xen (4.11.1+92-g6c33308a8d-1) unstable; urgency=high This update contains the mitigations for the Microarchitectural Data Sampling speculative side channel attacks. Only Intel based processors are affected. Note that these fixes will only have effect when also loading updated cpu microcode with MD_CLEAR functionality. When using the intel-microcode package to include microcode in the dom0 initrd, it has to be loaded by Xen. Please refer to the hypervisor command line documentation about the 'ucode=scan' option. For the fixes to be fully effective, it is currently also needed to disable hyper-threading, which can be done in BIOS settings, or by using smt=no on the hypervisor command line. Additional information is available in the upstream Xen security advisory: https://xenbits.xen.org/xsa/advisory-297.html -- Hans van Kranenburg Tue, 18 Jun 2019 09:50:19 +0200