Qubes OS updates Weekly Review - Y2025-W20
Introduction
Weekly review of new packages uploaded to Qubes OS repositories. Link to previous Newsletter here.
Alphabetically sorted list of new packages uploaded to Qubes OS repositories
amd-gpu-firmware-20250509-1.fc37.noarch.rpm
amd-gpu-firmware-20250509-1.fc41.noarch.rpm
amd-ucode-firmware-20250509-1.fc37.noarch.rpm
amd-ucode-firmware-20250509-1.fc41.noarch.rpm
atheros-firmware-20250509-1.fc37.noarch.rpm
atheros-firmware-20250509-1.fc41.noarch.rpm
brcmfmac-firmware-20250509-1.fc37.noarch.rpm
brcmfmac-firmware-20250509-1.fc41.noarch.rpm
cirrus-audio-firmware-20250509-1.fc37.noarch.rpm
cirrus-audio-firmware-20250509-1.fc41.noarch.rpm
dvb-firmware-20250509-1.fc37.noarch.rpm
dvb-firmware-20250509-1.fc41.noarch.rpm
intel-audio-firmware-20250509-1.fc37.noarch.rpm
intel-audio-firmware-20250509-1.fc41.noarch.rpm
intel-gpu-firmware-20250509-1.fc37.noarch.rpm
intel-gpu-firmware-20250509-1.fc41.noarch.rpm
intel-vsc-firmware-20250509-1.fc37.noarch.rpm
intel-vsc-firmware-20250509-1.fc41.noarch.rpm
iwlegacy-firmware-20250509-1.fc37.noarch.rpm
iwlegacy-firmware-20250509-1.fc41.noarch.rpm
iwlwifi-dvm-firmware-20250509-1.fc37.noarch.rpm
iwlwifi-dvm-firmware-20250509-1.fc41.noarch.rpm
iwlwifi-mvm-firmware-20250509-1.fc37.noarch.rpm
iwlwifi-mvm-firmware-20250509-1.fc41.noarch.rpm
libertas-firmware-20250509-1.fc37.noarch.rpm
libertas-firmware-20250509-1.fc41.noarch.rpm
linux-firmware-20250509-1.fc37.noarch.rpm
linux-firmware-20250509-1.fc41.noarch.rpm
linux-firmware-whence-20250509-1.fc37.noarch.rpm
linux-firmware-whence-20250509-1.fc41.noarch.rpm
liquidio-firmware-20250509-1.fc37.noarch.rpm
liquidio-firmware-20250509-1.fc41.noarch.rpm
microcode_ctl-2.1.20250512-58.qubes1.fc37.x86_64.rpm
microcode_ctl-2.1.20250512-58.qubes1.fc41.x86_64.rpm
mlxsw_spectrum-firmware-20250509-1.fc37.noarch.rpm
mlxsw_spectrum-firmware-20250509-1.fc41.noarch.rpm
mrvlprestera-firmware-20250509-1.fc37.noarch.rpm
mrvlprestera-firmware-20250509-1.fc41.noarch.rpm
mt7xxx-firmware-20250509-1.fc37.noarch.rpm
mt7xxx-firmware-20250509-1.fc41.noarch.rpm
netronome-firmware-20250509-1.fc37.noarch.rpm
netronome-firmware-20250509-1.fc41.noarch.rpm
nvidia-gpu-firmware-20250509-1.fc37.noarch.rpm
nvidia-gpu-firmware-20250509-1.fc41.noarch.rpm
nxpwireless-firmware-20250509-1.fc37.noarch.rpm
nxpwireless-firmware-20250509-1.fc41.noarch.rpm
python3-xen-4.17.5-7.fc37.x86_64.rpm
python3-xen-4.19.2-2.fc41.x86_64.rpm
qcom-firmware-20250509-1.fc37.noarch.rpm
qcom-firmware-20250509-1.fc41.noarch.rpm
qed-firmware-20250509-1.fc37.noarch.rpm
qed-firmware-20250509-1.fc41.noarch.rpm
qubes-template-kicksecure-17-4.2.0-202505131900.noarch.rpm
qubes-template-kicksecure-17-4.3.0-202505131900.noarch.rpm
qubes-template-whonix-gateway-17-4.2.0-202505140948.noarch.rpm
qubes-template-whonix-gateway-17-4.3.0-202505132012.noarch.rpm
qubes-template-whonix-workstation-17-4.2.0-202505140948.noarch.rpm
qubes-template-whonix-workstation-17-4.3.0-202505132012.noarch.rpm
qubes-vm-xen-4.17.5-7-x86_64.pkg.tar.zst
realtek-firmware-20250509-1.fc37.noarch.rpm
realtek-firmware-20250509-1.fc41.noarch.rpm
tiwilink-firmware-20250509-1.fc37.noarch.rpm
tiwilink-firmware-20250509-1.fc41.noarch.rpm
xen-4.17.5-7.fc37.x86_64.rpm
xen-4.19.2-2.fc41.x86_64.rpm
xen-devel-4.17.5-7.fc37.x86_64.rpm
xen-devel-4.19.2-2.fc41.x86_64.rpm
xen-doc-4.17.5-7.fc37.noarch.rpm
xen-doc-4.19.2-2.fc41.noarch.rpm
xen-hypervisor-4.17.5-7.fc37.x86_64.rpm
xen-hypervisor-4.19.2-2.fc41.x86_64.rpm
xen-libs-4.17.5-7.fc37.x86_64.rpm
xen-libs-4.19.2-2.fc41.x86_64.rpm
xen-licenses-4.17.5-7.fc37.x86_64.rpm
xen-licenses-4.19.2-2.fc41.x86_64.rpm
xen-runtime-4.17.5-7.fc37.x86_64.rpm
xen-runtime-4.19.2-2.fc41.x86_64.rpm
Highlights
- Security fixes for Intel CPUs
Details
In addition to the usual minor fixes and patches (full list here):
-
core-admin-client v4.3.16 (r4.3)
. Introduction ofqvm-pause --suspendoption. Unlike the default forceful pause, suspend will put the qube to graceful S3 suspend mode (if it supports it).
. SSL authentication and GPG key verification support for user defined template repositories. If you are currently maintaining a community template, consider studying this specific PR. -
core-admin v4.2.38 (r4.2)
Many of the improvements and fixes which were tested on r4.3 are backported to r4.2. Specifically:
. Fix for restoring qubes with custom labels from backup on systems without such labels.
. Allowing equal sign and coma in feature requests (to support custom kernel command line parameters)
. Assuring (emergency) paused domains remain paused after computer resumes from suspend.
. Assuring USB and/or Network devices function properly after computer resumes from suspend. -
mgmt-salt-base-topd v4.2.1 (r4.2)
Removing a deprecated dependency -
qubes-template-whonix-workstation-17 4.2.0-202505140948 (r4.2)
qubes-template-whonix-workstation-17 4.3.0-202505132012 (r4.3)
qubes-template-whonix-gateway-17 4.2.0-202505140948 (r4.2)
qubes-template-whonix-gateway-17 4.3.0-202505132012 (r4.3)
qubes-template-kicksecure-17 4.3.0-202505131900 (r4.3)
qubes-template-kicksecure-17 4.2.0-202505131900 (r4.2)
Fresh set of Whonix and Kicksecure testing templates (see epilogue) -
vmm-xen v4.19.2-2 (r4.3)
vmm-xen v4.17.5-7 (r4.2)
XSA-469 security fixes for QSB-107. You need this if you have an Intel CPU. -
intel-microcode v20250512 (r4.3)
intel-microcode v20250512 (r4.2)
Intel Microcode to fix QSB-107. -
linux-firmware v20250509-1 (r4.3)
linux-firmware v20250509-1 (r4.2)
Firmware updates sent to Linux Kernel by hardware vendors (AMD, Intel, Realtek, Mediatek, Broadcom, Atheros, …). See full list.
Epilogue
In parallel universes, heavy development of SecureDrop has been in progress during the past few days. If you are journalist or someone who depends on it, keep an eye on its repository and/or Freedom of the Press Foundation announcements. Whonix and Kicksecure are also going through major improvements (e.g. introduction of sysmaint - System Maintenance User).