[qubes-users] QSB-063: Multiple Xen issues (XSA-115, XSA-325, XSA-350)

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 063: Stack corruption from XSA-346 change (XSA-355). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View QSB-063 in the qubes-secpack:

Learn about the qubes-secpack, including how to obtain, verify, and read it:

View all past QSBs:

View the XSA Tracker:

```

              ---===[ Qubes Security Bulletin 063 ]===---

                              2020-12-15

            Multiple Xen issues (XSA-115, XSA-325, XSA-350)

User action required
```

Dear Andrew,

> For Qubes 4.0:
> - Xen packages, version 4.8.5-28
> - Linux kernel packages, versions 5.9.14-1, 5.4.83-1, 4.19.163-1

how do I fetch 4.19.163-1 for example? I tried

sudo dnf install kernel-1000:4.19.163-1.pvops.qubes.x86_64

but this gives "no package available". Same happens for 5.9.14-1. Also

sudo qubes-dom0-update --action=install kernel-1000:4.19.163-1.pvops.qubes.x86_64

fails. What am I missing?? Thank you.

The packages are likely still in security testing, not in the stable repo.
You need the enablerepo parameter. From the original announcement:

Right! Thank you. That indeed brought 4.19.163. But still

  sudo qubes-dom0-update --action=install kernel-1000:5.9.14-1.qubes.x86_64 --enablerepo=qubes-dom0-security-testing

does not work. The main question seems: how do you get the correct
package name? Since a simple "update" does not install 5.9.14 but only
5.4.83 I have to ask for it "by hand", it seems.

I think the package is called kernel-latest- not just kernel- for 5.9
kernels.

Hi,

After upgrading I get an unbootable system. Using a rescue pen I saw
that xen.cfg has a wrong initramfs for 5.4.832 (4.4.83 instead of 5.4.83).

Could anyone check it? I saw (and maybe modified) it before rebooting
but it is very rare that I accidentally introduced that change.

Whoops, here is a typo. Just to clarify, I mean that kernel '5.4.83-1' had
initramfs '4.4.83-1'.
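
The mismatch reported above (a 5.4.83-1 kernel entry pointing at a 4.4.83-1 initramfs) is the kind of inconsistency that can be checked before rebooting. The following is an added example, not part of the thread and not Qubes tooling; it assumes the Xen EFI config layout (one section per boot entry with `kernel=` and `ramdisk=` keys) and `vmlinuz-<version>` / `initramfs-<version>.img` file names, and the sample config is constructed.

```python
# Constructed sample in the Xen EFI config layout; file names are assumed.
SAMPLE_CFG = """\
[global]
default=5.4.83-1.qubes.x86_64

[5.4.83-1.qubes.x86_64]
kernel=vmlinuz-5.4.83-1.qubes.x86_64 root=/dev/mapper/qubes_dom0-root ro
ramdisk=initramfs-4.4.83-1.qubes.x86_64.img

[4.19.163-1.pvops.qubes.x86_64]
kernel=vmlinuz-4.19.163-1.pvops.qubes.x86_64 root=/dev/mapper/qubes_dom0-root ro
ramdisk=initramfs-4.19.163-1.pvops.qubes.x86_64.img
"""


def parse_sections(text):
    """Return {section: {key: value}} for an INI-like boot config."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def version_of(value, prefix, suffix=""):
    """Version inside the file name that starts a kernel=/ramdisk= value."""
    name = (value.split() or [""])[0]
    if name.startswith(prefix) and name.endswith(suffix):
        return name[len(prefix):len(name) - len(suffix)] or None
    return None


def find_mismatches(text):
    """List (section, kernel_version, ramdisk_version) where they differ."""
    problems = []
    for section, entry in parse_sections(text).items():
        if "kernel" not in entry:
            continue  # [global] holds no boot entry
        kver = version_of(entry["kernel"], "vmlinuz-")
        rver = version_of(entry.get("ramdisk", ""), "initramfs-", ".img")
        if kver is None or kver != rver:
            problems.append((section, kver, rver))
    return problems


if __name__ == "__main__":
    print(find_mismatches(SAMPLE_CFG))
```

Feeding it the text of the installed xen.cfg after a kernel update lists any boot entry whose initramfs version differs from its kernel version; an empty list means every entry is consistent.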