/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Disrepancy in number of exploitable bugs in Xen #2480

Closed
starius opened this Issue Dec 4, 2016 · 3 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Ongoing
4 participants
@starius @jpouellet @andrewdavidwong @marmarek
@starius

starius commented Dec 4, 2016

https://www.qubes-os.org/doc/vm-sudo/ says "so far there have been only one (!) publicly disclosed exploitable bug in the Xen hypervisor from a VM, found in 2008", but this seems to be outdated.

http://www.securityweek.com/xen-hypervisor-vulnerability-exposed-virtualized-servers tells about vulnerability CVE-2014-7188 forced the cloud to reboot many machines.

https://xenbits.xen.org/xsa/ lists hundreds of CVEs.
@jpouellet

This comment has been minimized.

Show comment
Hide comment
@jpouellet

jpouellet Dec 4, 2016

Contributor

Not all Xen bugs affect Qubes, but yes, I believe that statement is no longer correct. XSA-182 / QSB #24 come to mind most recently.
Contributor

jpouellet commented Dec 4, 2016

Not all Xen bugs affect Qubes, but yes, I believe that statement is no longer correct. XSA-182 / QSB #24 come to mind most recently.

@andrewdavidwong andrewdavidwong added the C: other label Dec 4, 2016

@andrewdavidwong

This comment has been minimized.

Show comment
Hide comment
@andrewdavidwong

andrewdavidwong Dec 4, 2016

Member

This would also have to be updated/changed here.

Some options:

  • Add a date: "As of [date], there has been only one (!) ..."
  • Remove that part.

@marmarek, how do you want to handle it?
Member

andrewdavidwong commented Dec 4, 2016

This would also have to be updated/changed here.

Some options:

  • Add a date: "As of [date], there has been only one (!) ..."
  • Remove that part.

@marmarek, how do you want to handle it?

@andrewdavidwong andrewdavidwong added the C: doc label Dec 4, 2016

@andrewdavidwong andrewdavidwong added this to the Documentation/website milestone Dec 4, 2016

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Dec 4, 2016

Member

I'd keep that part in place. So - add a date. And maybe update the number anyway, like - "as of 2016, there has been only three publicly disclosed exploitable bug in the Xen"? Or keep the old number and add "as of Sep 2015"...
Member

marmarek commented Dec 4, 2016

I'd keep that part in place. So - add a date. And maybe update the number anyway, like - "as of 2016, there has been only three publicly disclosed exploitable bug in the Xen"? Or keep the old number and add "as of Sep 2015"...

@andrewdavidwong andrewdavidwong closed this in andrewdavidwong/qubes-core-agent-linux@cc7d3fc Dec 5, 2016

@andrewdavidwong andrewdavidwong referenced this issue in QubesOS/qubes-core-agent-linux Dec 5, 2016

Merged

Update Xen bug count in sudoers comment #29

andrewdavidwong added a commit to QubesOS/qubes-doc that referenced this issue Dec 5, 2016

@andrewdavidwong
Update Xen bug count in sudoers comment 
Closes QubesOS/qubes-issues#2480
Verified
This commit was signed with a verified signature.
@andrewdavidwong andrewdavidwong Andrew David Wong
GPG key ID: 8CE137352A019A17 Learn about signing commits
658e02c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment