diff --git a/.gitignore b/.gitignore
index 54505c1..1e0ee83 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-SOURCES/microcode-20190618.tar.gz
+SOURCES/06-2d-07
+SOURCES/microcode-20190918.tar.gz
diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata
index 9752458..6623deb 100644
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@@ -1 +1,2 @@
-8484c44d39a2700fb568ccc67a8e1ed8877878a5 SOURCES/microcode-20190618.tar.gz
+bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
+bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
diff --git a/SOURCES/06-2d-07_config b/SOURCES/06-2d-07_config
new file mode 100644
index 0000000..23e1d08
--- /dev/null
+++ b/SOURCES/06-2d-07_config
@@ -0,0 +1,3 @@
+model GenuineIntel 06-2d-07
+path intel-ucode/06-2d-07
+disable early late
diff --git a/SOURCES/06-2d-07_disclaimer b/SOURCES/06-2d-07_disclaimer
new file mode 100644
index 0000000..c8d99c4
--- /dev/null
+++ b/SOURCES/06-2d-07_disclaimer
@@ -0,0 +1,4 @@
+MDS-related microcode update for Intel Sandy Bridge-EP (family 6, model 45,
+stepping 7; CPUID 0x206d7) CPUs is disabled as it may cause system instability.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-2d-07_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
diff --git a/SOURCES/06-2d-07_readme b/SOURCES/06-2d-07_readme
new file mode 100644
index 0000000..bfb8743
--- /dev/null
+++ b/SOURCES/06-2d-07_readme
@@ -0,0 +1,55 @@
+Intel Sandy Bridge-E/EN/EP (SNB-EP, family 6, model 45, stepping 7) has issues
+with MDS-related microcode update that may lead to a system hang after
+a microcode update. In order to address this, microcode update
+to the MDS-related revision 0x718 has been disabled, and the previously
+published microcode revision 0x714 is used by default for the OS-driven
+microcode update.
+
+For the reference, SHA1 checksums of 06-2d-07 microcode files containing
+microcode revisions in question are listed below:
+ * 06-2d-07, revision 0x714: bcf2173cd3dd499c37defbc2533703cfa6ec2430
+ * 06-2d-07, revision 0x718: 837cfebbfc09b911151dfd179082ad99cf87e85d
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version. For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2017-5715 ("Spectre"):
+   https://access.redhat.com/articles/3436091
+ * CVE-2018-3639 ("Speculative Store Bypass"):
+   https://access.redhat.com/articles/3540901
+ * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
+   https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+   ("Microarchitectural Data Sampling"):
+   https://access.redhat.com/articles/4138151
+
+The information regarding enforcing microcode load is provided below.
+
+To enforce usage of this microcode revision, please create a file
+"force-intel-06-2d-07" inside /lib/firmware/<kernel_version> directory,
+run "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware
+directory where microcode will be available for late microcode update,
+and run "dracut -f --kver 3.10.0-862.9.1", so initramfs for this version
+is regenerated and the microcode can be loaded early:
+
+    touch /lib/firmware/3.10.0-862.9.1/force-intel-06-2d-07
+    /usr/libexec/microcode_ctl/update_ucode
+    dracut -f --kver 3.10.0-862.9.1
+
+After that, it is possible to perform a late microcode update by executing
+"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
+"/sys/devices/system/cpu/microcode/reload" directly.
+
+To enforce addition of this microcode for all kernels, please create a file
+"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07", run
+"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
+and "dracut -f --regenerate-all" for enabling early microcode updates:
+
+    mkdir -p /etc/microcode_ctl/ucode_with_caveats
+    touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07
+    /usr/libexec/microcode_ctl/update_ucode
+    dracut -f --regenerate-all
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.
diff --git a/SOURCES/06-4f-01_disclaimer b/SOURCES/06-4f-01_disclaimer
new file mode 100644
index 0000000..d5bc60d
--- /dev/null
+++ b/SOURCES/06-4f-01_disclaimer
@@ -0,0 +1,4 @@
+microcode update for Intel Broadwell-EP/EX (BDX-ML B/M/R0; family 6, model 79,
+stepping 1; CPUID 0x406f1) CPUs is disabled as it may cause system instability.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-4f-01_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
diff --git a/SOURCES/06-4f-01_readme b/SOURCES/06-4f-01_readme
index 740ad18..962c7a6 100644
--- a/SOURCES/06-4f-01_readme
+++ b/SOURCES/06-4f-01_readme
@@ -49,6 +49,7 @@ kernels, please create a file
 "/etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01"
 and run "/usr/libexec/microcode_ctl/update_ucode":
 
+    mkdir -p /etc/microcode_ctl/ucode_with_caveats
     touch /etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01
     /usr/libexec/microcode_ctl/update_ucode
 
@@ -64,10 +65,11 @@ For enforcing early load of this microcode for all kernels, please
 create a file "/etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01"
 and run dracut -f --regenerate-all:
 
+    mkdir -p /etc/microcode_ctl/ucode_with_caveats
     touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01
     dracut -f --regenerate-all
 
-If you want avoid removal of the microcode file during cleanup performed by
+If you want to avoid removal of the microcode file during cleanup performed by
 /usr/libexec/microcode_ctl/update_ucode, please remove the corresponding readme
 file (/lib/firmware/<kernel_version>/readme-intel-06-4f-01).
 
diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats
index 6f98122..0111843 100644
--- a/SOURCES/README.caveats
+++ b/SOURCES/README.caveats
@@ -389,8 +389,8 @@ when a microcode update performed on a kernel that contains those changes.
 As a result, microcode update for this CPU model is disabled by default;
 the microcode file, however, is still shipped as a part of microcode_ctl
 package and can be used for performing a microcode update if it is enforced
-via the aforementioned overridden. (See sections "check_caveats script"
-and "reload_microcode script" for details).
+via the aforementioned overriddes. (See sections "check_caveats script"
+and "reload_microcode script" for details.)
 
 Affected microcode: intel-ucode/06-4f-01.
 
@@ -431,12 +431,28 @@ Minimum versions of the kernel package that contain the fix:
  - RHEL 7.2: 3.10.0-327.73.1
 
 
+Intel Sandy Bridge-E/EN/EP caveat
+---------------------------------
+MDS-related microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP
+(SNB-EP, family 6, model 45, stepping 7) may lead to system instability.
+In order to address this, this microcode update is not used and the previous
+microcode revision is provided instead by default; the microcode file, however,
+is still shipped as part of microcode_ctl package and can be used for performing
+a microcode update if it is enforced via the aforementioned overriddes. (See
+sections "check_caveats script" and "reload_microcode script" for details.)
+
+Affected microcode: intel-ucode/06-2d-07.
+
+Mitigation: previously published microcode revision 0x714 is used by default.
+
+
+
 Additional information
 ======================
-Red Hat provides updated microcode, developed by our microprocessor
-partners, as a customer convenience.  Please contact your hardware vendor
-to determine whether more recent BIOS/firmware updates are recommended
-because additional improvements may be available.
+Red Hat provides updated microcode, developed by its microprocessor partners,
+as a customer convenience.  Please contact your hardware vendor to determine
+whether more recent BIOS/firmware updates are recommended because additional
+improvements may be available.
 
 Information regarding microcode revisions required for mitigating specific
 microarchitectural side-channel attacks is available in the following
diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats
index 93c7406..462d541 100755
--- a/SOURCES/check_caveats
+++ b/SOURCES/check_caveats
@@ -10,8 +10,10 @@
 : ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats}
 
 usage() {
-	echo 'Usage: check_caveats [-e] [-k TARGET_KVER] [-c CONFIG] [-m] [-v]'
+	echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]'
+	echo '                     [-m] [-v]'
 	echo
+	echo '   -d - enables disclaimer printing mode'
 	echo '   -e - check for early microcode load possibility (instead of'
 	echo '        late microcode load)'
 	echo '   -k - target version to check against, $(uname -r) is used'
@@ -178,6 +180,9 @@ fail()
 
 	fail_cfgs="$fail_cfgs $cfg"
 	fail_paths="$fail_paths $cfg_path"
+
+	[ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \
+		|| cat "${dir}/disclaimer"
 }
 
 #check_kver "$@"
@@ -188,11 +193,16 @@ configs=
 kver=$(/bin/uname -r)
 verbose=0
 early_check=0
+print_disclaimers=0
 
 ret=0
 
-while getopts "ek:c:mv" opt; do
+while getopts "dek:c:mv" opt; do
 	case "${opt}" in
+	d)
+		print_disclaimers=1
+		early_check=2
+		;;
 	e)
 		early_check=1
 		;;
@@ -472,6 +482,8 @@ for cfg in $(echo "${configs}"); do
 	ok_paths="$ok_paths $cfg_path"
 done
 
+[ 0 -eq "$print_disclaimers" ] || exit 0
+
 echo "cfgs$ret_cfgs"
 echo "skip_cfgs$skip_cfgs"
 echo "paths$ret_paths"
diff --git a/SOURCES/intel_disclaimer b/SOURCES/intel_disclaimer
new file mode 100644
index 0000000..c4669ba
--- /dev/null
+++ b/SOURCES/intel_disclaimer
@@ -0,0 +1,10 @@
+This kernel doesn't handle early microcode load properly (it tries to load
+microcode even in virtualised environment, which may lead to a panic on some
+hypervisors), thus the microcode files have not been added to the initramfs
+image.  Please update your kernel to one of the following:
+  RHEL 7.5: kernel-3.10.0-862.14.1 or newer;
+  RHEL 7.4: kernel-3.10.0-693.38.1 or newer;
+  RHEL 7.3: kernel-3.10.0-514.57.1 or newer;
+  RHEL 7.2: kernel-3.10.0-327.73.1 or newer.
+Please refer to /usr/share/doc/microcode_ctl/caveats/intel_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
diff --git a/SOURCES/intel_readme b/SOURCES/intel_readme
index ed352e5..de9213d 100644
--- a/SOURCES/intel_readme
+++ b/SOURCES/intel_readme
@@ -18,8 +18,7 @@ If you want to avoid early load of microcode for a specific kernel, please
 create "disallow-early-intel" file inside /lib/firmware/<kernel_version>
 directory and run dracut -f --kver "<kernel_version>":
 
-    touch /lib/firmware/3.10.0-862.9.1/disallow-intel
-    /usr/libexec/microcode_ctl/update_ucode
+    touch /lib/firmware/3.10.0-862.9.1/disallow-early-intel
     dracut -f --kver 3.10.0-862.9.1
 
 If you want to avoid early load of microcode for all kernels, please create
@@ -27,14 +26,13 @@ If you want to avoid early load of microcode for all kernels, please create
 directory and run dracut -f --regenerate-all:
 
     mkdir -p /etc/microcode_ctl/ucode_with_caveats
-    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel
-    dracut -f --kver 3.10.0-862.9.1
+    touch /etc/microcode_ctl/ucode_with_caveats/disallow-early-intel
+    dracut -f --regenerate-all
 
 If you want to enforce early load of microcode for a specific kernel, please
 create "force-early-intel" file inside /lib/firmware/<kernel_version> directory
 and run dracut -f --kver "<kernel_version>":
 
-    modir -p/lib/firmware/3.10.0-862.9.1/
     touch /lib/firmware/3.10.0-862.9.1/force-early-intel
     dracut -f --kver 3.10.0-862.9.1
 
@@ -46,8 +44,9 @@ directory and run dracut -f --kver "<kernel_version>":
     touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel
     dracut -f --regenerate-all
 
-In order to override late load behaviour, the "early" part of file names should
-be replaced with "late" (and there is no need to call dracut in that case).
+In order to override the late load behaviour, the "early" part of file names
+should be replaced with "late" (and there is no need to call dracut
+in that case).
 
 
 Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec
index 78fc18e..90b9620 100644
--- a/SPECS/microcode_ctl.spec
+++ b/SPECS/microcode_ctl.spec
@@ -1,4 +1,4 @@
-%define intel_ucode_version 20190618
+%define intel_ucode_version 20190918
 %define intel_ucode_file_id 28727
 %global debug_package %{nil}
 
@@ -13,13 +13,16 @@
 
 Summary:        CPU microcode updates for Intel x86 processors
 Name:           microcode_ctl
-Version:        %{intel_ucode_version}
-Release:        1%{?dist}
+Version:        20190618
+Release:        1.%{intel_ucode_version}.2%{?dist}
 Epoch:          4
 License:        CC0 and Redistributable, no modification permitted
 URL:            https://downloadcenter.intel.com/download/%{intel_ucode_file_id}/Linux-Processor-Microcode-Data-File
 Source0:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
 
+# (Pre-MDS) revision 0x714 of 06-2d-07 microcode
+Source2:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07
+
 
 # systemd unit
 Source10:       microcode.service
@@ -39,14 +42,28 @@ Source41:       README.caveats
 
 ## Caveats
 # BDW EP/EX
+# https://bugzilla.redhat.com/show_bug.cgi?id=1622180
+# https://bugzilla.redhat.com/show_bug.cgi?id=1623630
+# https://bugzilla.redhat.com/show_bug.cgi?id=1646383
 Source100:      06-4f-01_readme
 Source101:      06-4f-01_config
+Source102:      06-4f-01_disclaimer
 
 # Unsafe early MC update inside VM:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1596627
 Source110:      intel_readme
 Source111:      intel_config
+Source112:      intel_disclaimer
+
+# SNB-EP (CPUID 0x206d7) post-MDS hangs
+# https://bugzilla.redhat.com/show_bug.cgi?id=1758382
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15
+Source120:      06-2d-07_readme
+Source121:      06-2d-07_config
+Source122:      06-2d-07_disclaimer
+
 
+# "Provides:" RPM tags generator
 Source200:      gen_provides.sh
 
 ExclusiveArch:  %{ix86} x86_64
@@ -73,6 +90,10 @@ is no longer used for microcode upload and, as a result, no longer provided.
 %setup -n "Intel-Linux-Processor-Microcode-Data-Files-microcode-%{intel_ucode_version}"
 
 %build
+# replacing SNB-EP (CPUID 0x206d7) microcode with pre-MDS version
+mv intel-ucode/06-2d-07 intel-ucode-with-caveats/
+cp "%{SOURCE2}" intel-ucode/
+
 :
 
 %install
@@ -103,18 +124,21 @@ install "%{SOURCE30}" "%{SOURCE31}" "%{SOURCE32}" \
 ## Documentation
 install -m 755 -d "%{buildroot}/%{_pkgdocdir}/caveats"
 
+# caveats readme
 install "%{SOURCE41}" \
 	-m 644 -t "%{buildroot}/%{_pkgdocdir}/"
 
 # Provide Intel microcode license, as it requires so
 install -m 644 license \
 	"%{buildroot}/%{_pkgdocdir}/LICENSE.intel-ucode"
+
+# Provide release notes for Intel microcode
 install -m 644 releasenote \
 	"%{buildroot}/%{_pkgdocdir}/RELEASE_NOTES.intel-ucode"
 
 # caveats
-install -m 644 "%{SOURCE100}" "%{SOURCE110}" \
-        -t "%{buildroot}/%{_pkgdocdir}/caveats/"
+install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" \
+	-t "%{buildroot}/%{_pkgdocdir}/caveats/"
 
 
 ## Caveat data
@@ -122,9 +146,10 @@ install -m 644 "%{SOURCE100}" "%{SOURCE110}" \
 # BDW caveat
 %define bdw_inst_dir %{buildroot}/%{caveat_dir}/intel-06-4f-01/
 install -m 755 -d "%{bdw_inst_dir}/intel-ucode"
-install -m 644 intel-ucode-with-caveats/* -t "%{bdw_inst_dir}/intel-ucode/"
+install -m 644 intel-ucode-with-caveats/06-4f-01 -t "%{bdw_inst_dir}/intel-ucode/"
 install -m 644 "%{SOURCE100}" "%{bdw_inst_dir}/readme"
 install -m 644 "%{SOURCE101}" "%{bdw_inst_dir}/config"
+install -m 644 "%{SOURCE102}" "%{bdw_inst_dir}/disclaimer"
 
 # Early update caveat
 %define intel_inst_dir %{buildroot}/%{caveat_dir}/intel/
@@ -132,12 +157,15 @@ install -m 755 -d "%{intel_inst_dir}/intel-ucode"
 install -m 644 intel-ucode/* -t "%{intel_inst_dir}/intel-ucode/"
 install -m 644 "%{SOURCE110}" "%{intel_inst_dir}/readme"
 install -m 644 "%{SOURCE111}" "%{intel_inst_dir}/config"
+install -m 644 "%{SOURCE112}" "%{intel_inst_dir}/disclaimer"
 
-
-## Cleanup
-#rm -f intel-ucode-with-caveats/06-4f-01
-#rmdir intel-ucode-with-caveats
-#rm -rf intel-ucode
+# SNB caveat
+%define snb_inst_dir %{buildroot}/%{caveat_dir}/intel-06-2d-07/
+install -m 755 -d "%{snb_inst_dir}/intel-ucode"
+install -m 644 intel-ucode-with-caveats/06-2d-07 -t "%{snb_inst_dir}/intel-ucode/"
+install -m 644 "%{SOURCE120}" "%{snb_inst_dir}/readme"
+install -m 644 "%{SOURCE121}" "%{snb_inst_dir}/config"
+install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer"
 
 
 %post
@@ -145,6 +173,15 @@ install -m 644 "%{SOURCE111}" "%{intel_inst_dir}/config"
 %{update_ucode}
 %{reload_microcode}
 
+# send the message to syslog, so it gets recorded on /var/log
+if [ -e /usr/bin/logger ]; then
+	%{check_caveats} -m -d | /usr/bin/logger -p syslog.notice -t DISCLAIMER
+fi
+# also paste it over dmesg (some customers drop dmesg messages while
+# others keep them into /var/log for the later case, we'll have the
+# disclaimer recorded twice into system logs.
+%{check_caveats} -m -d > /dev/kmsg
+
 exit 0
 
 %posttrans
@@ -260,6 +297,14 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Sun Oct 06 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190618-1.20190918.2
+- Do not update 06-2d-07 (SNB-E/EN/EP) to revision 0x718, use 0x714
+  by default.
+
+* Thu Sep 19 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190618-1.20190918.1
+- Intel CPU microcode update to 20190918 (#1758538).
+- Add new disclaimer, generated based on relevant caveats.
+
 * Wed Jun 19 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190618-1
 - Intel CPU microcode update to 20190618 (#1717240).