Qubes OS – Telegram
Qubes OS
A reasonably secure operating system for personal computers.

Qubes-OS.org

⚠️ This channel is updated when the developers publish an announcement for the project.

[Community-run channel]

Help?
English: @QubesChat

German: @QubesOS_user_de

Comment on What’s New in the Xen Project Hypervisor 4.11 by Re-engineering Xen: The important open-source hypervisor gets remodeled - IT AND US
https://blog.xenproject.org/2018/07/10/whats-new-in-the-xen-project-hypervisor-4-11/#comment-521

[…] VM products from Citrix, Huawei, Inspur, and Oracle. But, with the release of its latest edition, Xen Project Hypervisor 4.11, there are major changes under the […]
Comment on What’s New in the Xen Project Hypervisor 4.11 by Re-engineering Xen: The important open-source hypervisor gets remodeled | BuzzNews10
https://blog.xenproject.org/2018/07/10/whats-new-in-the-xen-project-hypervisor-4-11/#comment-522

[…] from Citrix, Huawei, Inspur, and Oracle. However, with the discharge of its newest version, Xen Project Hypervisor 4.11, there are main adjustments underneath the […]
Comment on What’s New in the Xen Project Hypervisor 4.11 by Re-engineering Xen: The important open-source hypervisor gets remodeled | Longevity Technology
https://blog.xenproject.org/2018/07/10/whats-new-in-the-xen-project-hypervisor-4-11/#comment-523

[…] VM products from Citrix, Huawei, Inspur, and Oracle. But, with the release of its latest edition, Xen Project Hypervisor 4.11, there are major changes under the […]
Comment on Xen Project 4.7.6 is available! by Xen four.eleven debuts new ‘PVH’ guest kind, for the sake of security • The Register - Servers Maintenance
https://blog.xenproject.org/2018/07/09/xen-project-4-7-6-is-available/#comment-524

[…] wait around, there’s a lot more! The Xen Task on Monday released Xen four.seven.6, a maintenance launch that fixes 21 security concerns and one hundred eighty other […]
Comment on Xen Project 4.7.6 is available! by Xen 4.11 debuts new ‘PVH’ guest type, for the sake of security • The Register - RareTechNews
https://blog.xenproject.org/2018/07/09/xen-project-4-7-6-is-available/#comment-525

[…] wait, there’s more! The Xen Project on Monday released Xen 4.7.6, a maintenance release that fixes 21 security issues and 180 other issues. Downloads and […]
Xen Project 4.8.4 is available!
https://blog.xenproject.org/2018/07/12/xen-project-4-8-4-is-available/

I am pleased to announce the release of Xen 4.8.4. Xen Project maintenance releases are released in line with our Maintenance Release Policy. We recommend that all users of the 4.8 stable series update to the latest point release. The release is available from its git repositories xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.8 (tag RELEASE-4.8.4) or from the Xen […]
Xen Project Hypervisor: Virtualization and Power Management are Coalescing into an Energy-Aware Hypervisor
https://blog.xenproject.org/2018/07/12/xen-project-hypervisor-virtualization-and-power-management-are-coalescing-into-an-energy-aware-hypervisor/

Power management in the Xen Project Hypervisor has historically targeted server applications, improving power consumption and heat management in data centers and thereby reducing electricity and cooling costs. In the embedded space, the Xen Project Hypervisor faces very different applications, architectures and power-related requirements, which focus on battery life, heat, and size. Although the same fundamental principles […]
Xen Project Hypervisor Power Management: Suspend-to-RAM on Arm Architectures
https://blog.xenproject.org/2018/07/19/xen-project-hypervisor-power-management-suspend-to-ram-on-arm-architectures/

This is the second part of the Xen Project Hypervisor series on power management. The first article focused on how virtualization and power management are coalescing into an energy-aware hypervisor. In this post, the focus is on a project that was started to lay the foundation for full-scale power management for applications involving the Xen […]
Comment on What’s New in the Xen Project Hypervisor 4.11 by Xen Hypervisor 4.11 Released, New Browsh Text-Based Browser, Finney Cryptocurrency Phone, GNOME Hiring and More | Linux Admins – News and Blog
https://blog.xenproject.org/2018/07/10/whats-new-in-the-xen-project-hypervisor-4-11/#comment-528

[…] Xen Hypervisor 4.11 was released yesterday. In this release “PVH Dom0 support is now available as experimental feature and […]
XSA-274 does not affect the security of Qubes OS
https://www.qubes-os.org/news/2018/07/25/xsa-274-qubes-not-affected/

The Xen Project has published Xen Security Advisory 274 (XSA-274). This
XSA does not affect the security of Qubes OS, and no user action is
necessary.

This XSA has been added to the XSA Tracker (https://www.qubes-os.org/security/xsa/):

https://www.qubes-os.org/security/xsa/#274
A Recap of the Xen Project Developer and Design Summit: Community Health, Development Trends, Coding Changes and More
https://blog.xenproject.org/2018/07/27/a-recap-of-the-xen-project-developer-and-design-summit-community-health-development-trends-coding-changes-and-more/

We were extremely thrilled to host our Xen Project Developer and Design Summit in Nanjing Jiangning, China this June. The event brought together our community and power users under one roof to collaborate and to learn more about the future of our project. It also gave us the opportunity to connect with a large group […]
Killing Processes that Don’t Want to be Killed
https://blog.xenproject.org/2018/08/01/killing-processes-that-dont-want-to-be-killed/

This article originally appeared on lwn.net. Suppose you have a program running on your system that you don’t quite trust. Maybe it’s a program submitted by a student to an automated grading system. Or maybe it’s a QEMU device model running in a Xen control domain (“domain 0” or “dom0”), and you want to make sure […]
[Video] Micah Lee presents Qubes OS at HOPE 2018
https://www.qubes-os.org/news/2018/08/03/micah-lee-hope-conf-2018/

Micah Lee (https://micahflee.com/), a long-time Qubes advocate (https://www.qubes-os.org/experts/), presented Qubes OS: The Operating System That Can Protect You Even If You Get Hacked (https://www.hope.net/schedule.html#-qubes-os-the-operating-system-that-can-protect-you-even-if-you-get-hacked-) at the Circle of HOPE (https://www.hope.net/index.html) conference, which took place July 20-22, 2018 in New York City. A video recording of Micah’s presentation is available here (https://livestream.com/internetsociety2/hope/videos/178431606).
Whonix 14 has been released
https://www.qubes-os.org/news/2018/08/07/whonix-14-has-been-released/

After more than two years of development, the Whonix Project is proud
to announce the release of Whonix 14.

Whonix 14 is based on the Debian stretch (Debian 9) distribution, which
was released in June 2017. This means users have access to many new
software packages in concert with existing packages, such as a modern
branch of GnuPG, and more. [1 (https://www.debian.org/News/2017/20170617)][2 (https://www.debian.org/releases/stable/amd64/release-notes/)][3 (https://www.debian.org/releases/stable/i386/release-notes/)]

Major Changes and New Features

Whonix 14 contains extensive security and usability improvements, new
features and bug fixes. For a detailed description of these and other
changes, please refer to the official release notes. [4 (https://whonix.org/wiki/Whonix_Release_Notes#Whonix_14)]

- Rebased Whonix on Debian stretch (Debian 9).
- Whonix 14 is 64-bit (amd64) only; 32-bit (i386) images will no
  longer be built and made available for download. [5]
- The new Anon Connection Wizard [6 (https://whonix.org/wiki/Anon_Connection_Wizard)] feature in Whonix simplifies
  connections to the Tor network via a Tor bridge and/or a proxy.
- The Tor pluggable transport meek_lite [7 (https://www.whonix.org/blog/meek_lite-whonix-14)] is now supported,
  making it much easier to connect to the Tor network in heavily
  censored areas, like China. [8 (https://github.com/Yawning/obfs4/commit/611205be681322883a4d73dd00fcb13c4352fe53)]
- Onion Circuits (the onioncircuits package) is installed by default in Whonix. [9 (https://packages.debian.org/stretch/onioncircuits)]
- Tails’ onion-grater program has been implemented to enable
  OnionShare, Ricochet and ZeroNet compatibility with Whonix. [10 (https://phabricator.whonix.org/T657)]
- Onion sources are now preferred for Whonix updates/upgrades for
  greater security.
- Reduced the size of the default binary Whonix images by
  approximately 35 per cent using zerofree. [11 (https://phabricator.whonix.org/T790)] [12]
- Updated Tor to the 0.3.3.7 (stable) release, which enables full v3
  onion functionality both for hosting onion services and for accessing
  v3 onion addresses in Tor Browser.
- Created the grub-live package [13 (https://whonix.org/wiki/Whonix_Live)], which can run Whonix as a
  live system on non-Qubes-Whonix platforms. [14]
- Corrected and hardened various AppArmor profiles to ensure the
  correct functioning of Tor Browser, obfsproxy and other applications.
Known Issues

- Desktop shortcuts are no longer available in non-Qubes-Whonix.
- OnionShare is not installed by default in Whonix 14 as it is not in
  the stretch repository. [15 (https://packages.debian.org/search?searchon=names&keywords=onionshare)] It can still be manually installed by
  following the Whonix wiki instructions [16 (https://whonix.org/wiki/Onionshare)] or building it from source
  code. [17 (https://github.com/micahflee/onionshare/blob/master/BUILD.md#gnulinux)]
- Enabling seccomp (Sandbox 1) in /usr/local/etc/torrc.d/50_user.conf
  causes the Tor process to crash if a Tor version lower than 0.3.3 is
  used. [18 (https://trac.torproject.org/projects/tor/ticket/22605)] [19 (https://packages.debian.org/stretch/tor)]
While there may be other issues that exist in this declared stable
release, every effort has been made to address major known problems.

Please report any other issues to us in the forums, after first
searching for whether it is already known.

https://www.whonix.org/wiki/Known_Issues

Download Whonix 14

Whonix is cross-platform and can be installed on the Windows, macOS,
Linux or Qubes operating systems. Choose your operating system from
the link below and follow the instructions to install it.

https://www.whonix.org/download/

Upgrade to Whonix 14

Current Whonix users (or those with 32-bit hardware) who would prefer
to upgrade their existing Whonix 13 platform should follow the upgrade
instructions below.
https://whonix.org/wiki/Upgrading_Whonix_13_to_Whonix_14

What’s Next?

Work on Whonix 15 is ongoing and interested users can refer to the
roadmap to see where Whonix is heading. [20 (https://phabricator.whonix.org/maniphest/query/open/)]

Developer priorities are currently focused on easing the transition to
the next Debian release due in 2019 (“buster”; Debian 10) and
squashing existing bugs, rather than implementing new features.

We need your help and there are various ways to contribute to Whonix -
donating or investing your time will help the project immensely. Come
and talk with us! [21 (https://forums.whonix.org/)]

Notes

[5] Whonix 13 users with 32-bit systems can however upgrade their
platform by following the available wiki instructions, rather than
download new Whonix-WS and Whonix-GW images.

[12] VirtualBox .ova and libvirt qcow2 raw images. The Whonix-Gateway
is reduced from 1.7 GB to 1.1 GB, while the Whonix-Workstation is
reduced from 2 GB to 1.3 GB.

[14] grub-live is optional and requires the user to first enable it
manually.

This post has been formatted for presentation on the Qubes website from the original mailing list announcement (https://groups.google.com/forum/#!topic/qubes-users/5mBXxQ_LSvg).
Get an Introduction to Working with the Xen Project Hypervisor and More at Open Source Summit #OSSummit
https://blog.xenproject.org/2018/08/14/get-an-introduction-to-working-with-the-xen-project-hypervisor-and-more-at-open-source-summit-ossummit/

Open Source Summit is the premier event to get introduced to open source and to learn more about the trends that are surrounding this space. This year’s Open Source Summit will be held in Vancouver, BC from August 29 – 31. The event covers a wide range of topics from blockchain to security to virtualization […]
QSB #42: Linux netback driver OOB access in hash handling (XSA-270)
https://www.qubes-os.org/news/2018/08/14/qsb-42/

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #42: Linux netback
driver OOB access in hash handling (XSA-270). The text of this QSB is
reproduced below. This QSB and its accompanying signatures will always
be available in the Qubes Security Pack (qubes-secpack).

View QSB #42 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-042-2018.txt

Learn about the qubes-secpack, including how to obtain, verify, and read
it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

View XSA-270 in the XSA Tracker:

https://www.qubes-os.org/security/xsa/#270

---===[ Qubes Security Bulletin #42 ]===---

2018-08-14


Linux netback driver OOB access in hash handling (XSA-270)

Summary
========

On 2018-08-14, the Xen Security Team published Xen Security Advisory
270 (XSA-270) [1] with the following description:

| Linux's netback driver allows frontends to control mapping of requests
| to request queues. When processing a request to set or change this
| mapping, some input validation was missing or flawed.
|
| A malicious or buggy frontend may cause the (usually privileged)
| backend to make out of bounds memory accesses, potentially resulting
| in one or more of privilege escalation, Denial of Service (DoS), or
| information leaks.

Impact for Qubes
=================

The bug affects only the network backend driver, which means that any
qube with access to a network can attack the qube that provides it with
access to that network. For example:

- In a default configuration, any network-connected AppVM can attack
sys-firewall, which can in turn attack sys-net.

- Any qube connected to a VPN Gateway [2] can attack the VPN Gateway
and potentially steal VPN credentials.

- Any Whonix Workstation can attack the Whonix Gateway to which it is
connected, potentially compromising anonymity.

It is important to note, however, that dom0 and network-disconnected
qubes are not affected.

Patching
=========

The Xen Project has provided patches to fix this issue.

The specific packages that resolve the problems discussed in this
bulletin are as follows:

For Qubes 3.2:
- kernel packages, version 4.14.57-2
- kernel-latest packages, version 4.17.9-2

For Qubes 4.0:
- kernel packages, version 4.14.57-2
- kernel-latest packages, version 4.17.9-2

The kernel-latest packages are not installed by default. If you do not
already have them installed, then it is not necessary to install them in
order to fix this issue. However, if you already have them installed,
then we recommend that you update them to the version containing the fix
for this issue.

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

For updates from the stable repository (not immediately available):
$ sudo qubes-dom0-update

For updates from the security-testing repository:
$ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A restart of all network-providing qubes will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Linux binaries.

Users who are using in-VM kernels [3] for any of their VMs should note
that installing the packages listed above will not update their in-VM
kernels. We recommend that these users install updates for their in-VM
kernels when the appropriate distributions provide kernel updates that
fix this issue.
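The following shell script is an added example; it is not part of QSB #42 or of the Qubes OS tooling. It puts the two practical points of the "Impact for Qubes" and "Patching" sections into checkable form: it compares dom0 kernel and kernel-latest package versions against the fixed versions listed above (skipping the kernel-latest check when that package is not installed, as the bulletin allows), and it derives from a NAME/NETVM listing which qubes act as NetVM for others, since those are the qubes running the netback driver that can be attacked by their clients and that must be restarted after the update. The function names, the awk-based version comparison and the sample listing are this example's own; the sample assumes the two-column layout of `qvm-ls --fields NAME,NETVM` with `-` meaning no NetVM, and the rpm query in the comments is the usual way to read installed versions in dom0, not something the bulletin prescribes.

```shell
#!/bin/sh
# Added example (not from QSB #42 or Qubes OS). Checks dom0 kernel package
# versions against the fixed versions in QSB #42 and lists the qubes that
# provide networking to others, i.e. those that must be restarted afterwards.

# Fixed versions named in QSB #42 for both Qubes 3.2 and 4.0.
FIXED_KERNEL="4.14.57-2"
FIXED_KERNEL_LATEST="4.17.9-2"

# version_ge A B: succeed when version-release string A is >= B, comparing
# numeric fields split on '.' and '-'. Non-numeric fields such as the
# "pvops.qubes" suffix of real dom0 kernel packages compare as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# qsb42_status KERNEL_VER [KERNEL_LATEST_VER]: prints "patched" or
# "vulnerable" and returns non-zero when vulnerable. Pass an empty second
# argument when kernel-latest is not installed; the bulletin says it need
# not be installed to be fixed.
qsb42_status() {
    if ! version_ge "$1" "$FIXED_KERNEL"; then
        echo vulnerable; return 1
    fi
    if [ -n "$2" ] && ! version_ge "$2" "$FIXED_KERNEL_LATEST"; then
        echo vulnerable; return 1
    fi
    echo patched
}

# network_providers: reads a NAME/NETVM listing (header line first, "-" for
# no NetVM) on stdin and prints each qube that some other qube uses as its
# NetVM. These run the netback driver and are the targets the bulletin
# describes (sys-net, sys-firewall, VPN gateways, Whonix gateways).
network_providers() {
    awk 'NR > 1 && $2 != "-" && $2 != "" { print $2 }' | sort -u
}

# Constructed sample in the assumed shape of `qvm-ls --fields NAME,NETVM`;
# in dom0 you would pipe the real command's output instead.
SAMPLE_QVM_LS='NAME            NETVM
dom0            -
sys-net         -
sys-firewall    sys-net
personal        sys-firewall
work            sys-firewall
vault           -
sys-whonix      sys-firewall
anon-whonix     sys-whonix'

# Stand-alone run with constructed versions. In dom0 the installed versions
# can be read with, for example,
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel
# (several kernel packages may be installed; compare the newest one).
main() {
    printf 'kernel 4.14.57-2, no kernel-latest: %s\n' \
        "$(qsb42_status 4.14.57-2 '' || true)"
    printf 'kernel 4.14.57-2, kernel-latest 4.17.9-1: %s\n' \
        "$(qsb42_status 4.14.57-2 4.17.9-1 || true)"
    echo 'Qubes to restart after the update:'
    printf '%s\n' "$SAMPLE_QVM_LS" | network_providers
}

main
```

Note that a qube with a NetVM but no clients of its own (personal, work, anon-whonix in the sample) is an attacker position, not a target, in the scenario the bulletin describes; dom0 and qubes with no NetVM at all (vault) appear in neither role, matching the "not affected" statement above.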

Credits
========

See the original Xen Security Advisory.

References
===========