On 2017-05-02 15:11, Jean-Philippe Ouellet wrote:
> On Tue, May 2, 2017 at 8:10 AM, Andrew David Wong <[email protected]> wrote:
>> Dear Qubes community,
>>
>> We have just published Qubes Security Bulletin (QSB) #30:
>> Critical Xen bugs related to PV memory virtualization (XSA-213, XSA-214).
>> [...]
>> ---===[ Qubes Security Bulletin #30 ]===---
>> [...]
>> Commentary
>> ===========
>> [...]
>> Some might argue that having only four fatal bugs (among other not-that-fatal
>> ones [15]) in 8 years is a reasonably good result, especially compared to other
>> desktop systems. We, however, have been deeply upset by each and every of these
>> bugs. In fact, after we learned of the second of these (XSA-212) 10 months ago,
>> we immediately began working on a way to move away from using PV-based VMs and
>> toward using only hardware-based virtualization (HVM) VMs in Qubes 4.x [6].
>
> Let's see... knew 10 months ago, XSA-212 public release was 2017-04-04,
> (~1 month ago), so a 9 month embargo period for something so critical!?!?
>
> Is this a typo? Did you perhaps mean XSA-182 [1] (published 2016-07-26,
> which was indeed closer to 10 months ago)?

Yes, that's a typo. "The second of these" in the preceding list is XSA-182. (Also, if you look at ref [6], it's a link to QSB #24, which was the QSB for XSA-182.) Fixed:

https://github.com/QubesOS/qubes-secpack/commit/731e36a62528d7cd823a18569e5308181cdaa355

Thanks for pointing it out!

> Is the Xen disclosure process
> actually that slow??
>
> It would be nice for transparency if a timeline were included in XSAs...
>
> Cheers,
> Jean-Philippe
>
> [1]: XSA-182, "x86: Privilege escalation in PV guests"
> https://xenbits.xen.org/xsa/advisory-182.html
>

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
