Dear Qubes Community,
The [Xen Project](https://xenproject.org/) has released one or more [Xen security advisories (XSAs)](Xen Security Advisories).
The security of Qubes OS *is affected*.
## XSAs that DO affect the security of Qubes OS
The following XSAs *do affect* the security of Qubes OS:
- [XSA-464](XSA-464 - Xen Security Advisories)
- See [QSB-106](QSB-106: Information disclosure through uninitialized memory in libxl | Qubes OS)
## XSAs that DO NOT affect the security of Qubes OS
The following XSAs *do not affect* the security of Qubes OS, and no user action is necessary:
- [XSA-463](XSA-463 - Xen Security Advisories)
- Denial of service only
## About this announcement
Qubes OS uses the [Xen hypervisor](Xen Project Software Overview - Xen) as part of its [architecture](Architecture | Qubes OS). When the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability in the Xen hypervisor, they issue a notice called a [Xen security advisory (XSA)](Xen Security Problem Response Process - Xen Project). Vulnerabilities in the Xen hypervisor sometimes have security implications for Qubes OS. When they do, we issue a notice called a [Qubes security bulletin (QSB)](Qubes security bulletins (QSBs) | Qubes OS). (QSBs are also issued for non-Xen vulnerabilities.) However, QSBs can provide only *positive* confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs cannot provide *negative* confirmation that other XSAs do *not* affect the security of Qubes OS. Therefore, we also maintain an [XSA tracker](Xen security advisory (XSA) tracker | Qubes OS), which is a comprehensive list of all XSAs publicly disclosed to date, including whether each one affects the security of Qubes OS. When new XSAs are published, we add them to the XSA tracker and publish a notice like this one in order to inform Qubes users that a new batch of XSAs has been released and whether each one affects the security of Qubes OS.
This announcement is also available on the Qubes website: