On 2018-08-15 03:58, Andrew David Wong wrote:
> On 2018-08-14 21:38, Sphere wrote:
>> CVE-2018-3646 in particular is alarming:
>> "The third flaw, CVE-2018-3646, has a CVSS Base Score of 7.1 and enables bad
>> actors to attack virtual machines (VM), via virtualization software and
>> Virtual Machine Monitors (VMMs) running on Intel processors. A malicious
>> guest VM could infer the values of data in the VMM’s memory."
>
>> Could potentially allow Untrusted VMs to attack safe VMs but I don't know
>> for sure whether or not Qubes mitigates this.
>
>
> CVE-2018-3620 and CVE-2018-3646 are XSA-273 [1], which was released
> yesterday without embargo. We won't have an official statement about
> whether or how this affects Qubes until the Qubes Security Team (QST)
> has had a chance to assess it. Both members of the QST are currently out
> of the office (completely offline, one on sabbatical and one on
> vacation), with one scheduled to return at the end of the month, so
> that's probably the earliest we'll know.
>
> XSAs 268-273 were all publicly released on 2018-08-14. 268-272 went
> through the normal predisclosure process, so the QST was able to
> evaluate them before they left. Consequently, we've published official
> statements regarding XSAs 268-272. [2][3] By contrast, XSA-273 skipped
> predisclosure, so the QST didn't get a chance to see it before they
> left.
>
> [1] https://xenbits.xen.org/xsa/advisory-273.html
> [2] https://www.qubes-os.org/news/2018/08/14/qsb-42/
> [3] https://www.qubes-os.org/news/2018/08/14/xsa-268-269-271-272-qubes-not-affected/
>

Update: We have now published QSB #43: L1 Terminal Fault speculative
side channel (XSA-273).

https://www.qubes-os.org/news/2018/09/02/qsb-43/

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
