The security team at FreeBSD has made a patch available for the Spectre & Meltdown vulnerability. Please take the steps necessary to make sure your system is protected. Below you will find the link to the full security announcement.


I.   Background

Many modern processors have implementation issues that allow unprivileged
attackers to bypass user-kernel or inter-process memory access restrictions
by exploiting speculative execution and shared resources (for example,
caches).

II.  Problem Description

A number of issues relating to speculative execution were found last year
and publicly announced January 3rd.  Two of these, known as Meltdown and
Spectre V2, are addressed here.

CVE-2017-5754 (Meltdown)
- ------------------------

This issue relies on an affected CPU speculatively executing instructions
beyond a faulting instruction.  When this happens, changes to architectural
state are not committed, but observable changes may be left in micro-
architectural state (for example, cache).  This may be used to infer
privileged data.

CVE-2017-5715 (Spectre V2)
- --------------------------

Spectre V2 uses branch target injection to speculatively execute kernel code
at an address under the control of an attacker.

III.  Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility, followed
by a reboot into the new kernel:

# freebsd-update fetch
# freebsd-update install
# shutdown -r now

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:03/speculative_execution-amd64-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:03/speculative_execution-amd64-11.patch.asc
# gpg --verify speculative_execution-amd64-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

Official announcement: https://lists.freebsd.org/pipermail/freebsd-announce/2018-March/001824.html