Announcement regarding XSA-254 (Meltdown and Spectre attacks)
The Qubes Security Team is currently investigating the extent to which XSA-254 (and the Meltdown and Spectre attacks more generally) affect the security of Qubes OS. The practical impact of these attacks on Qubes is currently unclear. While the Qubes Security Team is a member of the Xen predisclosure list, XSA-254 was disclosed on an accelerated timetable ahead of schedule, so our team has not yet had a chance to analyze these attacks, nor has the Xen Project released any patches associated with XSA-254. We are continuing to monitor the situation closely. Once the Security Team makes a determination about the impact on Qubes, we will make another announcement, update the XSA Tracker, and, if appropriate, issue a Qubes Security Bulletin with information about patching.