Re: [qubes-users] Question about Xen sandbox escape from Oct 2015
On Thursday, June 30, 2016 at 5:48:17 PM UTC-4, danmich...@gmail.com wrote:
> Wow... so the ISO doesn't get patched...? Wow...
>
> Surely there should be a BIG warning on the Qubes downloads page... saying,
> WARNING! Xen in QUBES 3.0 allows full sandbox escape..! Update your software
> IMMEDIATELY after downloading, before doing anything else...!!
>
> It really surprises me that there isn't such a big warning, given the
> severity of this Xen bug... Wow...

I think people concerned about their security know to update before doing anything else.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/78f0edee-4d90-4f43-a897-c0ca1a1d37ea%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Question about Xen sandbox escape from Oct 2015
On Wed, Jun 29, 2016 at 10:29:31PM -0700, danmichaels8...@gmail.com wrote:
> OK
>
> Version: 4.4.3
> Release: 11.fc20
>
> So I am OK.
>
> Does QUBES 3.0 come with the patched version though... Have the devs updated
> the ISO so that it comes patched..?

No, the ISO stays as is from the time of the release. It is always a good idea to install updates just after installation.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [qubes-users] Question about Xen sandbox escape from Oct 2015
OK

Version: 4.4.3
Release: 11.fc20

So I am OK.

Does QUBES 3.0 come with the patched version though... Have the devs updated the ISO so that it comes patched..?

Or am I patched because I did a dom0 update..?

Thanks
Re: [qubes-users] Question about Xen sandbox escape from Oct 2015
On 2016-06-29 21:42, danmichaels8...@gmail.com wrote:
> I have a question about the Xen sandbox escape from Oct 2015
>
> https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt
>
> I am running Qubes 3.0.
>
> Qubes 3.0 was released Oct 1 2015.
>
> The Xen glitch was Oct 29 2015.
>
> Does this mean that Qubes 3.0 does not come shipped with the patch,
> and that I have to manually patch this myself?
>
> Or is Qubes 3.0. safe?
>
> I downloaded and installed Qubes 3.0 just a few days ago.. using it
> for the very first time.
>

You can (and should) download the patched packages by updating dom0, as explained here:

https://www.qubes-os.org/doc/software-update-dom0/

After updating dom0, you should have Xen version 4.4.3-8 (or higher). You can verify this by typing the following command into a dom0 terminal:

    sudo yum info xen

Check the "Version" and "Release" lines. If "Version" is higher than 4.4.3, you're fine. If it's exactly 4.4.3, check "Release." If "Release" is "8.fc20" or higher (i.e., the first number is a number higher than 8), you're fine.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
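The version check described in the reply above, as an added example that is not part of the original thread or of the Qubes tooling: it reads `yum info xen` output and compares Version and Release numerically against the 4.4.3-8 minimum. The function names `ver_cmp` and `xen_is_patched` are hypothetical, and the sample output is constructed from the values the poster reported.

```shell
#!/bin/sh
# Added example. Minimum taken from the reply above: Xen 4.4.3-8.
# In dom0 the real output would be piped in: sudo yum info xen | xen_is_patched
MIN_VERSION=4.4.3
MIN_RELEASE=8          # leading number of "8.fc20"

# ver_cmp A B: compare dotted numeric versions field by field; prints lt, eq or gt.
ver_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo gt; return; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo lt; return; fi
    done
    echo eq
}

# xen_is_patched: reads `yum info xen` output on stdin.
# Returns 0 = at or above the minimum, 1 = below it, 2 = output not parseable.
xen_is_patched() {
    info=$(cat)
    version=$(printf '%s\n' "$info" | sed -n 's/^Version *: *//p' | head -n 1)
    release=$(printf '%s\n' "$info" | sed -n 's/^Release *: *//p' | head -n 1)
    relnum=${release%%.*}
    case $version in ''|*[!0-9.]*) return 2 ;; esac
    case $relnum in ''|*[!0-9]*) return 2 ;; esac
    case $(ver_cmp "$version" "$MIN_VERSION") in
        gt) return 0 ;;
        lt) return 1 ;;
    esac
    # Same version: compare the release's leading number as an integer,
    # so "11.fc20" ranks above "8.fc20" (a string comparison would not).
    [ "$relnum" -ge "$MIN_RELEASE" ]
}

# Constructed sample in the layout `yum info` prints, using the poster's values.
sample='Installed Packages
Name        : xen
Version     : 4.4.3
Release     : 11.fc20'
if printf '%s\n' "$sample" | xen_is_patched; then
    echo "xen meets the 4.4.3-8 minimum"
else
    echo "xen is below 4.4.3-8 or could not be parsed: update dom0"
fi
```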
[qubes-users] Question about Xen sandbox escape from Oct 2015
I have a question about the Xen sandbox escape from Oct 2015

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt

I am running Qubes 3.0.

Qubes 3.0 was released Oct 1 2015.

The Xen glitch was Oct 29 2015.

Does this mean that Qubes 3.0 does not come shipped with the patch, and that I have to manually patch this myself?

Or is Qubes 3.0. safe?

I downloaded and installed Qubes 3.0 just a few days ago.. using it for the very first time.