On 2018-08-14 21:38, Sphere wrote:
> CVE-2018-3646 in particular is alarming:
> "The third flaw, CVE-2018-3646, has a CVSS Base Score of 7.1 and enables bad
> actors to attack virtual machines (VM), via virtualization software and
> Virtual Machine Monitors (VMMs) running on Intel processors. A malicious
> guest VM could infer the values of data in the VMM’s memory."
>
> Could potentially allow Untrusted VMs to attack safe VMs but I don't know for
> sure whether or not Qubes mitigates this.
>

CVE-2018-3620 and CVE-2018-3646 are XSA-273 [1], which was released yesterday without embargo. We won't have an official statement about whether or how this affects Qubes until the Qubes Security Team (QST) has had a chance to assess it. Both members of the QST are currently out of the office (completely offline, one on sabbatical and one on vacation), with one scheduled to return at the end of the month, so that's probably the earliest we'll know.

XSAs 268-273 were all publicly released on 2018-08-14. 268-272 went through the normal predisclosure process, so the QST was able to evaluate them before they left. Consequently, we've published official statements regarding XSAs 268-272. [2][3] By contrast, XSA-273 skipped predisclosure, so the QST didn't get a chance to see it before they left.

[1] https://xenbits.xen.org/xsa/advisory-273.html
[2] https://www.qubes-os.org/news/2018/08/14/qsb-42/
[3] https://www.qubes-os.org/news/2018/08/14/xsa-268-269-271-272-qubes-not-affected/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org