The mitigations are not needed in guests.

The mitigation is enabled by default; our TID https://www.suse.com/support/kb/doc/?id=7023735 has details on how to check its status and configuration.

Updated packages are linked from https://www.suse.com/security/cve/CVE-2018-12207/

2. Transactional Asynchronous Abort (TAA) / CVE-2019-11135

Researchers from TU Graz, KU Leuven, CISPA Helmholtz Center, and the VUSec group at VU Amsterdam have identified an additional CPU-based information leak attack, similar to the "Microarchitectural Data Sampling" (MDS) attack published in May 2019.

They showed that during an asynchronous abort of a Transactional Execution, various microarchitectural buffers might be speculatively accessed, which could cause side effects similar to the MDS attack, leaking small amounts of recently or currently used data on the same CPU core.

Intel has provided microcode updates, and SUSE provides fixed kernel and XEN packages to help mitigate this problem.

Intel's whitepaper is available at https://software.intel.com/security-software-guidance/insights/deep-dive-int...

Depending on the environment, administrators also need to consider disabling Hyperthreading and/or disabling TSX support. Disabling TSX is only possible with the help of CPU microcode updates on Cascade Lake and newer systems.

We have not enabled the TSX disablement and the HT disablement, only the buffer clearing, to avoid performance losses.

The options to control the mitigations are available and documented in our TID https://www.suse.com/support/kb/doc/?id=7024251 .

Updated packages are linked from our https://www.suse.com/security/cve/CVE-2019-11135/ page.

SUSE has supplied online updates for the Linux kernel, XEN, Intel CPU microcode, and qemu to mitigate these issues.

We will release openSUSE Leap and Tumbleweed fixes for this in the next day(s).

Ciao, Marcus
Marcus Meissner
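
As an added example (not part of the announcement and not SUSE's own tooling), the following shell functions read the status a patched kernel reports for the two issues and flag the default described above, where buffer clearing is on but Hyperthreading stays enabled. The sysfs entry names `itlb_multihit` and `tsx_async_abort` and the status strings are those of the upstream Linux kernel and are assumptions here, since the message itself does not list them; the two TIDs remain the reference for SUSE kernels.

```shell
#!/bin/sh
# Added example: interpret the kernel's vulnerability report for
# CVE-2018-12207 and CVE-2019-11135. Status strings follow the upstream
# kernel's wording (assumption; they are not quoted in the announcement).
# Usage on a live system: report

# classify STATUS -> prints ok | partial | vulnerable | unknown
classify() {
    case "$1" in
        "Not affected"*)
            echo ok ;;
        "Vulnerable"*|"KVM: Vulnerable"*|"Processor vulnerable"*)
            echo vulnerable ;;
        # Buffer clearing is active, but a sibling hyperthread can still
        # observe data (or a guest cannot see the host's SMT state).
        *"SMT vulnerable"*|*"state unknown"*)
            echo partial ;;
        "Mitigation:"*|"KVM: Mitigation:"*)
            echo ok ;;
        *)
            echo unknown ;;
    esac
}

# report [DIR] -> one line per CVE; returns non-zero unless both are "ok".
# DIR defaults to the live sysfs path and can point at a copy for testing.
report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for entry in itlb_multihit:CVE-2018-12207 tsx_async_abort:CVE-2019-11135; do
        file=${entry%%:*}
        cve=${entry#*:}
        if [ -r "$dir/$file" ]; then
            status=$(cat "$dir/$file")
            verdict=$(classify "$status")
        else
            # No entry at all: the running kernel likely lacks the update.
            status="(no $file entry; kernel update probably not installed)"
            verdict=unknown
        fi
        printf '%s %-10s %s\n' "$cve" "$verdict" "$status"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}
```

A `partial` verdict for CVE-2019-11135 is the expected result on hosts that keep the shipped defaults; whether to go further by disabling Hyperthreading or TSX is the environment-specific decision the message leaves to administrators.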