Sort of weirds me out that my OS can just silently update my CPU - I didn’t realize I was giving it that level of control… I guess it’s good vs the alternative of no-one actually updating for exploits like this though.
The implication was that you could boot a malicious OS, then boot into a different OS with the same processor and get pwned. As other commenters mentioned, this mechanism doesn't create that risk because the update has to be applied each boot.
https://packages.ubuntu.com/search?keywords=amd64-microcode