Qubes Security Bulletin #27


Marek Marczykowski-Górecki
Nov 22, 2016, 7:45:18 AM
to qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Qubes users,

We have just released a new Qubes Security Bulletin (QSB #27):

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-027-2016.txt

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYND3YAAoJENuP0xzK19csVFQH/ibnWivjFtupgu7DmHmX24ct
zMfX0bpSGNkf7G82yhnybddiLndKToOf3kaHJuXcF+ZERgWjhvq6ZBCGsJuMciet
rjlzjnFTJPb5s6YPQrhf0yTRQQULBuRZgk6z9Wl8CN/iuu8FwNcXpze1qNQgeSH4
LBtX+ND7ibtYJdwwLWWhLm7FmlWF0GqBVXnrGaEED6w+c6mGl4GcgTh7pE3UnOEA
DhWQS49SmdF5tMU8/RWlj6buTewq46DQ8grHimak5P8fuyBOi09+adz+fGVQG861
sQlMGNCWk360fCwpRV/0OpCLxU1UDJJEGLIUSt/rCGq911fsnHW4I6FpjepxW8s=
=SVQX
-----END PGP SIGNATURE-----

Jean-Philippe Ouellet
Nov 22, 2016, 8:39:27 AM
to Marek Marczykowski-Górecki, qubes-devel
The xen-hypervisor package needs to have better EFI-awareness added to
its postinstall scriptlet, similar to the kernel packages which use
efibootmgr.

As it is right now, it assumes EFI users also use grub, but my system does not.

By simply installing the package and rebooting, I end up booting the
old version:
[user@dom0 ~]$ rpm -q xen
xen-4.6.3-22.fc23.x86_64
[user@dom0 ~]$ xl dmesg | head -1
Xen 4.6.1-20.fc23

Marek Marczykowski-Górecki
Nov 22, 2016, 8:42:06 AM
to Jean-Philippe Ouellet, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Tue, Nov 22, 2016 at 08:39:00AM -0500, Jean-Philippe Ouellet wrote:
> The xen-hypervisor package needs to have better EFI-awareness added to
> its postinstall scriptlet, similar to the kernel packages which use
> efibootmgr.
>
> As it is right now, it assumes EFI users also use grub, but my system does not.

Hmm, I already have a fix for it locally, but forgot to push it to this
package version...

Should be in a few minutes (xen-4.6.3-23.fc23.x86_64).

> By simply installing the package and rebooting, I end up booting the
> old version:
> [user@dom0 ~]$ rpm -q xen
> xen-4.6.3-22.fc23.x86_64
> [user@dom0 ~]$ xl dmesg | head -1
> Xen 4.6.1-20.fc23

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYNEsqAAoJENuP0xzK19cs2L8H/2fUswQtq5mB9OkyYoZ6y0ir
A8xJsP9NBA4WMrNWdcVGYaq8zEA/Z/mOVgNG6W+EyHxUVuNKjuHTllT1TVHMnAmC
0uqcUpyOtP1WhEAqhIIfURoC4dN7hBZ/5SA3laPh6V+SyY2/1VfAWLzSfJ12BFsi
LQxtt/K5xH2fkym6N35jjO+n+g4Q3UVGKJuY4OLDXFJ2ZtvWMcGgy9fWfvIHliCd
LDgqYhqELU8jG/tUfRgIxpoYxDwELwr6fF178s5ARJ0S6SJ01L5oJwpJ8d+Ap59j
nye+DjM0wh8At6deMOjoPlztOYW/vhiBu3eZXXbiepNglrEh39xD9DbAZ4JI12Y=
=/oOz
-----END PGP SIGNATURE-----

Jean-Philippe Ouellet
Nov 22, 2016, 8:54:55 AM
to Marek Marczykowski-Górecki, qubes-devel
On Tue, Nov 22, 2016 at 8:42 AM, Marek Marczykowski-Górecki
<marm...@invisiblethingslab.com> wrote:
>> As it is right now, it assumes EFI users also use grub, but my system does not.
>
> Hmm, I have already fix for it locally, but forgot to push to this
> package version...
>
> Should be in a few minutes (xen-4.6.3-23.fc23.x86_64).

Ah, I see it in there, but if you are referring only to
b6c42560a8a36d6f88dd395701cd958a9d2ab8a3, then it does not appear to
be correct because the path it gets is relative to the root of the EFI
partition, and then it tries to use that as a path relative to the
root of the mounted filesystem (missing /boot/efi prefix), which
fails.

Will leave comments on github.
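The path mix-up described above, as an added shell example that is not code from the xen-hypervisor package, from the commit referenced, or from either participant: efibootmgr reports the loader path relative to the root of the EFI System Partition (ESP), with backslashes, while from dom0 that file is only reachable under the ESP mount point. The example assumes the ESP is mounted at /boot/efi (overridable via ESP_MOUNT), uses a constructed `efibootmgr -v` line, and shows the unprefixed interpretation next to the prefixed one, plus a sysfs-based check for whether the running system booted via UEFI at all.

```shell
#!/bin/sh
# Added example (not the package's scriptlet): resolve an ESP-relative loader
# path reported by efibootmgr to a path on the mounted filesystem.

ESP_MOUNT="${ESP_MOUNT:-/boot/efi}"   # assumption: where dom0 mounts the ESP

# Convert an ESP-relative loader path ("\EFI\qubes\xen.efi") into an absolute
# path under the ESP mount point. Prints the result on stdout.
esp_to_fs_path() {
    esp_path="$1"
    # Backslashes become slashes; any leading slash is dropped so that the
    # mount point can be prepended cleanly.
    rel=$(printf '%s' "$esp_path" | tr '\\' '/' | sed 's|^/*||')
    printf '%s/%s\n' "${ESP_MOUNT%/}" "$rel"
}

# The mistaken interpretation: treating the ESP-relative path as if it were
# relative to "/". Shown only for contrast; this path does not exist on dom0.
esp_path_without_prefix() {
    printf '%s\n' "$1" | tr '\\' '/'
}

# Returns 0 when the running system booted via UEFI: the kernel exposes
# /sys/firmware/efi only on EFI boots. EFI_SYSFS_DIR is an override so the
# check can be exercised on a non-EFI machine (assumption, not a real knob).
booted_via_efi() {
    [ -d "${EFI_SYSFS_DIR:-/sys/firmware/efi}" ]
}

# Constructed approximation of one "efibootmgr -v" boot entry; the loader
# path is the File(...) component at the end of the device path.
SAMPLE_EFIBOOTMGR_LINE='Boot0001* Qubes HD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)/File(\EFI\qubes\xen.efi)'

# Extract the File(...) loader path from an efibootmgr -v entry line.
loader_path_from_entry() {
    printf '%s\n' "$1" | sed -n 's|.*/File(\([^)]*\)).*|\1|p'
}

# What a post-install step would want to do before trusting a reboot:
# resolve the loader path with the ESP prefix and verify the file exists.
# Returns 0 when present, 1 otherwise.
check_loader_present() {
    fs_path=$(esp_to_fs_path "$1")
    [ -f "$fs_path" ]
}

main() {
    loader=$(loader_path_from_entry "$SAMPLE_EFIBOOTMGR_LINE")
    echo "efibootmgr reports loader: $loader"
    echo "wrong (no ESP prefix):     $(esp_path_without_prefix "$loader")"
    echo "correct (ESP prefix):      $(esp_to_fs_path "$loader")"
    if booted_via_efi; then
        echo "system booted via UEFI; loader path must be checked under $ESP_MOUNT"
    else
        echo "system did not boot via UEFI (no /sys/firmware/efi)"
    fi
}

main
```

Run as-is on dom0 the script only prints the resolved paths; `check_loader_present` is the function a scriptlet would call before assuming the new hypervisor binary is in place.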

Andrew Clausen
Nov 22, 2016, 8:57:29 AM
to Marek Marczykowski-Górecki, qubes-devel
Hi all,

Are the conversations between the Qubes and Xen people publicly available?

In particular, I'd like to understand better why instruction emulation
is required for PV and HVM virtualization.

Does this announcement mean that the plan to move to HVM domains in
Qubes 4.0 will only give minimal security benefits?

Kind regards,
Andrew


qubenix
Nov 22, 2016, 11:58:41 AM
to qubes...@googlegroups.com
Marek Marczykowski-Górecki:
> Dear Qubes users,
>
> We have just released a new Qubes Security Bulletin (QSB #27):
>
> https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-027-2016.txt
>

There is a typo on line 71: `gust` should be `guest`.

--
qubenix
GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500

Konstantin Ryabitsev
Nov 22, 2016, 1:07:19 PM
to qubes-devel
On Tue, Nov 22, 2016 at 01:45:10PM +0100, Marek Marczykowski-Górecki wrote:
> Dear Qubes users,
>
> We have just released a new Qubes Security Bulletin (QSB #27):
>
> https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-027-2016.txt

Would it be possible to include the contents of QSBs into the body of
the email in the future? The github blob is very hard to read on a
mobile device with limited resolution.

Best,
-K

Andrew David Wong
Nov 22, 2016, 1:29:55 PM
to qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 11/22/16 10:07, Konstantin Ryabitsev wrote:
> On Tue, Nov 22, 2016 at 01:45:10PM +0100, Marek Marczykowski-Górecki wrote:
>> Dear Qubes users,
>>
>> We have just released a new Qubes Security Bulletin (QSB #27):
>>
>> https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-027-2016.txt
>
> Would it be possible to include the contents of QSBs into the body of
> the email in the future?

I think the reason for this is so that there's only one location where
any corrections, edits, and re-signings have to be made.

> The github blob is very hard to read on a
> mobile device with limited resolution.
>

Since the QSB is just a plain text file, it should be easy to read on any
device. Try viewing the "raw" version instead:

https://raw.githubusercontent.com/QubesOS/qubes-secpack/master/QSBs/qsb-027-2016.txt

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Konstantin Ryabitsev
Nov 22, 2016, 2:53:51 PM
to Andrew David Wong, qubes-devel
On Tue, Nov 22, 2016 at 09:41:34AM -0800, Andrew David Wong wrote:
> Since the QSB is just a plain text file, it should be easy to read on any
> device. Try viewing the "raw" version instead:
>
> https://raw.githubusercontent.com/QubesOS/qubes-secpack/master/QSBs/qsb-027-2016.txt

Yes, the raw view works much better than blob view.

-K

Andrew David Wong
Nov 22, 2016, 4:51:25 PM
to qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 11/22/16 09:41, Andrew David Wong wrote:
> On 11/22/16 10:07, Konstantin Ryabitsev wrote:
>> On Tue, Nov 22, 2016 at 01:45:10PM +0100, Marek Marczykowski-Górecki wrote:
>>> Dear Qubes users,
>>>
>>> We have just released a new Qubes Security Bulletin (QSB #27):
>>>
>>> https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-027-2016.txt
>
>> Would it be possible to include the contents of QSBs into the body of
>> the email in the future?
>
> I think the reason for this is so that there's only one location where
> any corrections, edits, and re-signings have to be made.
>
>> The github blob is very hard to read on a
>> mobile device with limited resolution.
>
>
> Since the QSB is just a plain text file, it should be easy to read on any
> device. Try viewing the "raw" version instead:
>
> https://raw.githubusercontent.com/QubesOS/qubes-secpack/master/QSBs/qsb-027-2016.txt
>

Nonetheless, there's something to be said for using electronic mail to send the
actual message rather than just a URI. Perhaps a good solution to this would be to
have a "QSB template" that includes the necessary disclaimers along with the text
of the QSB itself (at the time). It could also serve the positive purpose of
informing recipients about QSBs and the Qubes Security Pack more generally. I'll
work up a template for future use.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Patrick Schleizer
Nov 23, 2016, 1:20:19 AM
to qubes...@googlegroups.com
Marek Marczykowski-Górecki:
> Dear Qubes users,
>
> We have just released a new Qubes Security Bulletin (QSB #27):
>
> https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-027-2016.txt
>
>

Tested. Works for me.

Cheers,
Patrick

Dimitri
Nov 29, 2016, 3:32:56 PM
to qubes-devel
I installed the patch from security-testing repo shortly after it was published (on November 22). Sadly my computer did not reboot properly afterwards.
The last output I could see was: Reached target Paths
Then it hung and I did not know better than re-installing Qubes.
Does somebody know how to track down this error? Interesting log files in case this happens again?

Thanks