Xen.org has announced a bunch of security advisories (XSA 52-54, XSA 57,
see ) affecting the Xen hypervisor, some of which apply to Qubes OS
Release 1 and Release 2 as well.
While the impact of the XSA 52-54 does not seem to be so problematic in
practice, the XSA 57 seems to allow for much more serious attacks, and
so users are recommended to apply the patches as soon a possible.
We have uploaded the patched Xen packages for Qubes Release 1 (version
4.1.5-1), as well as for the latest Qubes R2 Beta 2 (version 4.1.5-4).
In order to update your system use the following command from Dom0 console:
A system restart will be required afterwards.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR14 will change because of a new
This is not the first time when the overly-complex permission system
strikes back and causes more harm than good. Xen has also some history
of bugs in their XSM infrastructure, another form of (unnecessary?)
permission system framework. The very xenstore permission system also
tricked us (Qubes Developers) in the past as seen in this commit: