Qubes OS📢

Channel address: @qubesos
Categories: Technologies
Language: English
Subscribers: 1.03K
Description from channel

A reasonably secure operating system for personal computers.
Qubes-OS.org
⚠️ This channel is updated ASAP after devs make an announcement to the project.
Help?
English Group: t.me/joinchat/B8FHpkEToMfgdREGV7wzRQ
German Group: @QubesOS_user_de

The latest Messages

2021-12-14 05:04:56 that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to anybody.
None of the signers should be ever held legally responsible for any of
the statements made here.


Proof of freshness
-------------------

Mon, 13 Dec 2021 01:15:23 +0000

Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
Resurrection of the SP: The Unexpected Rise of Germany's New Chancellor, Olaf Scholz
BioNTech Founder Şahin on the Omicron Variant: “It Will Make Scientific Sense To Offer Booster after Three Months”
City of Warriors: Resistance Across the Border to the Myanmar Military Junta
Deadly Intrigue: The Story of the Destruction of an Aid Organization
The One-Man State: Viktor Orbán and the Fall of Democracy in Hungary

Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Haiti’s Leader Kept a List of Drug Traffickers. His Assassins Came for It.
‘Our Boat Was Surrounded by Dead Bodies’: Witnessing a Migrant Tragedy
Israeli Leader Travels to U.A.E., Showcasing Deepening Ties
New Caledonia Says ‘Non’ to Independence
Diplomats Warn Russia of ‘Massive Consequences’ if It Invades Ukraine

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Kentucky tornadoes: Death toll likely to pass 100, governor says
Kentucky tornadoes: 100 year-old-church destroyed in seconds
Vladimir Putin: I moonlighted as a taxi driver in the 1990s
Black Axe: Leaked documents shine spotlight on secretive Nigerian gang
Alibaba fires woman who claimed sexual assault

Source: Blockchain.info
00000000000000000001b7c62afe91ab5ddb7ce534f4868fc71e4c9e4797f7b2


Footnotes
----------

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this canary
in the qubes-secpack.git repo, and (2) via digital signatures on the
corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the
digital signatures! Instructions for doing so are documented here:
https://www.qubes-os.org/security/pack/

[3] https://github.com/QubesOS/qubes-issues/issues/6470

--
The Qubes Security Team
https://www.qubes-os.org/security/
2021-12-14 05:04:55 Qubes Canary 029
https://www.qubes-os.org/news/2021/12/13/canary-029/

We have published Qubes Canary 029. The text of this canary is
reproduced below.

This canary and its accompanying signatures will always be available in
the Qubes security pack (qubes-secpack).

View Qubes Canary 029 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-029-2021.txt

Learn how to obtain and authenticate the qubes-secpack and all the
signatures it contains:

https://www.qubes-os.org/security/pack/

View all past canaries:

https://www.qubes-os.org/security/canary/


---===[ Qubes Canary 029 ]===---


Statements
-----------

The Qubes security team members who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is December 13, 2021.

2. There have been 74 Qubes security bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).

5. We plan to publish the next of these canary statements in the first
fourteen days of March 2022. Special note should be taken if no new
canary is published by that time or if the list of statements changes
without plausible explanation.


Special announcements
----------------------

Many PGP keys in the Qubes security pack (qubes-secpack) that are used
elsewhere in the project (such as the Qubes builder), including the
Qubes Master Signing Key (QMSK), were signed or self-signed using the
SHA-1 hash function. Unlike some other uses of SHA-1, its use in our PGP
signatures does not pose a noteworthy security risk unless an adversary
is capable of performing a successful preimage attack (not merely a
collision attack). Since there are presently no known feasible attacks
against the preimage resistance of full SHA-1, our use of SHA-1 in PGP
signatures does not currently pose a relevant security risk.
Nonetheless, as a preemptive defense-in-depth enhancement and to support
deprecation of SHA-1 in tooling, we have decided to re-(self-)sign many
of these keys using SHA-256 or SHA-512. [3]

In addition, the qubes-secpack contains several expired code signing
keys, old release keys, and keys belonging to individuals who are no
longer active Qubes developers. We have decided to move these keys into
new "retired" subdirectories. (We've decided to move them rather than
delete them, since some users may wish to use them to authenticate old
signatures. Note that this is merely a matter of convenience, since even
deleted files always remain in the Git repository's history and can
always be retrieved that way.)

To be clear, none of the actions described here constitute a response to
any security incident. To our knowledge, the keys in the qubes-secpack
are not and have never been at risk. No key fingerprints have changed as
a result of these actions. We consider this updating and cleanup of the
keys to be more of a "housekeeping" task.


Disclaimers and notes
----------------------

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently compromised.
This means that we assume NO trust in any of the servers or services
which host or provide any Qubes-related data, in particular, software
updates, source code repositories, and Qubes ISO downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other means,
like blackmail or compromising the signers' laptops, to coerce us to
produce false declarations.

The proof of freshness provided below serves to demonstrate that this
canary could not have been created prior to the date stated. It shows
2021-12-07 21:35:14 Debian 11 templates available
https://www.qubes-os.org/news/2021/12/07/debian-11-templates-available/

New Debian 11 templates are available for both Qubes 4.0 and 4.1.

We provide fresh Debian 11 template packages through the official Qubes
repositories, which you can install in dom0 by following the standard
installation instructions (https://www.qubes-os.org/doc/templates/debian/#installing). Alternatively, we also provide step-by-step
instructions for performing an in-place upgrade (https://www.qubes-os.org/doc/template/debian/upgrade/) of an existing Fedora
template. After upgrading your templates, please remember to switch all
qubes that were using the old template to use the new one (https://www.qubes-os.org/doc/templates/#switching).

For a complete list of template releases that are supported for your
specific Qubes release, see our supported template releases (https://www.qubes-os.org/doc/supported-releases/#templates).

Please note that no user action is required regarding the OS version in
dom0. For details, please see our note on dom0 and EOL (https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol).
2021-12-02 18:15:34 XEN PROJECT SHIPS VERSION 4.16 WITH FOCUS ON IMPROVED PERFORMANCE SECURITY AND HARDWARE SUPPORT
https://xenproject.org/2021/12/02/xen-project-ships-version-4-16-with-focus-on-improved-performance-security-and-hardware-support/

NEW VERSION INTRODUCES ARM VIRTUAL PERFORMANCE MONITOR COUNTERS AND BROADER X86 HARDWARE SUPPORT. COMMUNITY INITIATIVES, INCLUDING FUNCTIONAL SAFETY AND VIRTIO, CONTINUE TO PROGRESS. The Xen Project, an open source hypervisor...
2021-11-30 16:05:43 Fedora 33 has reached EOL
https://www.qubes-os.org/news/2021/11/30/fedora-33-eol/

As previously announced (https://www.qubes-os.org/news/2021/11/11/fedora-33-approaching-eol-fedora-34-templates-available/), Fedora 33 has reached EOL (end-of-life (https://fedoraproject.org/wiki/End_of_life)).
If you have not already done so, we strongly recommend upgrading (https://www.qubes-os.org/doc/templates/fedora/#upgrading) your
Fedora 33 templates and standalones to Fedora 34 immediately.

We provide fresh Fedora 34 template packages through the official Qubes
repositories, which you can install in dom0 by following the standard
installation instructions (https://www.qubes-os.org/doc/templates/fedora/#installing). Alternatively, we also provide step-by-step
instructions for performing an in-place upgrade (https://www.qubes-os.org/doc/template/fedora/upgrade/) of an existing Fedora
template. After upgrading your templates, please remember to switch all
qubes that were using the old template to use the new one (https://www.qubes-os.org/doc/templates/#switching).

For a complete list of template releases that are supported for your
specific Qubes release, see our supported template releases (https://www.qubes-os.org/doc/supported-releases/#templates).

Please note that no user action is required regarding the OS version in
dom0. For details, please see our note on dom0 and EOL (https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol).

Note for 4.1 release candidate testers: Qubes R4.1-rc1 already
includes the Fedora 34 template by default, so no action is required.
2021-11-24 11:40:17 enabled. In the default Qubes OS configuration, this excludes sys-net
and sys-usb, which have memory assigned statically. All other
Linux-based qubes are affected.


Credits
--------

See the original Xen Security Advisories.


References
-----------

[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-388.html
[4] https://xenbits.xen.org/xsa/advisory-389.html

--
The Qubes Security Team
https://www.qubes-os.org/security/
2021-11-24 11:40:17 QSB-074: Xen issues related to populate-on-demand (XSA-388, XSA-389)
https://www.qubes-os.org/news/2021/11/24/qsb-074/

We have just published Qubes Security Bulletin (QSB) 074:
Xen issues related to populate-on-demand (XSA-388, XSA-389).
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).

View QSB-074 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-074-2021.txt

In addition, you may wish to:


Get the qubes-secpack: https://www.qubes-os.org/security/pack/
View all past QSBs: https://www.qubes-os.org/security/qsb/
View the XSA Tracker: https://www.qubes-os.org/security/xsa/



---===[ Qubes Security Bulletin 074 ]===---

2021-11-23

Xen issues related to populate-on-demand (XSA-388, XSA-389)


User action required
---------------------

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

For Qubes 4.0, in dom0:
- Xen packages, version 4.8.5-36

For Qubes 4.1, in dom0:
- Xen packages, version 4.14.3-4

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.


Summary
--------

The following security advisories were published on 2021-11-23:

XSA-388 [3] "PoD operations on misaligned GFNs":

| x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode,
| to provide a way for them to later easily have more memory assigned.
|
| Guests are permitted to control certain P2M aspects of individual
| pages via hypercalls. These hypercalls may act on ranges of pages
| specified via page orders (resulting in a power-of-2 number of pages).
| The implementation of some of these hypercalls for PoD does not
| enforce the base page frame number to be suitably aligned for the
| specified order, yet some code involved in PoD handling actually makes
| such an assumption.
|
| These operations are XENMEM_decrease_reservation (CVE-2021-28704) and
| XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by
| domains controlling the guest, i.e. a de-privileged qemu or a stub
| domain. (Patch 1, combining the fix to both these two issues.)
|
| In addition handling of XENMEM_decrease_reservation can also trigger a
| host crash when the specified page order is neither 4k nor 2M nor 1G
| (CVE-2021-28708, patch 2).

XSA-389 [4] "issues with partially successful P2M updates on x86":

| x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode,
| to provide a way for them to later easily have more memory assigned.
|
| Guests are permitted to control certain P2M aspects of individual
| pages via hypercalls. These hypercalls may act on ranges of pages
| specified via page orders (resulting in a power-of-2 number of pages).
| In some cases the hypervisor carries out the requests by splitting
| them into smaller chunks. Error handling in certain PoD cases has
| been insufficient in that in particular partial success of some
| operations was not properly accounted for.
|
| There are two code paths affected - page removal (CVE-2021-28705) and
| insertion of new pages (CVE-2021-28709). (We provide one patch which
| combines the fix to both issues.)


Impact
-------

Malicious or buggy guest kernels may be able to mount Denial of Service
(DoS) attacks affecting the entire system. Privilege escalation and
information leaks cannot be ruled out.

These issues affect only qubes that have dynamic memory balancing
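
The XSA-388 text quoted in QSB-074 above describes PoD code that assumed the base GFN was aligned to the requested page order, and a host crash when the order was neither 4k nor 2M nor 1G. As an added illustration (not Xen's code or its patch, and not part of the original post), this C example splits a request into chunks that are each aligned to their own order and use only those three sizes; `split_range`, `demo_split` and the order values 0/9/18 (x86 with 4 KiB base pages) are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Orders of 1G, 2M and 4k mappings, assuming x86 with 4 KiB base pages. */
static const unsigned int supported[] = { 18, 9, 0 };

struct chunk { uint64_t gfn; unsigned int order; };

/* A GFN is aligned for an order when its low `order` bits are all zero. */
static int gfn_aligned(uint64_t gfn, unsigned int order)
{
    return (gfn & ((UINT64_C(1) << order) - 1)) == 0;
}

/* Split [gfn, gfn + 2^order) into chunks whose order is supported and whose
 * base is aligned to that order. Returns the chunk count, or -1 on a bad
 * request or when `out` is too small. */
static int split_range(uint64_t gfn, unsigned int order,
                       struct chunk *out, size_t max)
{
    uint64_t left = UINT64_C(1) << (order > 18 ? 0 : order);
    size_t n = 0, i;
    if (order > 18 || gfn + left < gfn)   /* oversized order or wrap-around */
        return -1;
    while (left) {
        /* Largest supported order aligned here that still fits; 0 always does. */
        for (i = 0; !(gfn_aligned(gfn, supported[i]) &&
                      (UINT64_C(1) << supported[i]) <= left); i++)
            ;
        if (n == max) return -1;
        out[n].gfn = gfn;
        out[n++].order = supported[i];
        gfn += UINT64_C(1) << supported[i];
        left -= UINT64_C(1) << supported[i];
    }
    return (int)n;
}

static struct chunk demo[1024];           /* constructed demo buffer */
static int demo_split(uint64_t gfn, unsigned int order)
{ return split_range(gfn, order, demo, 1024); }

int main(void)
{
    printf("aligned 2M: %d, misaligned 2M: %d, order 10: %d chunks\n",
           demo_split(0x200, 9), demo_split(0x201, 9), demo_split(0x400, 10));
    return 0;
}
```

A misaligned 2M request falls back to 4k chunks, and an intermediate order such as 10 becomes two aligned 2M chunks, so later code only ever sees the three sizes it handles.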
2021-11-24 11:39:17 XSAs released on 2021-11-23
https://www.qubes-os.org/news/2021/11/24/xsas-released-on-2021-11-23/

The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS is affected.
Therefore, user action is required.

XSAs that affect the security of Qubes OS (user action required)

The following XSAs do affect the security of Qubes OS:


XSA-388
XSA-389


Please see QSB-074 for the actions users must take in order to
protect themselves, as well as further details about these XSAs:

https://www.qubes-os.org/news/2021/11/24/qsb-074/

XSAs that do not affect the security of Qubes OS (no user action required)

The following XSAs do not affect the security of Qubes OS, and no
user action is necessary:


XSA-385 (DoS only; Qubes has BIGMEM disabled)
XSA-387 (Qubes has grant tables v2 disabled)


Related links


Xen XSA list: https://xenbits.xen.org/xsa/
Qubes XSA tracker: https://www.qubes-os.org/security/xsa/
Qubes security pack (qubes-secpack): https://www.qubes-os.org/security/pack/
Qubes security bulletins (QSBs): https://www.qubes-os.org/security/qsb/