Whonix 15 has reached EOL
https://www.qubes-os.org/news/2021/11/14/whonix-15-eol/
Whonix 15 has reached EOL (end-of-life). If you have not already done
so, we strongly recommend upgrading your Whonix 15 templates and
standalones to Whonix 16 (https://www.qubes-os.org/news/2021/09/30/whonix-16-template-available/) immediately. The Whonix Project provides
fresh Whonix 16 template packages through the Qubes community template
repositories, which you can install in dom0 by following the standard
installation instructions (https://www.whonix.org/wiki/Qubes/Install). Alternatively, the Whonix Project also
provides step-by-step instructions for performing an in-place upgrade (https://www.whonix.org/wiki/Release_Upgrade_Whonix_15_to_Whonix_16)
of an existing Whonix 15 template. After upgrading your templates,
please remember to switch all qubes that were using the old template
to use the new one (https://www.qubes-os.org/doc/templates/#switching).
For a complete list of template releases supported for your specific
Qubes release, please see our supported template releases (https://www.qubes-os.org/doc/supported-releases/#templates).
https://www.qubes-os.org/news/2021/11/14/whonix-15-eol/
Whonix 15 has reached EOL (end-of-life). If you have not already done
so, we strongly recommend upgrading your Whonix 15 templates and
standalones to Whonix 16 (https://www.qubes-os.org/news/2021/09/30/whonix-16-template-available/) immediately. The Whonix Project provides
fresh Whonix 16 template packages through the Qubes community template
repositories, which you can install in dom0 by following the standard
installation instructions (https://www.whonix.org/wiki/Qubes/Install). Alternatively, the Whonix Project also
provides step-by-step instructions for performing an in-place upgrade (https://www.whonix.org/wiki/Release_Upgrade_Whonix_15_to_Whonix_16)
of an existing Whonix 15 template. After upgrading your templates,
please remember to switch all qubes that were using the old template
to use the new one (https://www.qubes-os.org/doc/templates/#switching).
For a complete list of template releases supported for your specific
Qubes release, please see our supported template releases (https://www.qubes-os.org/doc/supported-releases/#templates).
Qubes OS 4.1-rc2 has been released!
https://www.qubes-os.org/news/2021/11/17/qubes-4-1-rc2/
We’re pleased to announce the second release candidate for Qubes 4.1!
Qubes 4.1-rc2 contains fixes for bugs that were discovered in the first
release candidate (4.1-rc1). For existing Qubes 4.1-rc1 users, a regular
update (https://www.qubes-os.org/doc/how-to-update/) is sufficient to upgrade to 4.1-rc2.
In case you haven’t heard, Qubes 4.1 includes several major new
features, each of which is explained in depth in its own article:
Qubes Architecture Next Steps: The GUI Domain (https://www.qubes-os.org/news/2020/03/18/gui-domain/)
Qubes Architecture Next Steps: The New Qrexec Policy System (https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/)
New Gentoo templates and maintenance infrastructure (https://www.qubes-os.org/news/2020/10/05/new-gentoo-templates-and-maintenance-infrastructure/)
Reproducible builds for Debian: a big step forward (https://www.qubes-os.org/news/2021/10/08/reproducible-builds-for-debian-a-big-step-forward/)
There are also numerous other improvements and
bug fixes listed in the release notes (https://www.qubes-os.org/doc/releases/4.1/release-notes/) and in the issue
tracker (https://github.com/QubesOS/qubes-issues/issues?q=milestone%3A%22Release+4.1%22+is%3Aclosed+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+invalid%22+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+not+an+issue%22+-label%3A%22R%3A+not+our+bug%22+-label%3A%22R%3A+won%27t+do%22+-label%3A%22R%3A+won%27t+fix%22+).
Finally, Qubes 4.1 features the following updated default components:
Xen 4.14
Fedora 32 in dom0
Fedora 34 template
Debian 11 template
Whonix 16 Gateway and Workstation templates
Linux kernel 5.10
How to test Qubes 4.1-rc2
If you’re willing to test (https://www.qubes-os.org/doc/testing/) this release candidate, you can help to
improve the stable release by reporting any bugs you encounter (https://www.qubes-os.org/doc/issue-tracking/).
Experienced users are strongly encouraged to join the testing team (https://forum.qubes-os.org/t/joining-the-testing-team/5190)!
How to migrate to 4.1-rc2:
If you’re already on 4.1-rc1, simply perform a normal update (https://www.qubes-os.org/doc/how-to-update/).
If you’re not on 4.1-rc1, you have two options:
Back up (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#creating-a-backup) your current installation, download (https://www.qubes-os.org/downloads/) 4.1-rc2, perform a
fresh install (https://www.qubes-os.org/doc/installation-guide/), then restore (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#restoring-from-a-backup) from your backup.
Perform an in-place upgrade (https://www.qubes-os.org/doc/upgrade/4.1/).
Release candidate planning
As with any release candidate, it’s possible that user testing will
reveal important bugs that we’ll want to fix before the stable release.
We plan to release the next release candidate in approximately five
weeks. As explained in our general release schedule (https://www.qubes-os.org/doc/version-scheme/#release-schedule), this cycle will
continue until no major bugs are discovered, at which point the latest
release candidate will be declared the stable 4.1 release.
https://www.qubes-os.org/news/2021/11/17/qubes-4-1-rc2/
We’re pleased to announce the second release candidate for Qubes 4.1!
Qubes 4.1-rc2 contains fixes for bugs that were discovered in the first
release candidate (4.1-rc1). For existing Qubes 4.1-rc1 users, a regular
update (https://www.qubes-os.org/doc/how-to-update/) is sufficient to upgrade to 4.1-rc2.
In case you haven’t heard, Qubes 4.1 includes several major new
features, each of which is explained in depth in its own article:
Qubes Architecture Next Steps: The GUI Domain (https://www.qubes-os.org/news/2020/03/18/gui-domain/)
Qubes Architecture Next Steps: The New Qrexec Policy System (https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/)
New Gentoo templates and maintenance infrastructure (https://www.qubes-os.org/news/2020/10/05/new-gentoo-templates-and-maintenance-infrastructure/)
Reproducible builds for Debian: a big step forward (https://www.qubes-os.org/news/2021/10/08/reproducible-builds-for-debian-a-big-step-forward/)
There are also numerous other improvements and
bug fixes listed in the release notes (https://www.qubes-os.org/doc/releases/4.1/release-notes/) and in the issue
tracker (https://github.com/QubesOS/qubes-issues/issues?q=milestone%3A%22Release+4.1%22+is%3Aclosed+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+invalid%22+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+not+an+issue%22+-label%3A%22R%3A+not+our+bug%22+-label%3A%22R%3A+won%27t+do%22+-label%3A%22R%3A+won%27t+fix%22+).
Finally, Qubes 4.1 features the following updated default components:
Xen 4.14
Fedora 32 in dom0
Fedora 34 template
Debian 11 template
Whonix 16 Gateway and Workstation templates
Linux kernel 5.10
How to test Qubes 4.1-rc2
If you’re willing to test (https://www.qubes-os.org/doc/testing/) this release candidate, you can help to
improve the stable release by reporting any bugs you encounter (https://www.qubes-os.org/doc/issue-tracking/).
Experienced users are strongly encouraged to join the testing team (https://forum.qubes-os.org/t/joining-the-testing-team/5190)!
How to migrate to 4.1-rc2:
If you’re already on 4.1-rc1, simply perform a normal update (https://www.qubes-os.org/doc/how-to-update/).
If you’re not on 4.1-rc1, you have two options:
Back up (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#creating-a-backup) your current installation, download (https://www.qubes-os.org/downloads/) 4.1-rc2, perform a
fresh install (https://www.qubes-os.org/doc/installation-guide/), then restore (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#restoring-from-a-backup) from your backup.
Perform an in-place upgrade (https://www.qubes-os.org/doc/upgrade/4.1/).
Release candidate planning
As with any release candidate, it’s possible that user testing will
reveal important bugs that we’ll want to fix before the stable release.
We plan to release the next release candidate in approximately five
weeks. As explained in our general release schedule (https://www.qubes-os.org/doc/version-scheme/#release-schedule), this cycle will
continue until no major bugs are discovered, at which point the latest
release candidate will be declared the stable 4.1 release.
XSAs released on 2021-11-19
https://www.qubes-os.org/news/2021/11/19/xsas-released-on-2021-11-19/
The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS is not affected.
Therefore, no user action is required.
XSAs that affect the security of Qubes OS (user action required)
The following XSAs do affect the security of Qubes OS:
(None)
XSAs that do not affect the security of Qubes OS (no user action required)
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
XSA-390 (affects only Xen versions >=4.15; Qubes currently uses 4.14 and 4.8)
Related links
Xen XSA list: https://xenbits.xen.org/xsa/
Qubes XSA tracker: https://www.qubes-os.org/security/xsa/
Qubes security pack (qubes-secpack): https://www.qubes-os.org/security/pack/
Qubes security bulletins (QSBs): https://www.qubes-os.org/security/qsb/
https://www.qubes-os.org/news/2021/11/19/xsas-released-on-2021-11-19/
The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS is not affected.
Therefore, no user action is required.
XSAs that affect the security of Qubes OS (user action required)
The following XSAs do affect the security of Qubes OS:
(None)
XSAs that do not affect the security of Qubes OS (no user action required)
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
XSA-390 (affects only Xen versions >=4.15; Qubes currently uses 4.14 and 4.8)
Related links
Xen XSA list: https://xenbits.xen.org/xsa/
Qubes XSA tracker: https://www.qubes-os.org/security/xsa/
Qubes security pack (qubes-secpack): https://www.qubes-os.org/security/pack/
Qubes security bulletins (QSBs): https://www.qubes-os.org/security/qsb/
XSAs released on 2021-11-23
https://www.qubes-os.org/news/2021/11/24/xsas-released-on-2021-11-23/
The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS is affected.
Therefore, user action is required.
XSAs that affect the security of Qubes OS (user action required)
The following XSAs do affect the security of Qubes OS:
XSA-388
XSA-389
Please see QSB-074 for the actions users must take in order to
protect themselves, as well as further details about these XSAs:
https://www.qubes-os.org/news/2021/11/24/qsb-074/
XSAs that do not affect the security of Qubes OS (no user action required)
The following XSAs do not affect the security of Qubes OS, and no
user action is necessary:
XSA-385 (DoS only; Qubes has BIGMEM disabled)
XSA-387 (Qubes has grant tables v2 disabled)
Related links
Xen XSA list: https://xenbits.xen.org/xsa/
Qubes XSA tracker: https://www.qubes-os.org/security/xsa/
Qubes security pack (qubes-secpack): https://www.qubes-os.org/security/pack/
Qubes security bulletins (QSBs): https://www.qubes-os.org/security/qsb/
https://www.qubes-os.org/news/2021/11/24/xsas-released-on-2021-11-23/
The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS is affected.
Therefore, user action is required.
XSAs that affect the security of Qubes OS (user action required)
The following XSAs do affect the security of Qubes OS:
XSA-388
XSA-389
Please see QSB-074 for the actions users must take in order to
protect themselves, as well as further details about these XSAs:
https://www.qubes-os.org/news/2021/11/24/qsb-074/
XSAs that do not affect the security of Qubes OS (no user action required)
The following XSAs do not affect the security of Qubes OS, and no
user action is necessary:
XSA-385 (DoS only; Qubes has BIGMEM disabled)
XSA-387 (Qubes has grant tables v2 disabled)
Related links
Xen XSA list: https://xenbits.xen.org/xsa/
Qubes XSA tracker: https://www.qubes-os.org/security/xsa/
Qubes security pack (qubes-secpack): https://www.qubes-os.org/security/pack/
Qubes security bulletins (QSBs): https://www.qubes-os.org/security/qsb/
QSB-074: Xen issues related to populate-on-demand (XSA-388, XSA-389)
https://www.qubes-os.org/news/2021/11/24/qsb-074/
We have just published Qubes Security Bulletin (QSB) 074:
Xen issues related to populate-on-demand (XSA-388, XSA-389).
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-074 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-074-2021.txt
In addition, you may wish to:
Get the qubes-secpack: https://www.qubes-os.org/security/pack/
View all past QSBs: https://www.qubes-os.org/security/qsb/
View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 074 ]===---
2021-11-23
Xen issues related to populate-on-demand (XSA-388, XSA-389)
User action required
---------------------
Users must install the following specific packages in order to address
the issues discussed in this bulletin:
For Qubes 4.0, in dom0:
- Xen packages, version 4.8.5-36
For Qubes 4.1, in dom0:
- Xen packages, version 4.14.3-4
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]
Dom0 must be restarted afterward in order for the updates to take
effect.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
Summary
--------
The following security advisories were published on 2021-11-23:
XSA-388 [3] "PoD operations on misaligned GFNs":
| x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode,
| to provide a way for them to later easily have more memory assigned.
|
| Guests are permitted to control certain P2M aspects of individual
| pages via hypercalls. These hypercalls may act on ranges of pages
| specified via page orders (resulting in a power-of-2 number of pages).
| The implementation of some of these hypercalls for PoD does not
| enforce the base page frame number to be suitably aligned for the
| specified order, yet some code involved in PoD handling actually makes
| such an assumption.
|
| These operations are XENMEM_decrease_reservation (CVE-2021-28704) and
| XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by
| domains controlling the guest, i.e. a de-privileged qemu or a stub
| domain. (Patch 1, combining the fix to both these two issues.)
|
| In addition handling of XENMEM_decrease_reservation can also trigger a
| host crash when the specified page order is neither 4k nor 2M nor 1G
| (CVE-2021-28708, patch 2).
XSA-389 [4] "issues with partially successful P2M updates on x86":
| x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode,
| to provide a way for them to later easily have more memory assigned.
|
| Guests are permitted to control certain P2M aspects of individual
| pages via hypercalls. These hypercalls may act on ranges of pages
| specified via page orders (resulting in a power-of-2 number of pages).
| In some cases the hypervisor carries out the requests by splitting
| them into smaller chunks. Error handling in certain PoD cases has
| been insufficient in that in particular partial success of some
| operations was not properly accounted for.
|
| There are two code paths affected - page removal (CVE-2021-28705) and
| insertion of new pages (CVE-2021-28709). (We provide one patch which
| combines the fix to both issues.)
Impact
-------
Malicious or buggy guest kernels may be able to mount Denial of Service
(DoS) attacks affecting the entire system. Privilege escalation and
information leaks cannot be ruled out.
These issues affect only qubes that have dynamic memory balancing
https://www.qubes-os.org/news/2021/11/24/qsb-074/
We have just published Qubes Security Bulletin (QSB) 074:
Xen issues related to populate-on-demand (XSA-388, XSA-389).
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-074 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-074-2021.txt
In addition, you may wish to:
Get the qubes-secpack: https://www.qubes-os.org/security/pack/
View all past QSBs: https://www.qubes-os.org/security/qsb/
View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 074 ]===---
2021-11-23
Xen issues related to populate-on-demand (XSA-388, XSA-389)
User action required
---------------------
Users must install the following specific packages in order to address
the issues discussed in this bulletin:
For Qubes 4.0, in dom0:
- Xen packages, version 4.8.5-36
For Qubes 4.1, in dom0:
- Xen packages, version 4.14.3-4
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]
Dom0 must be restarted afterward in order for the updates to take
effect.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
Summary
--------
The following security advisories were published on 2021-11-23:
XSA-388 [3] "PoD operations on misaligned GFNs":
| x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode,
| to provide a way for them to later easily have more memory assigned.
|
| Guests are permitted to control certain P2M aspects of individual
| pages via hypercalls. These hypercalls may act on ranges of pages
| specified via page orders (resulting in a power-of-2 number of pages).
| The implementation of some of these hypercalls for PoD does not
| enforce the base page frame number to be suitably aligned for the
| specified order, yet some code involved in PoD handling actually makes
| such an assumption.
|
| These operations are XENMEM_decrease_reservation (CVE-2021-28704) and
| XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by
| domains controlling the guest, i.e. a de-privileged qemu or a stub
| domain. (Patch 1, combining the fix to both these two issues.)
|
| In addition handling of XENMEM_decrease_reservation can also trigger a
| host crash when the specified page order is neither 4k nor 2M nor 1G
| (CVE-2021-28708, patch 2).
XSA-389 [4] "issues with partially successful P2M updates on x86":
| x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode,
| to provide a way for them to later easily have more memory assigned.
|
| Guests are permitted to control certain P2M aspects of individual
| pages via hypercalls. These hypercalls may act on ranges of pages
| specified via page orders (resulting in a power-of-2 number of pages).
| In some cases the hypervisor carries out the requests by splitting
| them into smaller chunks. Error handling in certain PoD cases has
| been insufficient in that in particular partial success of some
| operations was not properly accounted for.
|
| There are two code paths affected - page removal (CVE-2021-28705) and
| insertion of new pages (CVE-2021-28709). (We provide one patch which
| combines the fix to both issues.)
Impact
-------
Malicious or buggy guest kernels may be able to mount Denial of Service
(DoS) attacks affecting the entire system. Privilege escalation and
information leaks cannot be ruled out.
These issues affect only qubes that have dynamic memory balancing
enabled. In the default Qubes OS configuration, this excludes sys-net
and sys-usb, which have memory assigned statically. All other
Linux-based qubes are affected.
Credits
--------
See the original Xen Security Advisories.
References
-----------
[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-388.html
[4] https://xenbits.xen.org/xsa/advisory-389.html
--
The Qubes Security Team
https://www.qubes-os.org/security/
and sys-usb, which have memory assigned statically. All other
Linux-based qubes are affected.
Credits
--------
See the original Xen Security Advisories.
References
-----------
[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-388.html
[4] https://xenbits.xen.org/xsa/advisory-389.html
--
The Qubes Security Team
https://www.qubes-os.org/security/
Fedora 33 has reached EOL
https://www.qubes-os.org/news/2021/11/30/fedora-33-eol/
As previously announced (https://www.qubes-os.org/news/2021/11/11/fedora-33-approaching-eol-fedora-34-templates-available/), Fedora 33 has reached EOL (end-of-life (https://fedoraproject.org/wiki/End_of_life)).
If you have not already done so, we strongly recommend upgrading (https://www.qubes-os.org/doc/templates/fedora/#upgrading) your
Fedora 33 templates and standalones to Fedora 34 immediately.
We provide fresh Fedora 34 template packages through the official Qubes
repositories, which you can install in dom0 by following the standard
installation instructions (https://www.qubes-os.org/doc/templates/fedora/#installing). Alternatively, we also provide step-by-step
instructions for performing an in-place upgrade (https://www.qubes-os.org/doc/template/fedora/upgrade/) of an existing Fedora
template. After upgrading your templates, please remember to switch all
qubes that were using the old template to use the new one (https://www.qubes-os.org/doc/templates/#switching).
For a complete list of template releases that are supported for your
specific Qubes release, see our supported template releases (https://www.qubes-os.org/doc/supported-releases/#templates).
Please note that no user action is required regarding the OS version in
dom0. For details, please see our note on dom0 and EOL (https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol).
Note for 4.1 release candidate testers: Qubes R4.1-rc1 already
includes the Fedora 34 template by default, so no action is required.
https://www.qubes-os.org/news/2021/11/30/fedora-33-eol/
As previously announced (https://www.qubes-os.org/news/2021/11/11/fedora-33-approaching-eol-fedora-34-templates-available/), Fedora 33 has reached EOL (end-of-life (https://fedoraproject.org/wiki/End_of_life)).
If you have not already done so, we strongly recommend upgrading (https://www.qubes-os.org/doc/templates/fedora/#upgrading) your
Fedora 33 templates and standalones to Fedora 34 immediately.
We provide fresh Fedora 34 template packages through the official Qubes
repositories, which you can install in dom0 by following the standard
installation instructions (https://www.qubes-os.org/doc/templates/fedora/#installing). Alternatively, we also provide step-by-step
instructions for performing an in-place upgrade (https://www.qubes-os.org/doc/template/fedora/upgrade/) of an existing Fedora
template. After upgrading your templates, please remember to switch all
qubes that were using the old template to use the new one (https://www.qubes-os.org/doc/templates/#switching).
For a complete list of template releases that are supported for your
specific Qubes release, see our supported template releases (https://www.qubes-os.org/doc/supported-releases/#templates).
Please note that no user action is required regarding the OS version in
dom0. For details, please see our note on dom0 and EOL (https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol).
Note for 4.1 release candidate testers: Qubes R4.1-rc1 already
includes the Fedora 34 template by default, so no action is required.
XEN PROJECT SHIPS VERSION 4.16 WITH FOCUS ON IMPROVED PERFORMANCE SECURITY AND HARDWARE SUPPORT
https://xenproject.org/2021/12/02/xen-project-ships-version-4-16-with-focus-on-improved-performance-security-and-hardware-support/
NEW VERSION INTRODUCES ARM VIRTUAL PERFORMANCE MONITOR COUNTERS AND BROADER X86 HARDWARE SUPPORT. COMMUNITY INITIATIVES, INCLUDING FUNCTIONAL SAFETY AND VIRTIO, CONTINUE TO PROGRESS. The Xen Project, an open source hypervisor...
https://xenproject.org/2021/12/02/xen-project-ships-version-4-16-with-focus-on-improved-performance-security-and-hardware-support/
NEW VERSION INTRODUCES ARM VIRTUAL PERFORMANCE MONITOR COUNTERS AND BROADER X86 HARDWARE SUPPORT. COMMUNITY INITIATIVES, INCLUDING FUNCTIONAL SAFETY AND VIRTIO, CONTINUE TO PROGRESS. The Xen Project, an open source hypervisor...
Debian 11 templates available
https://www.qubes-os.org/news/2021/12/07/debian-11-templates-available/
New Debian 11 templates are available for both Qubes 4.0 and 4.1.
We provide fresh Debian 11 template packages through the official Qubes
repositories, which you can install in dom0 by following the standard
installation instructions (https://www.qubes-os.org/doc/templates/debian/#installing). Alternatively, we also provide step-by-step
instructions for performing an in-place upgrade (https://www.qubes-os.org/doc/template/debian/upgrade/) of an existing Fedora
template. After upgrading your templates, please remember to switch all
qubes that were using the old template to use the new one (https://www.qubes-os.org/doc/templates/#switching).
For a complete list of template releases that are supported for your
specific Qubes release, see our supported template releases (https://www.qubes-os.org/doc/supported-releases/#templates).
Please note that no user action is required regarding the OS version in
dom0. For details, please see our note on dom0 and EOL (https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol).
https://www.qubes-os.org/news/2021/12/07/debian-11-templates-available/
New Debian 11 templates are available for both Qubes 4.0 and 4.1.
We provide fresh Debian 11 template packages through the official Qubes
repositories, which you can install in dom0 by following the standard
installation instructions (https://www.qubes-os.org/doc/templates/debian/#installing). Alternatively, we also provide step-by-step
instructions for performing an in-place upgrade (https://www.qubes-os.org/doc/template/debian/upgrade/) of an existing Fedora
template. After upgrading your templates, please remember to switch all
qubes that were using the old template to use the new one (https://www.qubes-os.org/doc/templates/#switching).
For a complete list of template releases that are supported for your
specific Qubes release, see our supported template releases (https://www.qubes-os.org/doc/supported-releases/#templates).
Please note that no user action is required regarding the OS version in
dom0. For details, please see our note on dom0 and EOL (https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol).
Qubes Canary 029
https://www.qubes-os.org/news/2021/12/13/canary-029/
We have published Qubes Canary 029. The text of this canary is
reproduced below.
This canary and its accompanying signatures will always be available in
the Qubes security pack (qubes-secpack).
View Qubes Canary 029 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-029-2021.txt
Learn how to obtain and authenticate the qubes-secpack and all the
signatures it contains:
https://www.qubes-os.org/security/pack/
View all past canaries:
https://www.qubes-os.org/security/canary/
---===[ Qubes Canary 029 ]===---
Statements
-----------
The Qubes security team members who have digitally signed this file [1]
state the following:
1. The date of issue of this canary is December 13, 2021.
2. There have been 74 Qubes security bulletins published so far.
3. The Qubes Master Signing Key fingerprint is:
427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).
5. We plan to publish the next of these canary statements in the first
fourteen days of March 2022. Special note should be taken if no new
canary is published by that time or if the list of statements changes
without plausible explanation.
Special announcements
----------------------
Many PGP keys in the Qubes security pack (qubes-secpack) that are used
elsewhere in the project (such as the Qubes builder), including the
Qubes Master Signing Key (QMSK), were signed or self-signed using the
SHA-1 hash function. Unlike some other uses of SHA-1, its use in our PGP
signatures does not pose a noteworthy security risk unless an adversary
is capable of performing a successful preimage attack (not merely a
collision attack). Since there are presently no known feasible attacks
against the preimage resistance of full SHA-1, our use of SHA-1 in PGP
signatures does not currently pose a relevant security risk.
Nonetheless, as a preemptive defense-in-depth enhancement and to support
deprecation of SHA-1 in tooling, we have decided to re-(self-)sign many
of these keys using SHA-256 or SHA-512. [3]
In addition, the qubes-secpack contains several expired code signing
keys, old release keys, and keys belonging to individuals who are no
longer active Qubes developers. We have decided to move these keys into
new "retired" subdirectories. (We've decided to move them rather than
delete them, since some users may wish to use them to authenticate old
signatures. Note that this is merely a matter of convenience, since even
deleted files always remain in the Git repository's history and can
always be retrieved that way.)
To be clear, none of the actions described here constitute a response to
any security incident. To our knowledge, the keys in the qubes-secpack
are not and have never been at risk. No key fingerprints have changed as
a result of these actions. We consider this updating and cleanup of the
keys to be more of a "housekeeping" task.
Disclaimers and notes
----------------------
We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently compromised.
This means that we assume NO trust in any of the servers or services
which host or provide any Qubes-related data, in particular, software
updates, source code repositories, and Qubes ISO downloads.
This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other means,
like blackmail or compromising the signers' laptops, to coerce us to
produce false declarations.
The proof of freshness provided below serves to demonstrate that this
canary could not have been created prior to the date stated. It shows
https://www.qubes-os.org/news/2021/12/13/canary-029/
We have published Qubes Canary 029. The text of this canary is
reproduced below.
This canary and its accompanying signatures will always be available in
the Qubes security pack (qubes-secpack).
View Qubes Canary 029 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-029-2021.txt
Learn how to obtain and authenticate the qubes-secpack and all the
signatures it contains:
https://www.qubes-os.org/security/pack/
View all past canaries:
https://www.qubes-os.org/security/canary/
---===[ Qubes Canary 029 ]===---
Statements
-----------
The Qubes security team members who have digitally signed this file [1]
state the following:
1. The date of issue of this canary is December 13, 2021.
2. There have been 74 Qubes security bulletins published so far.
3. The Qubes Master Signing Key fingerprint is:
427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).
5. We plan to publish the next of these canary statements in the first
fourteen days of March 2022. Special note should be taken if no new
canary is published by that time or if the list of statements changes
without plausible explanation.
Special announcements
----------------------
Many PGP keys in the Qubes security pack (qubes-secpack) that are used
elsewhere in the project (such as the Qubes builder), including the
Qubes Master Signing Key (QMSK), were signed or self-signed using the
SHA-1 hash function. Unlike some other uses of SHA-1, its use in our PGP
signatures does not pose a noteworthy security risk unless an adversary
is capable of performing a successful preimage attack (not merely a
collision attack). Since there are presently no known feasible attacks
against the preimage resistance of full SHA-1, our use of SHA-1 in PGP
signatures does not currently pose a relevant security risk.
Nonetheless, as a preemptive defense-in-depth enhancement and to support
deprecation of SHA-1 in tooling, we have decided to re-(self-)sign many
of these keys using SHA-256 or SHA-512. [3]
In addition, the qubes-secpack contains several expired code signing
keys, old release keys, and keys belonging to individuals who are no
longer active Qubes developers. We have decided to move these keys into
new "retired" subdirectories. (We've decided to move them rather than
delete them, since some users may wish to use them to authenticate old
signatures. Note that this is merely a matter of convenience, since even
deleted files always remain in the Git repository's history and can
always be retrieved that way.)
To be clear, none of the actions described here constitute a response to
any security incident. To our knowledge, the keys in the qubes-secpack
are not and have never been at risk. No key fingerprints have changed as
a result of these actions. We consider this updating and cleanup of the
keys to be more of a "housekeeping" task.
Disclaimers and notes
----------------------
We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently compromised.
This means that we assume NO trust in any of the servers or services
which host or provide any Qubes-related data, in particular, software
updates, source code repositories, and Qubes ISO downloads.
This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other means,
like blackmail or compromising the signers' laptops, to coerce us to
produce false declarations.
The proof of freshness provided below serves to demonstrate that this
canary could not have been created prior to the date stated. It shows
that a series of canaries was not created in advance.
This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to anybody.
None of the signers should be ever held legally responsible for any of
the statements made here.
Proof of freshness
-------------------
Mon, 13 Dec 2021 01:15:23 +0000
Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
Resurrection of the SP: The Unexpected Rise of Germany's New Chancellor, Olaf Scholz
BioNTech Founder Şahin on the Omicron Variant: “It Will Make Scientific Sense To Offer Booster after Three Months”
City of Warriors: Resistance Across the Border to the Myanmar Military Junta
Deadly Intrigue: The Story of the Destruction of an Aid Organization
The One-Man State: Viktor Orbán and the Fall of Democracy in Hungary
Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Haiti’s Leader Kept a List of Drug Traffickers. His Assassins Came for It.
‘Our Boat Was Surrounded by Dead Bodies’: Witnessing a Migrant Tragedy
Israeli Leader Travels to U.A.E., Showcasing Deepening Ties
New Caledonia Says ‘Non’ to Independence
Diplomats Warn Russia of ‘Massive Consequences’ if It Invades Ukraine
Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Kentucky tornadoes: Death toll likely to pass 100, governor says
Kentucky tornadoes: 100 year-old-church destroyed in seconds
Vladimir Putin: I moonlighted as a taxi driver in the 1990s
Black Axe: Leaked documents shine spotlight on secretive Nigerian gang
Alibaba fires woman who claimed sexual assault
Source: Blockchain.info
00000000000000000001b7c62afe91ab5ddb7ce534f4868fc71e4c9e4797f7b2
Footnotes
----------
[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this canary
in the qubes-secpack.git repo, and (2) via digital signatures on the
corresponding qubes-secpack.git repo tags. [2]
[2] Don't just trust the contents of this file blindly! Verify the
digital signatures! Instructions for doing so are documented here:
https://www.qubes-os.org/security/pack/
[3] https://github.com/QubesOS/qubes-issues/issues/6470
--
The Qubes Security Team
https://www.qubes-os.org/security/
This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to anybody.
None of the signers should be ever held legally responsible for any of
the statements made here.
Proof of freshness
-------------------
Mon, 13 Dec 2021 01:15:23 +0000
Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
Resurrection of the SP: The Unexpected Rise of Germany's New Chancellor, Olaf Scholz
BioNTech Founder Şahin on the Omicron Variant: “It Will Make Scientific Sense To Offer Booster after Three Months”
City of Warriors: Resistance Across the Border to the Myanmar Military Junta
Deadly Intrigue: The Story of the Destruction of an Aid Organization
The One-Man State: Viktor Orbán and the Fall of Democracy in Hungary
Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Haiti’s Leader Kept a List of Drug Traffickers. His Assassins Came for It.
‘Our Boat Was Surrounded by Dead Bodies’: Witnessing a Migrant Tragedy
Israeli Leader Travels to U.A.E., Showcasing Deepening Ties
New Caledonia Says ‘Non’ to Independence
Diplomats Warn Russia of ‘Massive Consequences’ if It Invades Ukraine
Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Kentucky tornadoes: Death toll likely to pass 100, governor says
Kentucky tornadoes: 100 year-old-church destroyed in seconds
Vladimir Putin: I moonlighted as a taxi driver in the 1990s
Black Axe: Leaked documents shine spotlight on secretive Nigerian gang
Alibaba fires woman who claimed sexual assault
Source: Blockchain.info
00000000000000000001b7c62afe91ab5ddb7ce534f4868fc71e4c9e4797f7b2
Footnotes
----------
[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this canary
in the qubes-secpack.git repo, and (2) via digital signatures on the
corresponding qubes-secpack.git repo tags. [2]
[2] Don't just trust the contents of this file blindly! Verify the
digital signatures! Instructions for doing so are documented here:
https://www.qubes-os.org/security/pack/
[3] https://github.com/QubesOS/qubes-issues/issues/6470
--
The Qubes Security Team
https://www.qubes-os.org/security/
XSAs released on 2021-12-20
https://www.qubes-os.org/news/2021/12/20/xsas-released-on-2021-12-20/
The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS is not affected.
Therefore, no user action is required.
XSAs that affect the security of Qubes OS (user action required)
The following XSAs do affect the security of Qubes OS:
(None)
XSAs that do not affect the security of Qubes OS (no user action required)
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
XSA-376 (denial-of-service only)
XSA-391 (denial-of-service only)
XSA-392 (denial-of-service only)
Related links
Xen XSA list: https://xenbits.xen.org/xsa/
Qubes XSA tracker: https://www.qubes-os.org/security/xsa/
Qubes security pack (qubes-secpack): https://www.qubes-os.org/security/pack/
Qubes security bulletins (QSBs): https://www.qubes-os.org/security/qsb/
https://www.qubes-os.org/news/2021/12/20/xsas-released-on-2021-12-20/
The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS is not affected.
Therefore, no user action is required.
XSAs that affect the security of Qubes OS (user action required)
The following XSAs do affect the security of Qubes OS:
(None)
XSAs that do not affect the security of Qubes OS (no user action required)
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
XSA-376 (denial-of-service only)
XSA-391 (denial-of-service only)
XSA-392 (denial-of-service only)
Related links
Xen XSA list: https://xenbits.xen.org/xsa/
Qubes XSA tracker: https://www.qubes-os.org/security/xsa/
Qubes security pack (qubes-secpack): https://www.qubes-os.org/security/pack/
Qubes security bulletins (QSBs): https://www.qubes-os.org/security/qsb/
Qubes OS 4.1-rc3 has been released!
https://www.qubes-os.org/news/2021/12/21/qubes-4-1-rc3/
The third release candidate for Qubes 4.1 is here! There are no major
changes to report. We’ve just focused on fixing bugs that were
discovered and reported in the second release candidate.
If you’re currently using either any Qubes 4.1 release candidate, a
regular update (https://www.qubes-os.org/doc/how-to-update/) is sufficient to upgrade to the latest one. Otherwise,
read on for more about how to get started with testing Qubes 4.1-rc3.
What’s new in Qubes 4.1?
In case you still haven’t heard, Qubes 4.1 includes several major new
features, each of which is explained in depth in its own article:
Qubes Architecture Next Steps: The GUI Domain (https://www.qubes-os.org/news/2020/03/18/gui-domain/)
Qubes Architecture Next Steps: The New Qrexec Policy System (https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/)
New Gentoo templates and maintenance infrastructure (https://www.qubes-os.org/news/2020/10/05/new-gentoo-templates-and-maintenance-infrastructure/)
Reproducible builds for Debian: a big step forward (https://www.qubes-os.org/news/2021/10/08/reproducible-builds-for-debian-a-big-step-forward/)
There are also numerous other improvements and bug fixes listed in the
release notes (https://www.qubes-os.org/doc/releases/4.1/release-notes/) and in the issue tracker (https://github.com/QubesOS/qubes-issues/issues?q=milestone%3A%22Release+4.1%22+is%3Aclosed+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+invalid%22+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+not+an+issue%22+-label%3A%22R%3A+not+our+bug%22+-label%3A%22R%3A+won%27t+do%22+-label%3A%22R%3A+won%27t+fix%22+).
Finally, Qubes 4.1 features the following updated default components:
Xen 4.14
Fedora 32 in dom0
Fedora 34 template
Debian 11 template
Whonix 16 Gateway and Workstation templates
Linux kernel 5.10
How to test Qubes 4.1-rc3
If you’re willing to test (https://www.qubes-os.org/doc/testing/) this release candidate, you can help to
improve the stable release by reporting any bugs you encounter (https://www.qubes-os.org/doc/issue-tracking/).
Experienced users are strongly encouraged to join the testing team (https://forum.qubes-os.org/t/joining-the-testing-team/5190)!
How to migrate to 4.1-rc3:
If you’re already on any 4.1 release candidate, simply perform a
normal update (https://www.qubes-os.org/doc/how-to-update/).
If you’re not on a 4.1 release candidate yet, you have two options:
Back up (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#creating-a-backup) your current installation, download (https://www.qubes-os.org/downloads/) 4.1-rc3, perform a
fresh install (https://www.qubes-os.org/doc/installation-guide/), then restore (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#restoring-from-a-backup) from your backup.
Perform an in-place upgrade (https://www.qubes-os.org/doc/upgrade/4.1/).
Release candidate planning
With each new release candidate, Qubes 4.1 becomes more and more stable
as our testers report more bugs, and our developers fix them. As
explained in our general release schedule (https://www.qubes-os.org/doc/version-scheme/#release-schedule), this cycle will continue
until no major bugs are discovered, at which point the last release
candidate will be declared the stable 4.1 release. Until then, we plan
to have new release candidates approximately every five weeks.
https://www.qubes-os.org/news/2021/12/21/qubes-4-1-rc3/
The third release candidate for Qubes 4.1 is here! There are no major
changes to report. We’ve just focused on fixing bugs that were
discovered and reported in the second release candidate.
If you’re currently using either any Qubes 4.1 release candidate, a
regular update (https://www.qubes-os.org/doc/how-to-update/) is sufficient to upgrade to the latest one. Otherwise,
read on for more about how to get started with testing Qubes 4.1-rc3.
What’s new in Qubes 4.1?
In case you still haven’t heard, Qubes 4.1 includes several major new
features, each of which is explained in depth in its own article:
Qubes Architecture Next Steps: The GUI Domain (https://www.qubes-os.org/news/2020/03/18/gui-domain/)
Qubes Architecture Next Steps: The New Qrexec Policy System (https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/)
New Gentoo templates and maintenance infrastructure (https://www.qubes-os.org/news/2020/10/05/new-gentoo-templates-and-maintenance-infrastructure/)
Reproducible builds for Debian: a big step forward (https://www.qubes-os.org/news/2021/10/08/reproducible-builds-for-debian-a-big-step-forward/)
There are also numerous other improvements and bug fixes listed in the
release notes (https://www.qubes-os.org/doc/releases/4.1/release-notes/) and in the issue tracker (https://github.com/QubesOS/qubes-issues/issues?q=milestone%3A%22Release+4.1%22+is%3Aclosed+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+invalid%22+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+not+an+issue%22+-label%3A%22R%3A+not+our+bug%22+-label%3A%22R%3A+won%27t+do%22+-label%3A%22R%3A+won%27t+fix%22+).
Finally, Qubes 4.1 features the following updated default components:
Xen 4.14
Fedora 32 in dom0
Fedora 34 template
Debian 11 template
Whonix 16 Gateway and Workstation templates
Linux kernel 5.10
How to test Qubes 4.1-rc3
If you’re willing to test (https://www.qubes-os.org/doc/testing/) this release candidate, you can help to
improve the stable release by reporting any bugs you encounter (https://www.qubes-os.org/doc/issue-tracking/).
Experienced users are strongly encouraged to join the testing team (https://forum.qubes-os.org/t/joining-the-testing-team/5190)!
How to migrate to 4.1-rc3:
If you’re already on any 4.1 release candidate, simply perform a
normal update (https://www.qubes-os.org/doc/how-to-update/).
If you’re not on a 4.1 release candidate yet, you have two options:
Back up (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#creating-a-backup) your current installation, download (https://www.qubes-os.org/downloads/) 4.1-rc3, perform a
fresh install (https://www.qubes-os.org/doc/installation-guide/), then restore (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#restoring-from-a-backup) from your backup.
Perform an in-place upgrade (https://www.qubes-os.org/doc/upgrade/4.1/).
Release candidate planning
With each new release candidate, Qubes 4.1 becomes more and more stable
as our testers report more bugs, and our developers fix them. As
explained in our general release schedule (https://www.qubes-os.org/doc/version-scheme/#release-schedule), this cycle will continue
until no major bugs are discovered, at which point the last release
candidate will be declared the stable 4.1 release. Until then, we plan
to have new release candidates approximately every five weeks.
Qubes OS 4.1.0-rc4 has been released!
https://www.qubes-os.org/news/2022/01/18/qubes-4-1-0-rc4/
The fourth release candidate for Qubes 4.1.0 is here! There are no major
changes to report. We’ve just focused on fixing bugs that were
discovered and reported in the third release candidate.
If you’re currently using any Qubes 4.1.0 release candidate, a regular
update (https://www.qubes-os.org/doc/how-to-update/) is sufficient to upgrade to the latest one. Otherwise, read on
for more about how to get started with testing Qubes 4.1.0-rc4.
What’s new in Qubes 4.1.0?
In case you still haven’t heard, Qubes 4.1.0 includes several major new
features, each of which is explained in depth in its own article:
Qubes Architecture Next Steps: The GUI Domain (https://www.qubes-os.org/news/2020/03/18/gui-domain/)
Qubes Architecture Next Steps: The New Qrexec Policy System (https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/)
New Gentoo templates and maintenance infrastructure (https://www.qubes-os.org/news/2020/10/05/new-gentoo-templates-and-maintenance-infrastructure/)
Reproducible builds for Debian: a big step forward (https://www.qubes-os.org/news/2021/10/08/reproducible-builds-for-debian-a-big-step-forward/)
There are also numerous other improvements and bug fixes listed in the
release notes (https://www.qubes-os.org/doc/releases/4.1/release-notes/) and in the issue tracker (https://github.com/QubesOS/qubes-issues/issues?q=milestone%3A%22Release+4.1%22+is%3Aclosed+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+invalid%22+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+not+an+issue%22+-label%3A%22R%3A+not+our+bug%22+-label%3A%22R%3A+won%27t+do%22+-label%3A%22R%3A+won%27t+fix%22+).
Finally, Qubes 4.1.0 features the following updated default components:
Xen 4.14
Fedora 32 in dom0
Fedora 34 template
Debian 11 template
Whonix 16 Gateway and Workstation templates
Linux kernel 5.10
How to test Qubes 4.1.0-rc4
If you’re willing to test (https://www.qubes-os.org/doc/testing/) this release candidate, you can help to
improve the stable release by reporting any bugs you encounter (https://www.qubes-os.org/doc/issue-tracking/).
Experienced users are strongly encouraged to join the testing team (https://forum.qubes-os.org/t/joining-the-testing-team/5190)!
How to migrate to 4.1.0-rc4:
If you’re already on any 4.1.0 release candidate, simply perform a
normal update (https://www.qubes-os.org/doc/how-to-update/).
If you’re not on a 4.1.0 release candidate yet, you have two options:
Back up (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#creating-a-backup) your current installation, download (https://www.qubes-os.org/downloads/) 4.1.0-rc4, perform
a fresh install (https://www.qubes-os.org/doc/installation-guide/), then restore (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#restoring-from-a-backup) from your backup.
Perform an in-place upgrade (https://www.qubes-os.org/doc/upgrade/4.1/).
Release candidate planning
With each new release candidate, Qubes 4.1.0 becomes more stable as
testers report bugs and our developers fix them. As explained in our
general release schedule (https://www.qubes-os.org/doc/version-scheme/#release-schedule), this cycle will continue until no major bugs
are discovered, at which point the last release candidate will be
declared the stable 4.1.0 release. Until then, we plan to have new
release candidates approximately every five weeks.
https://www.qubes-os.org/news/2022/01/18/qubes-4-1-0-rc4/
The fourth release candidate for Qubes 4.1.0 is here! There are no major
changes to report. We’ve just focused on fixing bugs that were
discovered and reported in the third release candidate.
If you’re currently using any Qubes 4.1.0 release candidate, a regular
update (https://www.qubes-os.org/doc/how-to-update/) is sufficient to upgrade to the latest one. Otherwise, read on
for more about how to get started with testing Qubes 4.1.0-rc4.
What’s new in Qubes 4.1.0?
In case you still haven’t heard, Qubes 4.1.0 includes several major new
features, each of which is explained in depth in its own article:
Qubes Architecture Next Steps: The GUI Domain (https://www.qubes-os.org/news/2020/03/18/gui-domain/)
Qubes Architecture Next Steps: The New Qrexec Policy System (https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/)
New Gentoo templates and maintenance infrastructure (https://www.qubes-os.org/news/2020/10/05/new-gentoo-templates-and-maintenance-infrastructure/)
Reproducible builds for Debian: a big step forward (https://www.qubes-os.org/news/2021/10/08/reproducible-builds-for-debian-a-big-step-forward/)
There are also numerous other improvements and bug fixes listed in the
release notes (https://www.qubes-os.org/doc/releases/4.1/release-notes/) and in the issue tracker (https://github.com/QubesOS/qubes-issues/issues?q=milestone%3A%22Release+4.1%22+is%3Aclosed+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+invalid%22+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+not+an+issue%22+-label%3A%22R%3A+not+our+bug%22+-label%3A%22R%3A+won%27t+do%22+-label%3A%22R%3A+won%27t+fix%22+).
Finally, Qubes 4.1.0 features the following updated default components:
Xen 4.14
Fedora 32 in dom0
Fedora 34 template
Debian 11 template
Whonix 16 Gateway and Workstation templates
Linux kernel 5.10
How to test Qubes 4.1.0-rc4
If you’re willing to test (https://www.qubes-os.org/doc/testing/) this release candidate, you can help to
improve the stable release by reporting any bugs you encounter (https://www.qubes-os.org/doc/issue-tracking/).
Experienced users are strongly encouraged to join the testing team (https://forum.qubes-os.org/t/joining-the-testing-team/5190)!
How to migrate to 4.1.0-rc4:
If you’re already on any 4.1.0 release candidate, simply perform a
normal update (https://www.qubes-os.org/doc/how-to-update/).
If you’re not on a 4.1.0 release candidate yet, you have two options:
Back up (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#creating-a-backup) your current installation, download (https://www.qubes-os.org/downloads/) 4.1.0-rc4, perform
a fresh install (https://www.qubes-os.org/doc/installation-guide/), then restore (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#restoring-from-a-backup) from your backup.
Perform an in-place upgrade (https://www.qubes-os.org/doc/upgrade/4.1/).
Release candidate planning
With each new release candidate, Qubes 4.1.0 becomes more stable as
testers report bugs and our developers fix them. As explained in our
general release schedule (https://www.qubes-os.org/doc/version-scheme/#release-schedule), this cycle will continue until no major bugs
are discovered, at which point the last release candidate will be
declared the stable 4.1.0 release. Until then, we plan to have new
release candidates approximately every five weeks.
XSAs released on 2022-01-25
https://www.qubes-os.org/news/2022/01/25/xsas-released-on-2022-01-25/
The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS is affected.
Therefore, user action is required.
XSAs that affect the security of Qubes OS (user action required)
The following XSAs do affect the security of Qubes OS:
XSA-395
Please see QSB-075 for the actions users must take in order to
protect themselves, as well as further details about these XSAs:
https://www.qubes-os.org/news/2022/01/25/qsb-075/
XSAs that do not affect the security of Qubes OS (no user action required)
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
XSA-393 (ARM architectures only)
XSA-394 (denial-of-service only)
Related links
Xen XSA list: https://xenbits.xen.org/xsa/
Qubes XSA tracker: https://www.qubes-os.org/security/xsa/
Qubes security pack (qubes-secpack): https://www.qubes-os.org/security/pack/
Qubes security bulletins (QSBs): https://www.qubes-os.org/security/qsb/
https://www.qubes-os.org/news/2022/01/25/xsas-released-on-2022-01-25/
The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS is affected.
Therefore, user action is required.
XSAs that affect the security of Qubes OS (user action required)
The following XSAs do affect the security of Qubes OS:
XSA-395
Please see QSB-075 for the actions users must take in order to
protect themselves, as well as further details about these XSAs:
https://www.qubes-os.org/news/2022/01/25/qsb-075/
XSAs that do not affect the security of Qubes OS (no user action required)
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
XSA-393 (ARM architectures only)
XSA-394 (denial-of-service only)
Related links
Xen XSA list: https://xenbits.xen.org/xsa/
Qubes XSA tracker: https://www.qubes-os.org/security/xsa/
Qubes security pack (qubes-secpack): https://www.qubes-os.org/security/pack/
Qubes security bulletins (QSBs): https://www.qubes-os.org/security/qsb/
QSB-075: Insufficient cleanup of passed-through device IRQs (XSA-395)
https://www.qubes-os.org/news/2022/01/25/qsb-075/
We have just published Qubes Security Bulletin (QSB) 075:
Insufficient cleanup of passed-through device IRQs (XSA-395).
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-075 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-075-2022.txt
In addition, you may wish to:
Get the qubes-secpack: https://www.qubes-os.org/security/pack/
View all past QSBs: https://www.qubes-os.org/security/qsb/
View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 075 ]===---
2022-01-25
Insufficient cleanup of passed-through device IRQs (XSA-395)
User action required
---------------------
Users must install the following specific packages in order to address
the issues discussed in this bulletin:
For Qubes 4.0, in dom0:
- Xen packages, version 4.8.5-37
For Qubes 4.1, in dom0:
- Xen packages, version 4.14.3-8
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]
Dom0 must be restarted afterward in order for the updates to take
effect.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new Xen
binaries.
Summary
--------
On 2022-01-25, the Xen project published XSA-395, "Insufficient cleanup
of passed-through device IRQs" [3]:
| The management of IRQs associated with physical devices exposed to x86
| HVM guests involves an iterative operation in particular when cleaning
| up after the guest's use of the device. In the case where an
| interrupt is not quiescent yet at the time this cleanup gets invoked,
| the cleanup attempt may be scheduled to be retried. When multiple
| interrupts are involved, this scheduling of a retry may get
| erroneously skipped. At the same time pointers may get cleared
| (resulting in a de-reference of NULL) and freed (resulting in a
| use-after-free), while other code would continue to assume them to be
| valid.
Impact
-------
The precise impact is system-specific but would typically be a denial of
service (DoS) affecting the entire host. Privilege escalation and
information leaks cannot be ruled out.
Only x86 HVM guests with one or more passed-through physical devices
using multiple physical interrupts together can exploit this
vulnerability. In Qubes, this generally applies to sys-usb and sys-net,
but whether the relevant devices use multiple interrupts together is
system-specific.
Credits
--------
See the original Xen Security Advisory.
References
-----------
[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-395.html
--
The Qubes Security Team
https://www.qubes-os.org/security/
https://www.qubes-os.org/news/2022/01/25/qsb-075/
We have just published Qubes Security Bulletin (QSB) 075:
Insufficient cleanup of passed-through device IRQs (XSA-395).
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-075 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-075-2022.txt
In addition, you may wish to:
Get the qubes-secpack: https://www.qubes-os.org/security/pack/
View all past QSBs: https://www.qubes-os.org/security/qsb/
View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 075 ]===---
2022-01-25
Insufficient cleanup of passed-through device IRQs (XSA-395)
User action required
---------------------
Users must install the following specific packages in order to address
the issues discussed in this bulletin:
For Qubes 4.0, in dom0:
- Xen packages, version 4.8.5-37
For Qubes 4.1, in dom0:
- Xen packages, version 4.14.3-8
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]
Dom0 must be restarted afterward in order for the updates to take
effect.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new Xen
binaries.
Summary
--------
On 2022-01-25, the Xen project published XSA-395, "Insufficient cleanup
of passed-through device IRQs" [3]:
| The management of IRQs associated with physical devices exposed to x86
| HVM guests involves an iterative operation in particular when cleaning
| up after the guest's use of the device. In the case where an
| interrupt is not quiescent yet at the time this cleanup gets invoked,
| the cleanup attempt may be scheduled to be retried. When multiple
| interrupts are involved, this scheduling of a retry may get
| erroneously skipped. At the same time pointers may get cleared
| (resulting in a de-reference of NULL) and freed (resulting in a
| use-after-free), while other code would continue to assume them to be
| valid.
Impact
-------
The precise impact is system-specific but would typically be a denial of
service (DoS) affecting the entire host. Privilege escalation and
information leaks cannot be ruled out.
Only x86 HVM guests with one or more passed-through physical devices
using multiple physical interrupts together can exploit this
vulnerability. In Qubes, this generally applies to sys-usb and sys-net,
but whether the relevant devices use multiple interrupts together is
system-specific.
Credits
--------
See the original Xen Security Advisory.
References
-----------
[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-395.html
--
The Qubes Security Team
https://www.qubes-os.org/security/
👍1