Re: [qubes-users] Re: QSB-067: Multiple RPM vulnerabilities

2021-03-19 Thread Andrew David Wong

On 3/19/21 4:35 PM, Marek Marczykowski-Górecki wrote:

On Fri, Mar 19, 2021 at 03:42:23PM -0700, Andrew David Wong wrote:

On 3/19/21 3:12 PM, Vít Šesták wrote:

It seems to have been fixed now. The dom0 updates have passed. The DomU
Fedora updates have succeeded with updating the macros.qubes file, which is
supposedly the workaround by Qubes team.

Regards,
Vít Šesták 'v6ak'




I now realize that we neglected to state, in the QSB, what the desired
result from updating Fedora-based TemplateVMs and StandaloneVMs should be. I
presume this is it:



  --
          ID: /usr/lib/rpm/macros.d/macros.qubes
    Function: file.managed
      Result: True
     Comment: File /usr/lib/rpm/macros.d/macros.qubes updated
     Started: 
    Duration: 
     Changes:
              --
              diff:
                  New file
  --
          ID: dnf-makecache
    Function: cmd.script
      Result: True
     Comment: DNF cache successfully created
     Started: 
    Duration: 
     Changes:
  --



Marek or Demi, can you confirm?


Yes this seems right (in subsequent runs, the
/usr/lib/rpm/macros.d/macros.qubes state will not have "New file"
comment, but will still have "Result: True").
Below you should also see a summary with "Failed: 0".



Thanks, that is indeed the output I received.

However, on a few update attempts, I saw this:

    Function: cmd.script
      Result: False
     Comment: Could not create DNF metadata cache
     Started: 
    Duration: 
     Changes:
  --
          ID: update
    Function: pkg.uptodate
      Result: False
     Comment: One or more requisite failed: update.qubes-vm.dnf-makecache
     Started: 
    Duration: 
     Changes:
  --

Subsequent attempts were successful (had the expected output), though.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/39c31626-3eb9-60b3-5d99-27fda10c0d2f%40qubes-os.org.
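
A check for the expected result discussed in this message, as an added example that is not part of the original post and is not Qubes or Salt code: it parses Salt state output and reports anything other than the two `Result: True` states plus the `Failed: 0` summary. The sample outputs are constructed from the fields quoted in the thread; the success comment of the `update` state, the layout of the summary block and the function names are assumptions.

```python
import re

# State IDs and functions as quoted in the thread.
MACROS_ID = "/usr/lib/rpm/macros.d/macros.qubes"
MAKECACHE_ID = "dnf-makecache"
EXPECTED = {MACROS_ID: "file.managed", MAKECACHE_ID: "cmd.script"}

FIELD = re.compile(r"^\s*(ID|Function|Result|Comment):\s*(.*)$")
FAILED = re.compile(r"^\s*Failed:\s*(\d+)\s*$")


def parse_states(text):
    """Return (states, failed_count); failed_count is None without a summary."""
    states, current, failed = [], {}, None
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            failed = int(m.group(1))
            continue
        m = FIELD.match(line)
        if not m:
            continue  # separators, Changes/diff lines, timing fields
        key, value = m.group(1), m.group(2).strip()
        if key == "ID" and current:
            states.append(current)  # an ID line starts the next state
            current = {}
        current[key] = value
    if current:
        states.append(current)
    return states, failed


def check_update(text):
    """Return a list of problems; an empty list means the expected result."""
    states, failed = parse_states(text)
    problems = []
    seen = {s.get("ID") for s in states}
    for sid in EXPECTED:
        if sid not in seen:
            problems.append(f"{sid}: state missing from output")
    for s in states:
        sid = s.get("ID", "<no ID>")
        want = EXPECTED.get(sid)
        if want and s.get("Function") != want:
            problems.append(f"{sid}: unexpected function {s.get('Function')}")
        if s.get("Result") != "True":
            problems.append(f"{sid}: Result {s.get('Result')} ({s.get('Comment', '')})")
    if failed is None:
        problems.append("no 'Failed:' summary line found")
    elif failed != 0:
        problems.append(f"summary reports Failed: {failed}")
    return problems


# Constructed sample: the successful run described in the thread.
SUCCESS = """\
----------
          ID: /usr/lib/rpm/macros.d/macros.qubes
    Function: file.managed
      Result: True
     Comment: File /usr/lib/rpm/macros.d/macros.qubes updated
     Changes:
              ----------
              diff:
                  New file
----------
          ID: dnf-makecache
    Function: cmd.script
      Result: True
     Comment: DNF cache successfully created
----------
          ID: update
    Function: pkg.uptodate
      Result: True
     Comment: System is already up-to-date

Summary for local
------------
Succeeded: 3 (changed=1)
Failed:    0
"""

# Constructed sample: the intermittent failure reported in the thread, where
# the failed cache step also fails the dependent "update" state.
FAILURE = """\
----------
          ID: /usr/lib/rpm/macros.d/macros.qubes
    Function: file.managed
      Result: True
     Comment: File /usr/lib/rpm/macros.d/macros.qubes is in the correct state
----------
          ID: dnf-makecache
    Function: cmd.script
      Result: False
     Comment: Could not create DNF metadata cache
----------
          ID: update
    Function: pkg.uptodate
      Result: False
     Comment: One or more requisite failed: update.qubes-vm.dnf-makecache

Summary for local
------------
Succeeded: 1
Failed:    2
"""

if __name__ == "__main__":
    for name, sample in (("success", SUCCESS), ("failure", FAILURE)):
        print(name, check_update(sample) or "OK")
```

A non-empty result for the failure case means the package update state did not run in that VM, so the update should be repeated until the list is empty.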




Re: [qubes-users] Re: QSB-067: Multiple RPM vulnerabilities

2021-03-19 Thread Marek Marczykowski-Górecki

On Fri, Mar 19, 2021 at 03:42:23PM -0700, Andrew David Wong wrote:
> On 3/19/21 3:12 PM, Vít Šesták wrote:
> > It seems to have been fixed now. The dom0 updates have passed. The DomU
> > Fedora updates have succeeded with updating the macros.qubes file, which is
> > supposedly the workaround by Qubes team.
> > 
> > Regards,
> > Vít Šesták 'v6ak'
> > 
> 
> I now realize that we neglected to state, in the QSB, what the desired
> result from updating Fedora-based TemplateVMs and StandaloneVMs should be. I
> presume this is it:
> 
> --
>           ID: /usr/lib/rpm/macros.d/macros.qubes
>     Function: file.managed
>       Result: True
>      Comment: File /usr/lib/rpm/macros.d/macros.qubes updated
>      Started: 
>     Duration: 
>      Changes:
>               --
>               diff:
>                   New file
> --
>           ID: dnf-makecache
>     Function: cmd.script
>       Result: True
>      Comment: DNF cache successfully created
>      Started: 
>     Duration: 
>      Changes:
> --
> 
> Marek or Demi, can you confirm?

Yes this seems right (in subsequent runs, the
/usr/lib/rpm/macros.d/macros.qubes state will not have "New file"
comment, but will still have "Result: True"). 
Below you should also see a summary with "Failed: 0".


-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab


Re: [qubes-users] Re: QSB-067: Multiple RPM vulnerabilities

2021-03-19 Thread Vít Šesták
Thank you, it seems that my update is successful.


On Friday, March 19, 2021 at 11:42:41 PM UTC+1 a...@qubes-os.org wrote:

> P.S. -- Please avoid top-posting, Vít. 
>

Sorry for that, I sometimes forget to remove the quoted text. Anyway, I top 
post only if the quoted text is not important, i.e. when I don't quote 
selectively.

Regards,
Vít Šesták 'v6ak'



Re: [qubes-users] Re: QSB-067: Multiple RPM vulnerabilities

2021-03-19 Thread Andrew David Wong

On 3/19/21 3:12 PM, Vít Šesták wrote:

It seems to have been fixed now. The dom0 updates have passed. The DomU
Fedora updates have succeeded with updating the macros.qubes file, which is
supposedly the workaround by Qubes team.

Regards,
Vít Šesták 'v6ak'



I now realize that we neglected to state, in the QSB, what the desired 
result from updating Fedora-based TemplateVMs and StandaloneVMs should 
be. I presume this is it:


  --
          ID: /usr/lib/rpm/macros.d/macros.qubes
    Function: file.managed
      Result: True
     Comment: File /usr/lib/rpm/macros.d/macros.qubes updated
     Started: 
    Duration: 
     Changes:
              --
              diff:
                  New file
  --
          ID: dnf-makecache
    Function: cmd.script
      Result: True
     Comment: DNF cache successfully created
     Started: 
    Duration: 
     Changes:
  --

Marek or Demi, can you confirm?


P.S. -- Please avoid top-posting, Vít.



On Friday, March 19, 2021 at 1:59:48 PM UTC+1 a...@qubes-os.org wrote:


On 3/19/21 4:41 AM, Vít Šesták wrote:

Hi, I've tried to install the updates. Even after removing systemtap and
when using --clean, I am unable to install it. IIUC, I am trying to install
it too soon:

$ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing --clean
Using sys-firewall as UpdateVM to download updates for Dom0; this may take
some time...
40 files removed
Fedora 25 - x86_64 - Updates 272 kB/s | 24 MB
01:29
Fedora 25 - x86_64 3.6 MB/s | 50 MB
00:14
Qubes Dom0 Repository (updates) 1.3 MB/s | 1.3 MB
00:01
Qubes Dom0 Repository (security-testing) 1.5 MB/s | 3.0 MB
00:02
determining the fastest mirror (14 hosts).. done.-- B/s | 0 B --:--
ETA
Qubes Templates repository 2.2 kB/s | 5.9 kB
00:02
Error:
Problem 1: problem with installed package satyr-0.21-2.fc25.x86_64
- cannot install the best update candidate for package
satyr-0.21-2.fc25.x86_64
- nothing provides librpm.so.8()(64bit) needed by
satyr-0.21-2.1.fc25.x86_64
Problem 2: problem with installed package
qubes-core-dom0-linux-4.0.28-1.fc25.x86_64
- cannot install the best update candidate for package
qubes-core-dom0-linux-4.0.28-1.fc25.x86_64
- nothing provides rpm >= 4.14 needed by
qubes-core-dom0-linux-4.0.29-1.fc25.x86_64
Problem 3: problem with installed package
python3-hawkey-0.6.4-3.fc25.x86_64
- cannot install the best update candidate for package
python3-hawkey-0.6.4-3.fc25.x86_64
- nothing provides librpm.so.8()(64bit) needed by
python3-hawkey-0.6.4-3.1.fc25.x86_64
- nothing provides librpmio.so.8()(64bit) needed by
python3-hawkey-0.6.4-3.1.fc25.x86_64
Problem 4: problem with installed package libsolv-0.6.29-2.fc25.x86_64
- cannot install the best update candidate for package
libsolv-0.6.29-2.fc25.x86_64
- nothing provides librpm.so.8()(64bit) needed by
libsolv-0.6.29-2.1.fc25.x86_64
Problem 5: problem with installed package hawkey-0.6.4-3.fc25.x86_64
- cannot install the best update candidate for package
hawkey-0.6.4-3.fc25.x86_64
- nothing provides librpm.so.8()(64bit) needed by
hawkey-0.6.4-3.1.fc25.x86_64
- nothing provides librpmio.so.8()(64bit) needed by
hawkey-0.6.4-3.1.fc25.x86_64
Problem 6: problem with installed package drpm-0.3.0-3.fc25.x86_64
- cannot install the best update candidate for package
drpm-0.3.0-3.fc25.x86_64
- nothing provides librpm.so.8()(64bit) needed by
drpm-0.3.0-3.1.fc25.x86_64
- nothing provides librpmio.so.8()(64bit) needed by
drpm-0.3.0-3.1.fc25.x86_64
Problem 7: problem with installed package deltarpm-3.6-17.fc25.x86_64
- cannot install the best update candidate for package
deltarpm-3.6-17.fc25.x86_64
- nothing provides librpm.so.8()(64bit) needed by
deltarpm-3.6-17.1.fc25.x86_64
- nothing provides librpmio.so.8()(64bit) needed by
deltarpm-3.6-17.1.fc25.x86_64
Problem 8: problem with installed package
createrepo_c-libs-0.10.0-6.fc25.x86_64
- cannot install the best update candidate for package
createrepo_c-libs-0.10.0-6.fc25.x86_64
- nothing provides librpm.so.8()(64bit) needed by
createrepo_c-libs-0.10.0-6.1.fc25.x86_64
- nothing provides librpmio.so.8()(64bit) needed by
createrepo_c-libs-0.10.0-6.1.fc25.x86_64
Problem 9: problem with installed package createrepo_c-0.10.0-6.fc25.x86_64
- cannot install the best update candidate for package
createrepo_c-0.10.0-6.fc25.x86_64
- nothing provides librpm.so.8()(64bit) needed by
createrepo_c-0.10.0-6.1.fc25.x86_64
- nothing provides librpmio.so.8()(64bit) needed by
createrepo_c-0.10.0-6.1.fc25.x86_64
Problem 10: problem with installed package PackageKit-1.1.5-1.fc25.x86_64
- cannot install the best update candidate for package
PackageKit-1.1.5-1.fc25.x86_64
- nothing provides librpm.so.8()(64bit) needed by
PackageKit-1.1.5-1.1.fc25.x86_64
- nothing provides librpmio.so.8()(64bit) needed by
PackageKit-1.1.5-1.1.fc25.x86_64
Problem 11: problem with installed package
python2-deltarpm-3.6-17.fc25.x86_64
- cannot install the best update candidate for package

Re: [qubes-users] Re: QSB-067: Multiple RPM vulnerabilities

2021-03-19 Thread Vít Šesták
It seems to have been fixed now. The dom0 updates have passed. The DomU 
Fedora updates have succeeded with updating the macros.qubes file, which is 
supposedly the workaround by Qubes team.

Regards,
Vít Šesták 'v6ak'

On Friday, March 19, 2021 at 1:59:48 PM UTC+1 a...@qubes-os.org wrote:

> On 3/19/21 4:41 AM, Vít Šesták wrote:
> > Hi, I've tried to install the updates. Even after removing systemtap and
> > when using --clean, I am unable to install it. IIUC, I am trying to install
> > it too soon:
> > 
> > $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing --clean
> > Using sys-firewall as UpdateVM to download updates for Dom0; this may take
> > some time...
> > 40 files removed
> > Fedora 25 - x86_64 - Updates 272 kB/s | 24 MB
> > 01:29
> > Fedora 25 - x86_64 3.6 MB/s | 50 MB
> > 00:14
> > Qubes Dom0 Repository (updates) 1.3 MB/s | 1.3 MB
> > 00:01
> > Qubes Dom0 Repository (security-testing) 1.5 MB/s | 3.0 MB
> > 00:02
> > determining the fastest mirror (14 hosts).. done.-- B/s | 0 B --:--
> > ETA
> > Qubes Templates repository 2.2 kB/s | 5.9 kB
> > 00:02
> > Error:
> > Problem 1: problem with installed package satyr-0.21-2.fc25.x86_64
> > - cannot install the best update candidate for package
> > satyr-0.21-2.fc25.x86_64
> > - nothing provides librpm.so.8()(64bit) needed by
> > satyr-0.21-2.1.fc25.x86_64
> > Problem 2: problem with installed package
> > qubes-core-dom0-linux-4.0.28-1.fc25.x86_64
> > - cannot install the best update candidate for package
> > qubes-core-dom0-linux-4.0.28-1.fc25.x86_64
> > - nothing provides rpm >= 4.14 needed by
> > qubes-core-dom0-linux-4.0.29-1.fc25.x86_64
> > Problem 3: problem with installed package
> > python3-hawkey-0.6.4-3.fc25.x86_64
> > - cannot install the best update candidate for package
> > python3-hawkey-0.6.4-3.fc25.x86_64
> > - nothing provides librpm.so.8()(64bit) needed by
> > python3-hawkey-0.6.4-3.1.fc25.x86_64
> > - nothing provides librpmio.so.8()(64bit) needed by
> > python3-hawkey-0.6.4-3.1.fc25.x86_64
> > Problem 4: problem with installed package libsolv-0.6.29-2.fc25.x86_64
> > - cannot install the best update candidate for package
> > libsolv-0.6.29-2.fc25.x86_64
> > - nothing provides librpm.so.8()(64bit) needed by
> > libsolv-0.6.29-2.1.fc25.x86_64
> > Problem 5: problem with installed package hawkey-0.6.4-3.fc25.x86_64
> > - cannot install the best update candidate for package
> > hawkey-0.6.4-3.fc25.x86_64
> > - nothing provides librpm.so.8()(64bit) needed by
> > hawkey-0.6.4-3.1.fc25.x86_64
> > - nothing provides librpmio.so.8()(64bit) needed by
> > hawkey-0.6.4-3.1.fc25.x86_64
> > Problem 6: problem with installed package drpm-0.3.0-3.fc25.x86_64
> > - cannot install the best update candidate for package
> > drpm-0.3.0-3.fc25.x86_64
> > - nothing provides librpm.so.8()(64bit) needed by
> > drpm-0.3.0-3.1.fc25.x86_64
> > - nothing provides librpmio.so.8()(64bit) needed by
> > drpm-0.3.0-3.1.fc25.x86_64
> > Problem 7: problem with installed package deltarpm-3.6-17.fc25.x86_64
> > - cannot install the best update candidate for package
> > deltarpm-3.6-17.fc25.x86_64
> > - nothing provides librpm.so.8()(64bit) needed by
> > deltarpm-3.6-17.1.fc25.x86_64
> > - nothing provides librpmio.so.8()(64bit) needed by
> > deltarpm-3.6-17.1.fc25.x86_64
> > Problem 8: problem with installed package
> > createrepo_c-libs-0.10.0-6.fc25.x86_64
> > - cannot install the best update candidate for package
> > createrepo_c-libs-0.10.0-6.fc25.x86_64
> > - nothing provides librpm.so.8()(64bit) needed by
> > createrepo_c-libs-0.10.0-6.1.fc25.x86_64
> > - nothing provides librpmio.so.8()(64bit) needed by
> > createrepo_c-libs-0.10.0-6.1.fc25.x86_64
> > Problem 9: problem with installed package createrepo_c-0.10.0-6.fc25.x86_64
> > - cannot install the best update candidate for package
> > createrepo_c-0.10.0-6.fc25.x86_64
> > - nothing provides librpm.so.8()(64bit) needed by
> > createrepo_c-0.10.0-6.1.fc25.x86_64
> > - nothing provides librpmio.so.8()(64bit) needed by
> > createrepo_c-0.10.0-6.1.fc25.x86_64
> > Problem 10: problem with installed package PackageKit-1.1.5-1.fc25.x86_64
> > - cannot install the best update candidate for package
> > PackageKit-1.1.5-1.fc25.x86_64
> > - nothing provides librpm.so.8()(64bit) needed by
> > PackageKit-1.1.5-1.1.fc25.x86_64
> > - nothing provides librpmio.so.8()(64bit) needed by
> > PackageKit-1.1.5-1.1.fc25.x86_64
> > Problem 11: problem with installed package
> > python2-deltarpm-3.6-17.fc25.x86_64
> > - cannot install the best update candidate for package
> > python2-deltarpm-3.6-17.fc25.x86_64
> > - package python2-deltarpm-3.6-17.1.fc25.x86_64 requires deltarpm(x86-64)
> > = 3.6-17.1.fc25, but none of the providers can be installed
> > - nothing provides librpm.so.8()(64bit) needed by
> > deltarpm-3.6-17.1.fc25.x86_64
> > - nothing provides librpmio.so.8()(64bit) needed by
> > deltarpm-3.6-17.1.fc25.x86_64
> > (try to add '--skip-broken' to skip uninstallable packages)
> > 
> > Regards,
> > 

[qubes-users] Sunday March 21 - Free talk about Qubes-based SecureDrop Workstation at LibrePlanet

2021-03-19 Thread Michael Carbone

https://libreplanet.org/2021/speakers/#4819

SecureDrop is a whistleblowing platform originally created in 2012 for 
journalists to accept leaked documents safely from anonymous sources. 
It's used by dozens of news organizations including The Guardian, The 
Washington Post and The New York Times.


This talk introduces the SecureDrop Workstation, the next-generation 
platform aimed at helping journalists communicate with sources in a 
high-security environment.


Based on Qubes OS, the SecureDrop Workstation leverages Xen hypervisor 
isolation to manage sensitive source material safely, including viewing, 
archiving, and processing documents. The talk will review the results of 
the recent security audit focusing on the Workstation, and outline 
future directions for the project as it approaches general availability.


--
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS 

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4
my.pronoun.is/they



Re: [qubes-users] Networking issue with sys-whonix, missing vif*

2021-03-19 Thread 'awokd' via qubes-users

Vladimir Lushnikov:

Hello,

Since updating to latest Whonix 15/Qubes R4.1, I am having issues with
sys-whonix not bringing up the virtual interfaces for downstream VMs
correctly. I could find nothing conclusive in the bug tracker but am
hesitant to raise it on qubes-issue in case it only affects me.

The symptoms are as follows:

* AppVMs connected to sys-whonix do not get networking
* There is an incorrect nameserver specified in the AppVM
/etc/resolv.conf (the IP does not match the IP of sys-whonix)
* There are no vif* interfaces in sys-whonix, or they are down and have
no IP address
* There are errors in the logs of sys-whonix like:


Was this a fresh install of R4.1? If so, an issue would probably be the 
best course of action since it's not released yet, so might not have 
been widely encountered. If you upgraded by some other means, try 
uninstalling the various Whonix templates & VMs and reinstalling via the 
Salt commands documented on the Whonix website.


--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots



Re: [qubes-users] Re: QSB-067: Multiple RPM vulnerabilities

2021-03-19 Thread Andrew David Wong

On 3/19/21 4:41 AM, Vít Šesták wrote:

Hi, I've tried to install the updates. Even after removing systemtap and
when using --clean, I am unable to install it. IIUC, I am trying to install
it too soon:

$ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing --clean
Using sys-firewall as UpdateVM to download updates for Dom0; this may take
some time...
40 files removed
Fedora 25 - x86_64 - Updates                    272 kB/s |  24 MB     01:29
Fedora 25 - x86_64                              3.6 MB/s |  50 MB     00:14
Qubes Dom0 Repository (updates)                 1.3 MB/s | 1.3 MB     00:01
Qubes Dom0 Repository (security-testing)        1.5 MB/s | 3.0 MB     00:02
determining the fastest mirror (14 hosts).. done.--  B/s |   0  B     --:-- ETA
Qubes Templates repository                      2.2 kB/s | 5.9 kB     00:02
Error:
  Problem 1: problem with installed package satyr-0.21-2.fc25.x86_64
   - cannot install the best update candidate for package
satyr-0.21-2.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by
satyr-0.21-2.1.fc25.x86_64
  Problem 2: problem with installed package
qubes-core-dom0-linux-4.0.28-1.fc25.x86_64
   - cannot install the best update candidate for package
qubes-core-dom0-linux-4.0.28-1.fc25.x86_64
   - nothing provides rpm >= 4.14 needed by
qubes-core-dom0-linux-4.0.29-1.fc25.x86_64
  Problem 3: problem with installed package
python3-hawkey-0.6.4-3.fc25.x86_64
   - cannot install the best update candidate for package
python3-hawkey-0.6.4-3.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by
python3-hawkey-0.6.4-3.1.fc25.x86_64
   - nothing provides librpmio.so.8()(64bit) needed by
python3-hawkey-0.6.4-3.1.fc25.x86_64
  Problem 4: problem with installed package libsolv-0.6.29-2.fc25.x86_64
   - cannot install the best update candidate for package
libsolv-0.6.29-2.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by
libsolv-0.6.29-2.1.fc25.x86_64
  Problem 5: problem with installed package hawkey-0.6.4-3.fc25.x86_64
   - cannot install the best update candidate for package
hawkey-0.6.4-3.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by
hawkey-0.6.4-3.1.fc25.x86_64
   - nothing provides librpmio.so.8()(64bit) needed by
hawkey-0.6.4-3.1.fc25.x86_64
  Problem 6: problem with installed package drpm-0.3.0-3.fc25.x86_64
   - cannot install the best update candidate for package
drpm-0.3.0-3.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by
drpm-0.3.0-3.1.fc25.x86_64
   - nothing provides librpmio.so.8()(64bit) needed by
drpm-0.3.0-3.1.fc25.x86_64
  Problem 7: problem with installed package deltarpm-3.6-17.fc25.x86_64
   - cannot install the best update candidate for package
deltarpm-3.6-17.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by
deltarpm-3.6-17.1.fc25.x86_64
   - nothing provides librpmio.so.8()(64bit) needed by
deltarpm-3.6-17.1.fc25.x86_64
  Problem 8: problem with installed package
createrepo_c-libs-0.10.0-6.fc25.x86_64
   - cannot install the best update candidate for package
createrepo_c-libs-0.10.0-6.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by
createrepo_c-libs-0.10.0-6.1.fc25.x86_64
   - nothing provides librpmio.so.8()(64bit) needed by
createrepo_c-libs-0.10.0-6.1.fc25.x86_64
  Problem 9: problem with installed package createrepo_c-0.10.0-6.fc25.x86_64
   - cannot install the best update candidate for package
createrepo_c-0.10.0-6.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by
createrepo_c-0.10.0-6.1.fc25.x86_64
   - nothing provides librpmio.so.8()(64bit) needed by
createrepo_c-0.10.0-6.1.fc25.x86_64
  Problem 10: problem with installed package PackageKit-1.1.5-1.fc25.x86_64
   - cannot install the best update candidate for package
PackageKit-1.1.5-1.fc25.x86_64
   - nothing provides librpm.so.8()(64bit) needed by
PackageKit-1.1.5-1.1.fc25.x86_64
   - nothing provides librpmio.so.8()(64bit) needed by
PackageKit-1.1.5-1.1.fc25.x86_64
  Problem 11: problem with installed package
python2-deltarpm-3.6-17.fc25.x86_64
   - cannot install the best update candidate for package
python2-deltarpm-3.6-17.fc25.x86_64
   - package python2-deltarpm-3.6-17.1.fc25.x86_64 requires deltarpm(x86-64)
= 3.6-17.1.fc25, but none of the providers can be installed
   - nothing provides librpm.so.8()(64bit) needed by
deltarpm-3.6-17.1.fc25.x86_64
   - nothing provides librpmio.so.8()(64bit) needed by
deltarpm-3.6-17.1.fc25.x86_64
(try to add '--skip-broken' to skip uninstallable packages)

Regards,
Vít Šesták 'v6ak'



Yes, I'm seeing the same thing. I have already notified the team 
directly about this.




On Friday, March 19, 2021 at 11:40:02 AM UTC+1 a...@qubes-os.org wrote:


Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 067: Multiple RPM
vulnerabilities. The text of this QSB is reproduced below. This QSB and
its accompanying signatures will always be available in the Qubes
Security Pack (qubes-secpack).

View QSB-067 in the qubes-secpack:


Re: [qubes-users] HCL - Lenovo P14s (AMD Ryzen 7 Pro 4750U)

2021-03-19 Thread Josef Johansson
Hi,

I applied clocksource=tsc tsc=unstable hpetbroadcast=0 
https://github.com/QubesOS/qubes-issues/issues/6055 to my grub xen cmdline 
and the laptop is smooth as butter and really fast.
No need for dom0_max_vcpus=2 or dom0_vcpus_pin.

Managed to get the webcam working as well.

I'm quite satisfied with the 2xDP dongle so won't test out MST further, it 
may or may not work.

It's a TPM 2.0 chipset which needs secure boot to work. I don't have the 
time to work that out, so maybe TPM works? :) I will try in XEN 4.15 :)

Most function keys work (it seems that disable wifi does not work), not 
sure how to test F10-F12 (phone-related and bookmark?)

Backlight on keyboard works.

Quite satisfied, the machine is _fast_.
On Thursday, 18 March 2021 at 17:50:39 UTC+1 sv...@svensemmler.org wrote:

> Hi Josef,
>
> thank you for sending your HCL report. It is now part of this pull request:
>
> https://github.com/QubesOS/qubes-hcl/pull/53
>
> ... and will be merged into the website soon.
>
> /Sven
>
> -- 
> public key: https://www.svensemmler.org/0x8F541FB6.asc
> fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6
>
>



[qubes-users] Re: QSB-067: Multiple RPM vulnerabilities

2021-03-19 Thread Vít Šesták
Hi, I've tried to install the updates. Even after removing systemtap and 
when using --clean, I am unable to install it. IIUC, I am trying to install 
it too soon:

$ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing --clean
Using sys-firewall as UpdateVM to download updates for Dom0; this may take 
some time...
40 files removed
Fedora 25 - x86_64 - Updates                    272 kB/s |  24 MB     01:29
Fedora 25 - x86_64                              3.6 MB/s |  50 MB     00:14
Qubes Dom0 Repository (updates)                 1.3 MB/s | 1.3 MB     00:01
Qubes Dom0 Repository (security-testing)        1.5 MB/s | 3.0 MB     00:02
determining the fastest mirror (14 hosts).. done.--  B/s |   0  B     --:-- ETA
Qubes Templates repository                      2.2 kB/s | 5.9 kB     00:02
Error: 
 Problem 1: problem with installed package satyr-0.21-2.fc25.x86_64
  - cannot install the best update candidate for package 
satyr-0.21-2.fc25.x86_64
  - nothing provides librpm.so.8()(64bit) needed by 
satyr-0.21-2.1.fc25.x86_64
 Problem 2: problem with installed package 
qubes-core-dom0-linux-4.0.28-1.fc25.x86_64
  - cannot install the best update candidate for package 
qubes-core-dom0-linux-4.0.28-1.fc25.x86_64
  - nothing provides rpm >= 4.14 needed by 
qubes-core-dom0-linux-4.0.29-1.fc25.x86_64
 Problem 3: problem with installed package 
python3-hawkey-0.6.4-3.fc25.x86_64
  - cannot install the best update candidate for package 
python3-hawkey-0.6.4-3.fc25.x86_64
  - nothing provides librpm.so.8()(64bit) needed by 
python3-hawkey-0.6.4-3.1.fc25.x86_64
  - nothing provides librpmio.so.8()(64bit) needed by 
python3-hawkey-0.6.4-3.1.fc25.x86_64
 Problem 4: problem with installed package libsolv-0.6.29-2.fc25.x86_64
  - cannot install the best update candidate for package 
libsolv-0.6.29-2.fc25.x86_64
  - nothing provides librpm.so.8()(64bit) needed by 
libsolv-0.6.29-2.1.fc25.x86_64
 Problem 5: problem with installed package hawkey-0.6.4-3.fc25.x86_64
  - cannot install the best update candidate for package 
hawkey-0.6.4-3.fc25.x86_64
  - nothing provides librpm.so.8()(64bit) needed by 
hawkey-0.6.4-3.1.fc25.x86_64
  - nothing provides librpmio.so.8()(64bit) needed by 
hawkey-0.6.4-3.1.fc25.x86_64
 Problem 6: problem with installed package drpm-0.3.0-3.fc25.x86_64
  - cannot install the best update candidate for package 
drpm-0.3.0-3.fc25.x86_64
  - nothing provides librpm.so.8()(64bit) needed by 
drpm-0.3.0-3.1.fc25.x86_64
  - nothing provides librpmio.so.8()(64bit) needed by 
drpm-0.3.0-3.1.fc25.x86_64
 Problem 7: problem with installed package deltarpm-3.6-17.fc25.x86_64
  - cannot install the best update candidate for package 
deltarpm-3.6-17.fc25.x86_64
  - nothing provides librpm.so.8()(64bit) needed by 
deltarpm-3.6-17.1.fc25.x86_64
  - nothing provides librpmio.so.8()(64bit) needed by 
deltarpm-3.6-17.1.fc25.x86_64
 Problem 8: problem with installed package 
createrepo_c-libs-0.10.0-6.fc25.x86_64
  - cannot install the best update candidate for package 
createrepo_c-libs-0.10.0-6.fc25.x86_64
  - nothing provides librpm.so.8()(64bit) needed by 
createrepo_c-libs-0.10.0-6.1.fc25.x86_64
  - nothing provides librpmio.so.8()(64bit) needed by 
createrepo_c-libs-0.10.0-6.1.fc25.x86_64
 Problem 9: problem with installed package createrepo_c-0.10.0-6.fc25.x86_64
  - cannot install the best update candidate for package 
createrepo_c-0.10.0-6.fc25.x86_64
  - nothing provides librpm.so.8()(64bit) needed by 
createrepo_c-0.10.0-6.1.fc25.x86_64
  - nothing provides librpmio.so.8()(64bit) needed by 
createrepo_c-0.10.0-6.1.fc25.x86_64
 Problem 10: problem with installed package PackageKit-1.1.5-1.fc25.x86_64
  - cannot install the best update candidate for package 
PackageKit-1.1.5-1.fc25.x86_64
  - nothing provides librpm.so.8()(64bit) needed by 
PackageKit-1.1.5-1.1.fc25.x86_64
  - nothing provides librpmio.so.8()(64bit) needed by 
PackageKit-1.1.5-1.1.fc25.x86_64
 Problem 11: problem with installed package 
python2-deltarpm-3.6-17.fc25.x86_64
  - cannot install the best update candidate for package 
python2-deltarpm-3.6-17.fc25.x86_64
  - package python2-deltarpm-3.6-17.1.fc25.x86_64 requires deltarpm(x86-64) 
= 3.6-17.1.fc25, but none of the providers can be installed
  - nothing provides librpm.so.8()(64bit) needed by 
deltarpm-3.6-17.1.fc25.x86_64
  - nothing provides librpmio.so.8()(64bit) needed by 
deltarpm-3.6-17.1.fc25.x86_64
(try to add '--skip-broken' to skip uninstallable packages)

Regards,
Vít Šesták 'v6ak'


On Friday, March 19, 2021 at 11:40:02 AM UTC+1 a...@qubes-os.org wrote:

> Dear Qubes Community,
>
> We have just published Qubes Security Bulletin (QSB) 067: Multiple RPM
> vulnerabilities. The text of this QSB is reproduced below. This QSB and
> its accompanying signatures will always be available in the Qubes
> Security Pack (qubes-secpack).
>
> View QSB-067 in the qubes-secpack:
>
> https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-067-2021.txt
>
> 

Re: [qubes-users] Survey from HackerNCoder: Colors in QubesOS

2021-03-19 Thread hackerncoder

On 3/16/21 6:48 PM, tetrahedra via qubes-users wrote:

On Mon, Mar 15, 2021 at 10:16:04PM +, hackerncoder wrote:
I have created a survey about colors in Qubes, to help understand 
users: Are there too many colors? Too few? What do users associate 
with the colors? what are they used for?


There wasn't any space in the survey for general comments, so let me say 
here: more colors, please! 


Well.. Yes, that is one of the things this study is trying to figure 
out. If people want more or less or what.


I find it makes the most sense to be able to 
isolate *both* by threat level and theme, and there simply aren't enough 
colors to do that.


I can say (which I really shouldn't, but I just cannot not do it, 
because... yes. Anyways, there is a month until this survey ends, it can 
very well change from what I am about to write) that most others agree 
that there are too few colors.


Colors are not just about preventing one VM from pretending to be 
another VM.


Colors also really help prevent *user error*, where you accidentally 
confuse e.g your chat window with Mom with the chat window you use for 
communicating with journalistic sources -- and end up asking Mom to get 
undercover footage from North Korea. Woops!




I'll note that one down.

HackerNCoder
--
Please don't send me proprietary formats.



[qubes-users] QSB-067: Multiple RPM vulnerabilities

2021-03-19 Thread Andrew David Wong

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 067: Multiple RPM
vulnerabilities. The text of this QSB is reproduced below. This QSB and
its accompanying signatures will always be available in the Qubes
Security Pack (qubes-secpack).

View QSB-067 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-067-2021.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

```


 ---===[ Qubes Security Bulletin 067 ]===---

 2021-03-19


 Multiple RPM vulnerabilities


User action required
====================

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.0:
  - rpm 4.14.2.1 (plus rebuilt packages to link with the new rpm)
  - qubes-core-dom0-linux 4.0.29
  - qubes-mgmt-salt-dom0-update 4.0.10

  For Qubes 4.1:
  - qubes-core-dom0-linux 4.1.10
  - qubes-mgmt-salt-dom0-update 4.1.6

The packages are to be installed in dom0 via the Qubes Update tool [4]
or via the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

After installing the updates in dom0, it is necessary to install updates
in Fedora-based TemplateVMs and StandaloneVMs. This can be
done via the Qubes Update tool [4] or using qubesctl (salt) as follows:

  $ sudo qubesctl --skip-dom0 --templates --standalones state.sls update.qubes-vm


These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.


Summary
=======

Demi M. Obenour has discovered several issues in the RPM package
manager:

- CVE-2021-20271[1] RPM: Signature checks bypass via corrupted RPM
  package
- CVE-2021-3421[2] RPM: unsigned signature header leads to string
  injection into an RPM database
- CVE-2021-20266[3] RPM: missing length checks in hdrblobInit()

These issues allow an attacker who controls packages the user downloads
to inject malicious content that, under some conditions, may not be
detected by signature verification. Specifically, they allow the
attacker to modify parts of the package header that are not protected by
the signature and that are later integrated into the RPM database. This
allows for corrupting the RPM database and preventing further updates of
select packages.  In the case of Fedora TemplateVMs, this also allows
for arbitrary code execution.

The CVE-2021-20271 exploit takes advantage of multiple headers in the
RPM package format. In a proper RPM package, the signature is placed in
a separate header (called the "signature header") and, if present, is
verified by librpm when loading the file (according to the requested
verification level). An RPM package also contains a "main header" that
includes all the other package metadata. The main header is protected by
a signature in the signature header. The payload is protected either by
a signature in the signature header or by a SHA-256 hash located in the
main header. The ability to distinguish between these two headers is
available to librpm internals but not to external librpm users.

A malformed package may contain a signature in the main header instead
of the signature header. Librpm will reject such a package only if a
strict signature check was requested. Otherwise, it will treat the
package as unsigned. DNF, on the other hand, has no way to check whether
the signature was in the correct header.  It will load the package and,
seeing a signature, will assume that it was verified by librpm. This
allows for bypassing package signature verification.

The other bugs (CVE-2021-20266, CVE-2021-3421) concern incorrect parsing
of the signature header (which, while it contains the signature, is
itself unsigned). These bugs lead either to crashing or to corrupting
the RPM database (if such a malformed package is installed).

While Fedora will release its own patches in due course, we apply a
mitigation that prevents the privilege escalation aspect of these
issues. We configure RPM to always verify package signatures, even if a
higher level package manager (like DNF) does not explicitly request it.
This way, bypassing the signature check in DNF is not enough to
compromise an entire TemplateVM. Note that this change also prevents the
installation of unsigned RPM packages, even when explicitly requested.
See the "Side effects" section below.

For the dom0 aspect of these issues in Qubes 4.0, we update RPM to a
version that is not vulnerable. We have decided to update to the next
major version of RPM (from 4.13 to 4.14). This is because, besides the
security fix itself (which could be