Is Qubes vulnerable to CVE-2018-3620?


Sphere

Aug 14, 2018, 10:33:09 PM
to qubes-users
https://www.bleepingcomputer.com/news/security/researchers-disclose-new-foreshadow-l1tf-vulnerabilities-affecting-intel-cpus/

There are other vulnerabilities disclosed along with this today and if possible, I would like to confirm that as well.

On a side note, I have long disabled Hyperthreading on my machine.

Sphere

Aug 14, 2018, 10:38:10 PM
to qubes-users
CVE-2018-3646 in particular is alarming:
"The third flaw, CVE-2018-3646, has a CVSS Base Score of 7.1 and enables bad actors to attack virtual machines (VM), via virtualization software and Virtual Machine Monitors (VMMs) running on Intel processors. A malicious guest VM could infer the values of data in the VMM’s memory."

Could potentially allow Untrusted VMs to attack safe VMs but I don't know for sure whether or not Qubes mitigates this.

Andrew David Wong

Aug 15, 2018, 4:58:53 AM
to Sphere, qubes-users
CVE-2018-3620 and CVE-2018-3646 are XSA-273 [1], which was released
yesterday without embargo. We won't have an official statement about
whether or how this affects Qubes until the Qubes Security Team (QST)
has had a chance to assess it. Both members of the QST are currently out
of the office (completely offline, one on sabbatical and one on
vacation), with one scheduled to return at the end of the month, so
that's probably the earliest we'll know.

XSAs 268-273 were all publicly released on 2018-08-14. 268-272 went
through the normal predisclosure process, so the QST was able to
evaluate them before they left. Consequently, we've published official
statements regarding XSAs 268-272. [2][3] By contrast, XSA-273 skipped
predisclosure, so the QST didn't get a chance to see it before they
left.

[1] https://xenbits.xen.org/xsa/advisory-273.html
[2] https://www.qubes-os.org/news/2018/08/14/qsb-42/
[3] https://www.qubes-os.org/news/2018/08/14/xsa-268-269-271-272-qubes-not-affected/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Rusty Bird

Aug 15, 2018, 8:50:28 AM
to Sphere, qubes-users
Sphere:
To me as a layman, it looks like Qubes is indeed vulnerable to the
XSA-273 data leak, and that fixing it involves

1. disabling hyperthreading (by adding smt=off to the Xen command line)
2. AND upgrading Intel microcode to 20180807
3. AND upgrading Xen

There's a pull request* for the new microcode package. As for Xen, the
XSA says they're "not supplying separate patches because the changes
have many complicated prerequisites", and their d95b5bb commit on the
staging-4.8 branch is 42 patches ahead of RELEASE-4.8.4... :\

Rusty


* https://github.com/QubesOS/qubes-intel-microcode/pull/2

Sphere

Aug 15, 2018, 9:49:13 PM
to qubes-users

I have hyperthreading disabled on my BIOS, do I still have to add that option to Xen command line?
By pull request, you mean it's still being grabbed for use and installation using qubes-dom0-update, right?
As for Xen updates, welp we have no choice but to wait for that I suppose.

Chris Laprise

Aug 15, 2018, 11:15:49 PM
to Sphere, qubes-users
On 08/15/2018 08:40 AM, Rusty Bird wrote:
> Sphere:
>> https://www.bleepingcomputer.com/news/security/researchers-disclose-new-foreshadow-l1tf-vulnerabilities-affecting-intel-cpus/
>>
>> There are other vulnerabilities disclosed along with this today and
>> if possible, I would like to confirm that as well.
>>
>> On a side note, I have long disabled Hyperthreading on my machine.
>
> To me as a layman, it looks like Qubes is indeed vulnerable to the
> XSA-273 data leak, and that fixing it involves
>
> 1. disabling hyperthreading (by adding smt=off to the Xen command line)
> 2. AND upgrading Intel microcode to 20180807

On #2, assuming Intel has still abandoned Ivy Bridge and earlier CPUs, I
wonder if this makes the CoreBoot targeted systems essentially
unsafe/unusable.

Very bad.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Rusty Bird

Aug 16, 2018, 5:50:41 AM
to Sphere, qubes-users
Sphere:
> I have hyperthreading disabled on my BIOS, do I still have to add
> that option to Xen command line?

Disabling it in the BIOS is okay too, according to the XSA.

> By pull request you mean, it's still being grabbed for use and
> installation using qubes-dom0-update right?

Yes, the official microcode package for qubes-dom0-update hasn't been
built/uploaded yet. You could build it yourself with qubes-builder
(after applying the patch from the GitHub pull request), but I think
it's pointless as long as there's no updated Xen package to actually
use the new L1D_FLUSH microcode instruction.

Rusty
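The three pieces Rusty lists in his first reply (SMT off, the L1D_FLUSH microcode, and a Xen that actually uses it) can be audited from text dom0 already produces. The script below is an added example, not code from this thread or from the Qubes or Xen projects; it assumes the "Speculative mitigation facilities" banner in `xl dmesg` and the `threads_per_core` field of `xl info`, and the sample inputs at the bottom are constructed, so compare the grep patterns with your own banner before relying on them.

```shell
#!/bin/sh
# Added example (not from the thread, Qubes or Xen): audit the XSA-273
# mitigation pieces from two texts dom0 already gives you, e.g.
#   l1tf_status "$(xl dmesg)" "$(xl info)"
# The banner samples below are constructed and only loosely follow Xen's
# "Speculative mitigation facilities" boot log; verify the patterns locally.

# Microcode step: the CPU advertises L1D_FLUSH in the hardware features line.
has_l1d_flush_hw() {
    printf '%s\n' "$1" | grep -q 'Hardware features:.*L1D_FLUSH'
}

# Xen step: the (patched) hypervisor reports that it uses L1D_FLUSH itself.
xen_uses_l1d_flush() {
    printf '%s\n' "$1" | grep -q 'Xen settings:.*L1D_FLUSH'
}

# SMT step: threads_per_core is 1 whether HT was turned off in the BIOS
# or (on a Xen build that supports it) with smt=off on the command line.
smt_disabled() {
    tpc=$(printf '%s\n' "$1" | sed -n 's/^threads_per_core *: *//p')
    [ "${tpc:-0}" -eq 1 ]
}

# Prints "mitigated" only when all three hold, otherwise "missing:" + gaps.
l1tf_status() {
    banner=$1; info=$2; gaps=""
    has_l1d_flush_hw "$banner" || gaps="$gaps microcode"
    xen_uses_l1d_flush "$banner" || gaps="$gaps xen"
    smt_disabled "$info" || gaps="$gaps smt"
    if [ -z "$gaps" ]; then echo mitigated; else echo "missing:$gaps"; fi
}

# Constructed samples: an unpatched host with HT on, and a fully updated one.
SAMPLE_BANNER_OLD='(XEN) Speculative mitigation facilities:
(XEN)   Hardware features: IBRS/IBPB STIBP
(XEN)   Xen settings: BTI-Thunk RETPOLINE, Other: IBPB'
SAMPLE_INFO_HT='threads_per_core       : 2'
SAMPLE_BANNER_NEW='(XEN) Speculative mitigation facilities:
(XEN)   Hardware features: IBRS/IBPB STIBP L1D_FLUSH
(XEN)   Xen settings: BTI-Thunk RETPOLINE, Other: IBPB L1D_FLUSH'
SAMPLE_INFO_NOHT='threads_per_core       : 1'

l1tf_status "$SAMPLE_BANNER_OLD" "$SAMPLE_INFO_HT"     # missing: microcode xen smt
l1tf_status "$SAMPLE_BANNER_NEW" "$SAMPLE_INFO_NOHT"   # mitigated
```

A host that shows L1D_FLUSH only under "Hardware features" has the microcode but not the Xen that drives it, which is the gap Rusty's second reply describes.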

Rusty Bird

Aug 16, 2018, 6:04:45 AM
to Chris Laprise, Sphere, qubes-users
Chris Laprise:
> On 08/15/2018 08:40 AM, Rusty Bird wrote:
> > To me as a layman, it looks like Qubes is indeed vulnerable to the
> > XSA-273 data leak, and that fixing it involves
> >
> > 1. disabling hyperthreading (by adding smt=off to the Xen command line)
> > 2. AND upgrading Intel microcode to 20180807
>
> On #2, assuming Intel has still abandoned Ivy Bridge and earlier CPUs, I
> wonder if this makes the CoreBoot targeted systems essentially
> unsafe/unusable.

Apparently, there are microcode updates for Ivy Bridge (page 10) and
even Sandy Bridge (page 14):

https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf

> Very bad.

Maybe slightly less so. :)

Rusty

Rusty Bird

Aug 26, 2018, 8:48:54 AM
to Sphere, qubes-users
Rusty Bird:
> To me as a layman, it looks like Qubes is indeed vulnerable to the
> XSA-273 data leak, and that fixing it involves
>
> 1. disabling hyperthreading (by adding smt=off to the Xen command line)
> 2. AND upgrading Intel microcode to 20180807
> 3. AND upgrading Xen

https://groups.google.com/d/msg/qubes-users/v5UPnWmnzJY/WG9lmyxYAgAJ

=> There's no point in manually adding the smt=off parameter - Qubes'
latest Xen 4.8.4-1 package doesn't support it yet, and I imagine the
next package version is going to add it automatically.

Rusty

Andrew David Wong

Sep 1, 2018, 11:40:14 PM
to Sphere, qubes-users
On 2018-08-15 03:58, Andrew David Wong wrote:
> On 2018-08-14 21:38, Sphere wrote:
>> CVE-2018-3646 in particular is alarming:
>> "The third flaw, CVE-2018-3646, has a CVSS Base Score of 7.1 and enables bad actors to attack virtual machines (VM), via virtualization software and Virtual Machine Monitors (VMMs) running on Intel processors. A malicious guest VM could infer the values of data in the VMM’s memory."
>
>> Could potentially allow Untrusted VMs to attack safe VMs but I don't know for sure whether or not Qubes mitigates this.
>
>
> CVE-2018-3620 and CVE-2018-3646 are XSA-273 [1], which was released
> yesterday without embargo. We won't have an official statement about
> whether or how this affects Qubes until the Qubes Security Team (QST)
> has had a chance to assess it. Both members of the QST are currently out
> of the office (completely offline, one on sabbatical and one on
> vacation), with one scheduled to return at the end of the month, so
> that's probably the earliest we'll know.
>
> XSAs 268-273 were all publicly released on 2018-08-14. 268-272 went
> through the normal predisclosure process, so the QST was able to
> evaluate them before they left. Consequently, we've published official
> statements regarding XSAs 268-272. [2][3] By contrast, XSA-273 skipped
> predisclosure, so the QST didn't get a chance to see it before they
> left.
>
> [1] https://xenbits.xen.org/xsa/advisory-273.html
> [2] https://www.qubes-os.org/news/2018/08/14/qsb-42/
> [3] https://www.qubes-os.org/news/2018/08/14/xsa-268-269-271-272-qubes-not-affected/
>

Update:

We have now published QSB #43: L1 Terminal Fault speculative side
channel (XSA-273).

https://www.qubes-os.org/news/2018/09/02/qsb-43/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


