Re: [qubes-users] Qubes Security Bulletin #28

2016-12-24 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2016-12-24 00:15, '091348'0194328'0913284'09418 wrote: > Hello, > > so I must consider that all VM updates are corrupt also? > > I should consider that all data, which get processed are corrupt > also? > > I should consider, if I transferred

Re: [qubes-users] Qubes Security Bulletin #28

2016-12-24 Thread '091348'0194328'0913284'09418
Hello, so I must consider that all VM updates are corrupt also? I should consider that all data, which get processed are corrupt also? I should consider, if I transferred this data into other VM's, these VM's like a "storage VM" is corrupt also and if the files get executed in this VM or

Re: [qubes-users] Qubes Security Bulletin #28

2016-12-20 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Tue, Dec 20, 2016 at 12:37:21PM -0500, Chris Laprise wrote: > Regarding the "Alternate Patching Method" using normal apt update: Its > possible the template was attacked via updates even before the bug was > announced, or sometime between the

Re: [qubes-users] Qubes Security Bulletin #28

2016-12-20 Thread Chris Laprise
Regarding the "Alternate Patching Method" using normal apt update: Its possible the template was attacked via updates even before the bug was announced, or sometime between the Debian announcement and now. The "check InRelease" only helps if the attack occurs only during the next update and

[qubes-users] Qubes Security Bulletin #28

2016-12-20 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Dear Qubes community, We have just published Qubes Security Bulletin (QSB) #28: Debian update mechanism vulnerability. The current text of this QSB is reproduced below. The latest version, including any future corrections, will always be available