qubes-doc/security-info/security-bulletins.md

layout	title	permalink	redirect_from
security	Security Bulletins	/security/bulletins/	/doc/security-bulletins/ /en/doc/security-bulletins/ /doc/SecurityBulletins/ /wiki/SecurityBulletins/ /trac/wiki/SecurityBulletins/

Qubes Security Bulletins

Qubes Security Bulletins are published through the Qubes Security Pack.

2010

• None

2011

• Qubes Security Bulletin #01 (Gui daemon bug, Intel VT-d escape on non-IR hardware)

2012

• Qubes Security Bulletin #02 (Intel SYSRET bug)
• Qubes Security Bulletin #03 (Xen hypervisor bugs: XSA 13, others with DoS potential)
• Qubes Security Bulletin #04 (Qubes firewall misconfiguration: ipv6 allowed)
• Qubes Security Bulletin #05 (Xen hypervisor bugs: XSA 29, others with DoS potential)

2013

• Qubes Security Bulletin #06 (Xen hypervisor bugs: XSA 50, others with DoS potential)
• Qubes Security Bulletin #07 (Xen hypervisor bugs: XSA 57 potential escalation, also XSA 52-54 with potential leaks)
• Qubes Security Bulletin #08 (Xen hypervisor bugs: XSA 45,58 potential DoS)

2014

• Qubes Security Bulletin #09 (Qubes qvm-open-in-[d]vm environment inter-VM leak)
• Qubes Security Bulletin #10 (Qubes pulseaudio & vchan bugs, Xen XSA 87)
• Qubes Security Bulletin #11 (Qubes clipboard inter-VM leak)
• Qubes Security Bulletin #12 (Memory leak in Xen hypervisor via RDMSR emulation bug (XSA 108))

2015

• Qubes Security Bulletin #13 (Qubes Clipboard Timing Attacks and Qubes Core Python API Inconsistency)
• Qubes Security Bulletin #14 (Race condition in Qubes Inter-VM File-Copy Mechanism)
• Qubes Security Bulletin #15 (Critical Xen Hypervisor Vulnerability (XSA 109))
• Qubes Security Bulletin #16 (Xen Hypervisor Information Leaks Vulnerabilities (XSA 121 & 122))
• Qubes Security Bulletin #17 (Xen DoS from malicious driver domains or devices (XSA 120 & 124))
• Qubes Security Bulletin #18 (Xen Hypervisor Instruction Emulation Bug (XSA 123))
• Qubes Security Bulletin #19 (Anti Evil Maid bypass through unusual LUKS header)
• Qubes Security Bulletin #20 (Fedora os-prober considered harmful)
• Qubes Security Bulletin #21 (Anti Evil Maid bypass through filesystem ID collision)
• Qubes Security Bulletin #22 (Critical Xen bug in PV memory virtualization code (XSA 148))
• Qubes Security Bulletin #23 (Race condition bugs in Xen code (XSA-155 and XSA-166), other Xen bugs)

2016

• Qubes Security Bulletin #24 (Critical Xen bug in PV memory virtualization code (XSA 182))
• Qubes Security Bulletin #25 (Xen bug in event channel handling code (XSA 188))
• Qubes Security Bulletin #26 (Colored window border handling bug in Qubes GUI daemon)
• Qubes Security Bulletin #27 (Xen 64-bit bit test instruction emulation broken (XSA 195))
• Qubes Security Bulletin #28 (Debian update mechanism vulnerability)

2017

• Qubes Security Bulletin #29 (Critical Xen bug in PV memory virtualization code (XSA-212))
• Qubes Security Bulletin #30 (Critical Xen bugs related to PV memory virtualization (XSA-213, XSA-214))
• Qubes Security Bulletin #31 (Xen hypervisor vulnerabilities with unresearched impact (XSA 216-224))
• Qubes Security Bulletin #32 (Xen hypervisor and Linux kernel vulnerabilities (XSA-226 through XSA-230))
• Qubes Security Bulletin #33 (Xen hypervisor (XSA-231 through XSA-234))
• Qubes Security Bulletin #34 (GUI issue and Xen vulnerabilities (XSA-237 through XSA-244))
• Qubes Security Bulletin #35 (Xen hypervisor issue related to grant tables (XSA-236))
• Qubes Security Bulletin #36 (Xen hypervisor issue in populate-on-demand code (XSA-247))

2018

• Qubes Security Bulletin #37 (Information leaks due to processor speculative execution bugs)