qubes-doc/project-security/xsa.md

---
lang: en
layout: doc
permalink: /security/xsa/
ref: 214
title: Xen Security Advisory (XSA) Tracker
---

Xen Security Advisory (XSA) Tracker
===================================

This tracker shows whether Qubes OS is affected by any given [Xen Security Advisory (XSA)][XSA].
Shortly after a new XSA is published, we will add a new row to this tracker.
Whenever Qubes is significantly affected by an XSA, a [Qubes Security Bulletin (QSB)][QSB] is published, and a link to that QSB is added to the row for the associated XSA.

Under the "Is Qubes Affected?" column, there are two possible values: **Yes** or **No**.

* **Yes** means that the *security* of Qubes OS *is* affected.
* **No** means that the *security* of Qubes OS is *not* affected.

Important Notes
---------------

* For the purpose of this tracker, we do *not* classify mere [denial-of-service (DoS) attacks][DoS] as affecting the *security* of Qubes OS.
  Therefore, if an XSA pertains *only* to DoS attacks against Qubes, the value in the "Is Qubes Affected?" column will be **No**.
* For simplicity, we use the present tense ("is affected") throughout this page, but this does **not** necessarily mean that up-to-date Qubes installations are *currently* affected by any particular XSA.
  In fact, it is extremely unlikely that any up-to-date Qubes installations are vulnerable to any XSAs on this page, since patches are almost always published concurrently with QSBs.
  Please read the QSB (if any) for each XSA for patching details.
* Embargoed XSAs are excluded from this tracker until they are publicly released, since the [Xen Security Policy] does not permit us to state whether Qubes is affected prior to the embargo date.
* Unused and withdrawn XSA numbers are included in the tracker for the sake of completeness, but they are excluded from the [Statistics] section for the sake of accuracy.
* All dates are in UTC.

[XSA]: https://xenbits.xen.org/xsa/
[QSB]: /security/bulletins/
[DoS]: https://en.wikipedia.org/wiki/Denial-of-service_attack
[Xen Security Policy]: https://www.xenproject.org/security-policy.html
[Statistics]: #statistics
Create XSA Tracker page (QubesOS/qubes-issues#2703) 2017-03-18 22:30:04 -04:00			`---`
Add lang + ref tags to frontmatter Those are fields used by the language switcher to correlate pages across different languages, even if they have different names/paths/titles. They are generated with the prepare_for_translation.py script. 2021-03-13 13:06:18 -05:00			`lang: en`
Use default doc layout for project security docs 2019-05-26 21:04:23 -04:00			`layout: doc`
Create XSA Tracker page (QubesOS/qubes-issues#2703) 2017-03-18 22:30:04 -04:00			`permalink: /security/xsa/`
Add lang + ref tags to frontmatter Those are fields used by the language switcher to correlate pages across different languages, even if they have different names/paths/titles. They are generated with the prepare_for_translation.py script. 2021-03-13 13:06:18 -05:00			`ref: 214`
Normalize frontmatter - sort keys - remove permalink from redirects 2021-03-13 12:42:50 -05:00			`title: Xen Security Advisory (XSA) Tracker`
Create XSA Tracker page (QubesOS/qubes-issues#2703) 2017-03-18 22:30:04 -04:00			`---`

Convert from HTML to Markdown (QubesOS/qubes-issues#2703) 2017-03-19 03:20:38 -04:00			`Xen Security Advisory (XSA) Tracker`
			`===================================`
Create XSA Tracker page (QubesOS/qubes-issues#2703) 2017-03-18 22:30:04 -04:00
Convert from HTML to Markdown (QubesOS/qubes-issues#2703) 2017-03-19 03:20:38 -04:00			`This tracker shows whether Qubes OS is affected by any given [Xen Security Advisory (XSA)][XSA].`
			`Shortly after a new XSA is published, we will add a new row to this tracker.`
			`Whenever Qubes is significantly affected by an XSA, a [Qubes Security Bulletin (QSB)][QSB] is published, and a link to that QSB is added to the row for the associated XSA.`

			`Under the "Is Qubes Affected?" column, there are two possible values: Yes or No.`

Create Satistics section (QubesOS/qubes-issues#2703) 2017-03-21 01:05:53 -04:00			`* Yes means that the security of Qubes OS is affected.`
			`* No means that the security of Qubes OS is not affected.`

Add Important Notes and consolidate columns QubesOS/qubes-issues#2703 2017-03-19 04:03:49 -04:00			`Important Notes`
			`---------------`
Markdown formatting fixes - mark all code blocks with ``` - unify empty lines between sections - adjust list syntax (no space before dash) - adjust headers to use Atx-style syntax - remove trailing spaces 2021-03-13 12:03:23 -05:00
Add Important Notes and consolidate columns QubesOS/qubes-issues#2703 2017-03-19 04:03:49 -04:00			`* For the purpose of this tracker, we do not classify mere [denial-of-service (DoS) attacks][DoS] as affecting the security of Qubes OS.`
Update Important Notes (QubesOS/qubes-issues#2703) 2017-03-20 23:37:42 -04:00			`Therefore, if an XSA pertains only to DoS attacks against Qubes, the value in the "Is Qubes Affected?" column will be No.`
Create Satistics section (QubesOS/qubes-issues#2703) 2017-03-21 01:05:53 -04:00			`* For simplicity, we use the present tense ("is affected") throughout this page, but this does not necessarily mean that up-to-date Qubes installations are currently affected by any particular XSA.`
Update Important Notes (QubesOS/qubes-issues#2703) 2017-03-20 23:37:42 -04:00			`In fact, it is extremely unlikely that any up-to-date Qubes installations are vulnerable to any XSAs on this page, since patches are almost always published concurrently with QSBs.`
Add Important Notes and consolidate columns QubesOS/qubes-issues#2703 2017-03-19 04:03:49 -04:00			`Please read the QSB (if any) for each XSA for patching details.`
Add notes regarding embargoed XSAs and unused XSA numbers QubesOS/qubes-issues#2703 2017-03-21 21:02:03 -04:00			`* Embargoed XSAs are excluded from this tracker until they are publicly released, since the [Xen Security Policy] does not permit us to state whether Qubes is affected prior to the embargo date.`
Include "withdrawn" XSA numbers with "unused" numbers 2019-03-05 10:39:30 -05:00			`* Unused and withdrawn XSA numbers are included in the tracker for the sake of completeness, but they are excluded from the [Statistics] section for the sake of accuracy.`
Update Important Notes (QubesOS/qubes-issues#2703) 2017-03-20 23:37:42 -04:00			`* All dates are in UTC.`
Add Important Notes and consolidate columns QubesOS/qubes-issues#2703 2017-03-19 04:03:49 -04:00
Convert from HTML to Markdown (QubesOS/qubes-issues#2703) 2017-03-19 03:20:38 -04:00			`[XSA]: https://xenbits.xen.org/xsa/`
			`[QSB]: /security/bulletins/`
			`[DoS]: https://en.wikipedia.org/wiki/Denial-of-service_attack`
Add notes regarding embargoed XSAs and unused XSA numbers QubesOS/qubes-issues#2703 2017-03-21 21:02:03 -04:00			`[Xen Security Policy]: https://www.xenproject.org/security-policy.html`
			`[Statistics]: #statistics`