[qubes-users] QSB #61 Information leak via power sidechannel (XSA-351)

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #61: Information
leak via power sidechannel (XSA-351). The text of this QSB is
reproduced below. This QSB and its accompanying signatures will always
be available in the Qubes Security Pack (qubes-secpack).

View QSB #61 in the qubes-secpack:

Learn about the qubes-secpack, including how to obtain, verify, and read

View all past QSBs:

View XSA-351 in the XSA Tracker:


             ---===[ Qubes Security Bulletin #61 ]===---


           Information leak via power sidechannel (XSA-351)


Hello, Marek wrote in the QSB

   For Qubes 4.0: Xen packages, version 4.8.5-26
   For updates from the security-testing repository:
   $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

I found an unexpected behaviour. I always ran the command

sudo qubes-dom0-update --enablerepo=qubes-dom0-*-testing

to update the system, believing that "*" would include the case
"security". This seems not to be the case! After running the update with *,
the xen state was still 4.8.25:

dnf list |grep xen
libvirt-daemon-driver-xen.x86_64 3.3.0-10.fc25
libvirt-daemon-xen.x86_64 3.3.0-10.fc25
python3-xen.x86_64 2001:4.8.5-25.fc25
qubes-libvchan-xen.x86_64 4.0.8-1.fc25
xen.x86_64 2001:4.8.5-25.fc25
xen-hvm.x86_64 2001:4.8.5-25.fc25
xen-hvm-stubdom-linux.x86_64 1.0.10-1.fc25
xen-hypervisor.x86_64 2001:4.8.5-25.fc25
xen-libs.x86_64 2001:4.8.5-25.fc25
xen-licenses.x86_64 2001:4.8.5-25.fc25
xen-runtime.x86_64 2001:4.8.5-25.fc25

Only explicitly running the command as Marek suggests, with * replaced by
security, would upgrade to 4.8.26. That is odd, isn't it?