We have just published Qubes Security Bulletin (QSB) #060: Multiple Xen
issues (XSA-345, XSA-346, XSA-347). The text of this QSB is reproduced
below. This QSB and its accompanying signatures will always be available
in the Qubes Security Pack (qubes-secpack).
*Special note:* Although XSA-345 is included in this QSB, we do not
consider XSA-345 to affect the security of Qubes OS [1], since the
default configuration is safe, and we have already implemented
appropriate safeguards to prevent users from changing to a vulnerable
configuration by accident. Please see the Impact section in QSB #060
below for further details.
XSA-346, XSA-457: A malicious domain with a PCI device (e.g., sys-net or
sys-usb in the default configuration) could try to exploit this
vulnerability in order to crash the host.
Just wanted to point out that there’s a very minor typo here (‘XSA-457’). Also, since the last QSB was posted on Discourse, I was wondering if this should be too.
Edit: Disregard the last sentence–I just noticed that posts in Qubes-Users get linked here.
XSA-346, XSA-457: A malicious domain with a PCI device (e.g., sys-net or
sys-usb in the default configuration) could try to exploit this
vulnerability in order to crash the host.
Just wanted to point out that there's a very minor typo here ('XSA-457').
Thank you for pointing out the typo. We'll make sure this gets fixed in the repo and website versions.
Also, since the last QSB was posted on Discourse, I was wondering if this
should be too.