Looks like another* QSB containing ~~not one, but two vulnerabilities~~ (Edit: XSA-374 doesn’t concern sys-net. I wasn’t thinking straight. Excuse me while I put on my dunce hat and sit in this corner for a bit. Don’t mind the drool.) a vulnerability that particularly impacts sys-net. As noted before, because sys-net is an HVM with PCI access, it is the weak link in our systems’ security–especially because it can’t sit behind a firewall (unless external).
Sometimes I just feel like we should crowdfund development of a unikernel like Mirage to replace sys-net, if only just for Ethernet connections (if you’re this worried about your security, you shouldn’t be using WiFi anyways).
XSA-337: A malicious HVM with a PCI device (such as sys-net or sys-usb in the default Qubes OS configuration) can potentially compromise the whole system.
Not technically-trained; consume advice with salt