Dear Qubes Community,

We have just updated Qubes Security Bulletin (QSB) #37: Information leaks due to processor speculative execution bugs. The text of the main changes is reproduced below. For the full text, please see the complete QSB in the qubes-secpack:

<https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-037-2018.txt>

Learn about the qubes-secpack, including how to obtain, verify, and read it:

<https://www.qubes-os.org/security/pack/>

View all past QSBs:

<https://www.qubes-os.org/security/bulletins/>

View XSA-254 in the XSA Tracker:

<https://www.qubes-os.org/security/xsa/#254>

```
Changelog
==========

2018-01-11: Original QSB published
2018-01-23: Updated mitigation plan to XPTI; added Xen package versions
2018-03-14: Updated package versions with Spectre SP2 mitigations

[...]

(Proper) patching
==================

## Qubes 4.0

[...]

Additionally, Xen provided patches to mitigate Spectre variant 2. While we don't believe this variant is reliably exploitable to obtain sensitive information from other domains, it is possible to use it to help with other attacks inside a domain (such as escaping a web browser sandbox). For this mitigation to be fully effective, updated microcode is required; refer to your BIOS vendor for updates.

The specific packages that contain the XPTI and Spectre variant 2 patches for Qubes 4.0 are as follows:

- Xen packages, version 4.8.3-3

The packages are to be installed in dom0 via the Qubes VM Manager or via the qubes-dom0-update command as follows:

For updates from the stable repository (not immediately available):

    $ sudo qubes-dom0-update

For updates from the security-testing repository:

    $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community.

If you use Anti Evil Maid, you will need to reseal your secret passphrase to new PCR values, as PCR18+19 will change due to the new Xen binaries.

## Qubes 3.2

[...]

Additionally, Xen provided patches to mitigate Spectre variant 2. While we don't believe this variant is reliably exploitable to obtain sensitive information from other domains, it is possible to use it to help with other attacks inside a domain (such as escaping a web browser sandbox). For this mitigation to be fully effective, updated microcode is required; refer to your BIOS vendor for updates.

The specific packages that contain the XPTI and Spectre variant 2 patches for Qubes 3.2 are as follows:

- Xen packages, version 4.6.6-37

[...]
```

This announcement is also available on the Qubes website:

https://www.qubes-os.org/news/2018/03/15/qsb-37-update/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
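After running the update, a dom0 administrator will want to confirm that the Xen package actually meets the version the bulletin names and that the machine has been restarted since, so the patched hypervisor is the one running. The following check script is an added example, not part of the QSB or of Qubes OS tooling; it assumes the hypervisor package is queried as `xen` via rpm, that a Fedora dist tag such as `.fc25` may trail the release number, and that GNU `sort -V` is available.

```shell
#!/bin/sh
# Added example (not Qubes OS code): verify in dom0 that the Xen package carrying the
# XPTI and Spectre variant 2 patches from QSB #37 is installed and already booted.
# Assumptions: package name "xen" (rpm), optional ".fcNN" dist tag, GNU sort -V.

# Minimum patched Xen package version per Qubes release, as listed in the bulletin.
xen_minimum_for_release() {
    case "$1" in
        4.0) echo "4.8.3-3" ;;
        3.2) echo "4.6.6-37" ;;
        *)   return 1 ;;
    esac
}

# version_at_least INSTALLED MINIMUM -> success when INSTALLED >= MINIMUM.
# sort -V compares numeric fields numerically, so 4.8.3-10 ranks above 4.8.3-3.
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# reboot_pending INSTALLTIME BTIME -> success when the package was installed after
# the last boot (epoch seconds), i.e. the old Xen binary is still the one running.
reboot_pending() {
    [ "$1" -gt "$2" ]
}

# check_dom0_xen RELEASE: live check, to be run in dom0 (e.g. check_dom0_xen 4.0).
check_dom0_xen() {
    min=$(xen_minimum_for_release "$1") || { echo "unknown Qubes release: $1"; return 2; }
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' xen | head -n 1) || return 2
    installed=${installed%.fc*}        # drop the Fedora dist tag before comparing
    if ! version_at_least "$installed" "$min"; then
        echo "xen $installed is older than $min: run qubes-dom0-update"; return 1
    fi
    itime=$(rpm -q --qf '%{INSTALLTIME}\n' xen | head -n 1)
    btime=$(awk '/^btime/ {print $2}' /proc/stat)   # kernel boot time, epoch seconds
    if reboot_pending "$itime" "$btime"; then
        echo "xen $installed is installed, but a system restart is still required"; return 1
    fi
    echo "xen $installed is installed and running"
}
```

Anti Evil Maid users should still expect the PCR18+19 reseal the bulletin describes after the restart; this script only checks package version and boot state.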