Question about Xen sandbox escape from Oct 2015


danmich...@gmail.com

Jun 30, 2016, 12:42:10 AM6/30/16
to qubes-users
I have a question about the Xen sandbox escape from Oct 2015

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt

I am running Qubes 3.0.

Qubes 3.0 was released Oct 1 2015.

The Xen glitch was Oct 29 2015.

Does this mean that Qubes 3.0 does not come shipped with the patch, and that I have to manually patch this myself?

Or is Qubes 3.0 safe?

I downloaded and installed Qubes 3.0 just a few days ago.. using it for the very first time.

Andrew David Wong

Jun 30, 2016, 1:06:00 AM6/30/16
to danmich...@gmail.com, qubes-users
You can (and should) download the patched packages by updating dom0,
as explained here:

https://www.qubes-os.org/doc/software-update-dom0/

After updating dom0, you should have Xen version 4.4.3-8 (or higher).
You can verify this by typing the following command into a dom0
terminal:

sudo yum info xen

Check the "Version" and "Release" lines. If "Version" is higher than
4.4.3, you're fine. If it's exactly 4.4.3, check "Release." If
"Release" is "8.fc20" or higher (i.e., the first number is a number
higher than 8), you're fine.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
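The version rule in the reply above, as an added example that is not part of the thread: a small Python check that parses the Version and Release lines from `yum info xen` output and applies the "newer than 4.4.3, or exactly 4.4.3 with release 8.fc20 or higher" test numerically (a plain string comparison would wrongly rank release 11.fc20 below 8.fc20). The sample output and the function names are constructed for illustration.

```python
import re

# Fix level stated in the reply: Xen 4.4.3 with release 8.fc20 or higher.
FIXED_VERSION = "4.4.3"
FIXED_RELEASE = "8.fc20"


def _parts(s):
    """Split '4.4.3' or '11.fc20' into comparable pieces (ints where numeric)."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.split(r"[.\-]", s)]


def version_at_least(have, want):
    """Numeric comparison of dotted version/release strings."""
    return _parts(have) >= _parts(want)


def parse_yum_info(text):
    """Return (version, release) from the first package block in `yum info` output.

    Stops after both fields are seen so a later 'Available Packages' block
    does not overwrite the installed package's values.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(Version|Release)\s*:\s*(\S+)", line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2)
        if len(fields) == 2:
            break
    return fields.get("Version"), fields.get("Release")


def xen_is_patched(version, release):
    """Apply the rule from the reply: Version above 4.4.3 is fine; exactly
    4.4.3 needs Release 8.fc20 or higher; anything else needs a dom0 update."""
    if version is None or release is None:
        return False
    if _parts(version) > _parts(FIXED_VERSION):
        return True
    if _parts(version) == _parts(FIXED_VERSION):
        return version_at_least(release, FIXED_RELEASE)
    return False


# Constructed sample of `yum info xen` output (not captured from a real dom0).
SAMPLE = """Installed Packages
Name        : xen
Arch        : x86_64
Version     : 4.4.3
Release     : 11.fc20
"""

if __name__ == "__main__":
    v, r = parse_yum_info(SAMPLE)
    print(v, r, "patched" if xen_is_patched(v, r) else "update dom0")
```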

danmich...@gmail.com

Jun 30, 2016, 1:29:31 AM6/30/16
to qubes-users, danmich...@gmail.com
OK....

Version: 4.4.3
Release: 11.fc20

So I am OK.

Does QUBES 3.0 come with the patched version though... Have the devs updated the ISO so that it comes patched..?

Or am I patched because I did a dom0 update..?

Thanks

Marek Marczykowski-Górecki

Jun 30, 2016, 5:13:23 AM6/30/16
to danmich...@gmail.com, qubes-users

On Wed, Jun 29, 2016 at 10:29:31PM -0700, danmich...@gmail.com wrote:
> OK....
>
> Version: 4.4.3
> Release: 11.fc20
>
> So I am OK.
>
> Does QUBES 3.0 come with the patched version though... Have the devs updated the ISO so that it comes patched..?

No, the ISO stays as is from the time of the release. It is always a
good idea to install updates just after installation.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

danmich...@gmail.com

Jun 30, 2016, 5:48:17 PM6/30/16
to qubes-users, danmich...@gmail.com
Wow... so the ISO doesn't get patched...? Wow...

Surely there should be a BIG warning on the Qubes downloads page... saying, WARNING! Xen in QUBES 3.0 allows full sandbox escape..! Update your software IMMEDIATELY after downloading, before doing anything else...!!

It really surprises me that there isn't such a big warning, given the severity of this Xen bug... Wow...

raah...@gmail.com

Jun 30, 2016, 9:07:53 PM6/30/16
to qubes-users, danmich...@gmail.com

I think people concerned about their security know to update before doing anything else.
