Dear Qubes Community, The [Xen Project](https://xenproject.org/) has released one or more [Xen security advisories (XSAs)](https://xenbits.xen.org/xsa/). The security of Qubes OS is *not* affected.
## XSAs that DO affect the security of Qubes OS The following XSAs *do affect* the security of Qubes OS: - (none) ## XSAs that DO NOT affect the security of Qubes OS The following XSAs *do not affect* the security of Qubes OS, and no user action is necessary: - [XSA-472](https://xenbits.xen.org/xsa/advisory-472.html) - Due to a bug, Viridian extensions are currently not enabled in Qubes OS. Although Viridian extensions are enabled in our libvirt config, this setting is mostly ignored by libvirt. While it is used when libvirt converts the XML config to the xl config format, it is *not* used when actually creating a VM. Advanced users who wish to confirm this on their own systems may do so with the command `sudo xl list -l <NAME_OF_HVM>` in dom0. - [XSA-473](https://xenbits.xen.org/xsa/advisory-473.html) - This XSA affects only ARM devices. Qubes OS does not currently support ARM devices. - [XSA-474](https://xenbits.xen.org/xsa/advisory-474.html) - This XSA affects only XAPI, which is an alternative toolstack. Qubes OS uses libxl instead of XAPI. ## About this announcement Qubes OS uses the [Xen hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as part of its [architecture](https://www.qubes-os.org/doc/architecture/). When the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability in the Xen hypervisor, they issue a notice called a [Xen security advisory (XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in the Xen hypervisor sometimes have security implications for Qubes OS. When they do, we issue a notice called a [Qubes security bulletin (QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for non-Xen vulnerabilities.) However, QSBs can provide only *positive* confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs cannot provide *negative* confirmation that other XSAs do *not* affect the security of Qubes OS. Therefore, we also maintain an [XSA tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list of all XSAs publicly disclosed to date, including whether each one affects the security of Qubes OS. When new XSAs are published, we add them to the XSA tracker and publish a notice like this one in order to inform Qubes users that a new batch of XSAs has been released and whether each one affects the security of Qubes OS. This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2025/09/09/xsas-released-on-2025-09-09/ -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/qubes-devel/458ec7f9-3c8a-4e0e-b654-cf81b8e8a15e%40qubes-os.org.
