unsubscribe
Magnus

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, August 1, 2019 9:40 PM, Andrew David Wong <a...@qubes-os.org> wrote:

> Dear Qubes Community,
>
> Fixed packages are now available for Qubes Security Bulletin (QSB) #050:
> Reinstalling a TemplateVM does not reset the private volume.
>
> Instructions for installing the new packages are included in the latest
> version of QSB #050, which is reproduced below.
>
> View QSB #050 in the qubes-secpack:
>
> https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-050-2019.txt
>
> Learn about the qubes-secpack, including how to obtain, verify, and read it:
>
> https://www.qubes-os.org/security/pack/
>
> View all past QSBs:
>
> https://www.qubes-os.org/security/bulletins/
>
>
>
> ---===[ Qubes Security Bulletin #50 ]===---
>
> 2019-08-01
>
>
> Reinstalling a TemplateVM does not reset the private volume
>
> History
> ========
>
> 2019-08-01: Added list of fixed packages and patching instructions
> 2019-07-24: Initial version
>
> Description
> ============
>
> In Qubes OS, we have the ability to reinstall a TemplateVM by running
> `qubes-dom0-update --action=reinstall qubes-template-...` in dom0. [1]
> This is supposed to reset the corresponding TemplateVM to the state of
> the published package, i.e., no local changes should remain.
>
> One uncommon reason to perform such a reinstallation is that you suspect
> that a TemplateVM may be compromised. In such cases, it is very
> important that no local changes persist in order to ensure that the
> TemplateVM is no longer compromised.
>
> Due to a regression in R4.0 [2], however, reinstalling a TemplateVM
> using qubes-dom0-update does not completely reset all local changes to
> that TemplateVM. Although the tool itself and our documentation claim
> that the private volume of the TemplateVM is reset during
> reinstallation, the private volume does not actually get reset. This
> could allow a TemplateVM to remain compromised across a reinstallation
> of that TemplateVM using qubes-dom0-update.
>
> Patching
> =========
>
> The specific packages that resolve the problems discussed in this
> bulletin are as follows:
>
> For Qubes 4.0:
> - qubes-core-admin-client, python3-qubesadmin version 4.0.26
>
> The packages are to be installed in dom0 via the Qubes VM Manager or via
> the qubes-dom0-update command as follows:
>
> For updates from the stable repository (not immediately available):
>   $ sudo qubes-dom0-update
>
> For updates from the security-testing repository:
>   $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing
>
> These packages will migrate from the security-testing repository to the
> current (stable) repository over the next two weeks after being tested
> by the community.
>
> Workaround
> ===========
>
> Independently of patching (see above), the following workaround is
> available:
>
> Rather than using the qubes-dom0-update method of reinstalling a
> TemplateVM, you can instead manually remove the TemplateVM, then install
> it again. Detailed instructions for this manual method are documented
> here:
>
> https://www.qubes-os.org/doc/reinstall-template/#manual-method
>
> Credits
> ========
>
> Thank you to Andrey Bienkowski <hexagonrecurs...@gmail.com> for
> discovering and reporting this issue.
>
> References
> ===========
>
> [1] https://www.qubes-os.org/doc/reinstall-template/
> [2] https://github.com/QubesOS/qubes-core-admin-linux/commit/552fd062ea2bb6c2d05faa1e64e172503cacbdbf#diff-6b87ee5cdb9e63b703415a14e5a505cdL192
>
> --
> The Qubes Security Team
> https://www.qubes-os.org/security/
>
>
> This announcement has also been updated on the Qubes website:
> https://www.qubes-os.org/news/2019/07/24/qsb-050/
>
> ------------------------------------------------------------------------------------------------------------------
>
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org