[qubes-users] [Update] QSB #050: Reinstalling a TemplateVM does not reset the private volume

2019-08-01 Thread Andrew David Wong

Dear Qubes Community,

Fixed packages are now available for Qubes Security Bulletin (QSB) #050:
Reinstalling a TemplateVM does not reset the private volume.

Instructions for installing the new packages are included in the latest
version of QSB #050, which is reproduced below.

View QSB #050 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-050-2019.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

```


 ---===[ Qubes Security Bulletin #50 ]===---

 2019-08-01


  Reinstalling a TemplateVM does not reset the private volume

History
=======

2019-08-01: Added list of fixed packages and patching instructions
2019-07-24: Initial version

Description
===========

In Qubes OS, we have the ability to reinstall a TemplateVM by running
`qubes-dom0-update --action=reinstall qubes-template-...` in dom0. [1]
This is supposed to reset the corresponding TemplateVM to the state of
the published package, i.e., no local changes should remain.

One uncommon reason to perform such a reinstallation is that you suspect
that a TemplateVM may be compromised. In such cases, it is very
important that no local changes persist in order to ensure that the
TemplateVM is no longer compromised.

Due to a regression in R4.0 [2], however, reinstalling a TemplateVM
using qubes-dom0-update does not completely reset all local changes to
that TemplateVM. Although the tool itself and our documentation claim
that the private volume of the TemplateVM is reset during
reinstallation, the private volume does not actually get reset. This
could allow a TemplateVM to remain compromised across a reinstallation
of that TemplateVM using qubes-dom0-update.

Patching
========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes 4.0:
  - qubes-core-admin-client, python3-qubesadmin version 4.0.26

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

Workaround
==========

Independently of patching (see above), the following workaround is
available:

Rather than using the qubes-dom0-update method of reinstalling a
TemplateVM, you can instead manually remove the TemplateVM, then install
it again. Detailed instructions for this manual method are documented
here:

https://www.qubes-os.org/doc/reinstall-template/#manual-method

Credits
=======

Thank you to Andrey Bienkowski for
discovering and reporting this issue.

References
==========

[1] https://www.qubes-os.org/doc/reinstall-template/
[2] https://github.com/QubesOS/qubes-core-admin-linux/commit/552fd062ea2bb6c2d05faa1e64e172503cacbdbf#diff-6b87ee5cdb9e63b703415a14e5a505cdL192

--
The Qubes Security Team
https://www.qubes-os.org/security/
```

This announcement has also been updated on the Qubes website:
https://www.qubes-os.org/news/2019/07/24/qsb-050/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/83cf9e9c-c925-9ec0-b61e-cad9eff917ab%40qubes-os.org.
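
For the Patching section of QSB #050 above, a dom0 check that the two packages named in the bulletin are at version 4.0.26 or later. This is an added example, not part of the bulletin or of Qubes OS; the function names are hypothetical, and it assumes rpm reports plain dotted numeric versions.

```sh
#!/bin/sh
# Added example, not part of QSB #050: report whether dom0 has the fixed packages.
FIXED_VERSION="4.0.26"    # fixed version given in the bulletin for Qubes 4.0
FIXED_PACKAGES="qubes-core-admin-client python3-qubesadmin"

# version_ge A B: succeed when dotted numeric version A is >= B.
# Components are compared as integers, so 4.0.9 sorts below 4.0.26.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}      # a missing component counts as 0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# qsb050_status VERSION: print "fixed", "vulnerable", or "unknown"
# (empty or non-numeric input is never reported as fixed).
qsb050_status() {
    case $1 in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    if version_ge "$1" "$FIXED_VERSION"; then echo fixed; else echo vulnerable; fi
}

# check_dom0: query the RPM database for each package; non-zero if any is not fixed.
check_dom0() {
    rc=0
    for pkg in $FIXED_PACKAGES; do
        if ver=$(rpm -q --qf '%{VERSION}' "$pkg" 2>/dev/null); then
            status=$(qsb050_status "$ver")
        else
            ver="not-installed"; status=unknown
        fi
        printf '%-26s %-14s %s\n' "$pkg" "$ver" "$status"
        if [ "$status" != fixed ]; then rc=1; fi
    done
    return "$rc"
}

# Run the live check only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--check" ]; then check_dom0; fi
```

Run it in dom0 with `--check`; a non-zero exit status means at least one package is still below the fixed version or could not be queried.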


Re: [qubes-users] Qubes-OS compatible SSD SAMSUNG.

2019-08-01 Thread 0brand


> Good morning I have the following doubt:
> 
> The qubes-os operating system is compatible with the following SSD disk 
> models:
> 
> SAMSUNG 860 EVO?
> SAMSUNG 860 QVO?
> SAMSUNG 860 PRO?
> 
> I have directly asked the manufacturer SAMSUNG and he has told me that LINUX 
> is generally compatible, but they have no list of which LINUX distributions 
> are fully compatible.

I used the 860 pro in a previous hardware configuration with no issues.

Regards

0brand


-- 
GPG Public Key: 0x09B31BA99EC051FE
Fingerprint: 4452 4D54 4EB2 53E8 1EE9 223A 09B3 1BA9 9EC0 51FE



[qubes-users] Re: Qubes-OS compatible SSD SAMSUNG.

2019-08-01 Thread brendan . hoar
On Thursday, August 1, 2019 at 7:28:09 AM UTC-4, gerard ribas vicente wrote:
>
> The qubes-os operating system is compatible with the following SSD disk 
> models:
>
> SAMSUNG 860 EVO?
> SAMSUNG 860 QVO?
> SAMSUNG 860 PRO?
>

Generally all contemporary SSDs are compatible. I have used the 860 EVO 
(both SATA and mSATA) successfully. The other two should work fine, as well.

From a performance perspective, I currently avoid the QVO line, which 
utilizes quad-level cells, as they do not meet performance expectations if 
one plans to move a lot of data in and out of the drive regularly. 

Brendan



[qubes-users] Qubes-OS compatible SSD SAMSUNG.

2019-08-01 Thread gerard ribas vicente
Good morning I have the following doubt:

The qubes-os operating system is compatible with the following SSD disk models:

SAMSUNG 860 EVO?
SAMSUNG 860 QVO?
SAMSUNG 860 PRO?

I have directly asked the manufacturer SAMSUNG and he has told me that LINUX is 
generally compatible, but they have no list of which LINUX distributions are 
fully compatible.


Thank you.
