On Tue, May 2, 2017 at 8:10 AM, Andrew David Wong <[email protected]> wrote:
> Dear Qubes community,
>
> We have just published Qubes Security Bulletin (QSB) #30:
> Critical Xen bugs related to PV memory virtualization (XSA-213, XSA-214).
> [...]
> ---===[ Qubes Security Bulletin #30 ]===---
> [...]
> Commentary
> ===========
> [...]
> Some might argue that having only four fatal bugs (among other not-that-fatal
> ones [15]) in 8 years is a reasonably good result, especially compared to other
> desktop systems. We, however, have been deeply upset by each and every one of
> these bugs. In fact, after we learned of the second of these (XSA-212) 10 months
> ago, we immediately began working on a way to move away from using PV-based VMs
> and toward using only hardware-based virtualization (HVM) VMs in Qubes 4.x [6].
Let's see... knew 10 months ago, XSA-212's public release was 2017-04-04
(~1 month ago), so a 9-month embargo period for something so critical!?!?
Is this a typo? Did you perhaps mean XSA-182 [1] (published 2016-07-26,
which was indeed closer to 10 months ago)? Is the Xen disclosure process
actually that slow??
It would be nice for transparency if a timeline were included in XSAs...
Cheers,
Jean-Philippe
[1]: XSA-182, "x86: Privilege escalation in PV guests"
https://xenbits.xen.org/xsa/advisory-182.html