[qubes-users] QSB-069: Multiple Xen and Intel issues

adw · June 9, 2021, 1:06am

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 069: Multiple Xen and Intel issues. The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View QSB-069 in the qubes-secpack:

github.com

QubesOS/qubes-secpack/blob/master/QSBs/qsb-069-2021.txt



             ---===[ Qubes Security Bulletin 069 ]===---

                             2021-06-08


                    Multiple Xen and Intel issues
        (XSA-373, XSA-374, XSA-375, XSA-377, INTEL-SA-00442)


User action required
=====================

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.0, in dom0:
  - Xen packages, version 4.8.5-34
  - Linux kernel packages, versions 5.12.9-1 (for users of the "latest"

This file has been truncated. show original

Learn about the qubes-secpack, including how to obtain, verify, and read it:

View all past QSBs:

```

---===[ Qubes Security Bulletin 069 ]===---

2021-06-08

Multiple Xen and Intel issues
(XSA-373, XSA-374, XSA-375, XSA-377, INTEL-SA-00442)

User action required

Ulrich_Windl · June 9, 2021, 9:07pm

...

User action required

Users must install the following specific packages in order to address
the issues discussed in this bulletin:
  For Qubes 4\.0, in dom0:
  \- Xen packages, version 4\.8\.5\-34
  \- Linux kernel packages, versions 5\.12\.9\-1 \(for users of the &quot;latest&quot;
    kernel flavor\)
  \- microcode\_ctl package, version 2\.1\-33\.qubes1 \(for Intel CPU users\)

After updating today no kernel was offered; I still have:
# rpm -qa kernel\*
kernel-5.4.88-1.qubes.x86_64
kernel-5.4.98-1.fc25.qubes.x86_64
kernel-qubes-vm-5.4.98-1.fc25.qubes.x86_64
kernel-5.4.107-1.fc25.qubes.x86_64
kernel-qubes-vm-5.4.107-1.fc25.qubes.x86_64
kernel-qubes-vm-5.4.88-1.qubes.x86_64

Somehow I'm missing instructions to get that kernel...

My repositories are:

Ludovic_Bellier · June 9, 2021, 9:33pm

After updating today no kernel was offered; I still have:
# rpm -qa kernel\*
kernel-5.4.88-1.qubes.x86_64
kernel-5.4.98-1.fc25.qubes.x86_64
kernel-qubes-vm-5.4.98-1.fc25.qubes.x86_64
kernel-5.4.107-1.fc25.qubes.x86_64
kernel-qubes-vm-5.4.107-1.fc25.qubes.x86_64
kernel-qubes-vm-5.4.88-1.qubes.x86_64

Somehow I'm missing instructions to get that kernel...

Hi Ulrich,

 please, re\-read the QSB, you missed \*\*security\-testing repository\*\* :

> These packages will migrate from the security-testing repository to the
> current (stable) repository over the next two weeks after being tested
> by the community. [1] Once available, the packages are to be installed
> via the Qubes Update Tool or its command-line equivalents. [2]

 The QSB provides the links to the documentation which explains how to update from security\-testing, else wait \~2 weeks\.

 The kernel update is only if you use \`kernel latest\` \(i\.e\. 5\.5 kernel\), but you use a 5\.4 kernel\. The xen and intel\-microcode update is for everyone\.

 Same for your post about XScreenSaver : \*\*security\-testing repository\*\*\.

 I did all theses update on my Qubes\-OS host, from now, no detected issue\.

Regards,

Ludovic

adw · June 9, 2021, 11:01pm

Ludovic is correct. The kernel update is only for people who are using `kernel-latest`, as clearly stated in the QSB. You would know if you were using `kernel-latest`, as you would've had to take deliberate action to start using it. If you never did anything to change from the default kernel, then this kernel update doesn't apply to you, and it's expected that you would not see any kernel updates associated with this QSB.