Security Leftovers
Fedora 36 reaches EOL on 2023-05-16
The Fedora Project has announced that Fedora 36 will reach EOL (end-of-life) on 2023-05-16. We strongly recommend that all users upgrade their Fedora templates and standalones to Fedora 37 no later than 2023-05-16.
We provide fresh Fedora 37 template packages through the official Qubes repositories, which you can install in dom0 by following the standard installation instructions. Alternatively, we also provide step-by-step instructions for performing an in-place upgrade of an existing Fedora template. After upgrading your templates, please remember to switch all qubes that were using the old template to use the new one.
For a complete list of template releases that are supported for your specific Qubes release, see our supported template releases.
Please note that no user action is required regarding the OS version in dom0. For details, please see our note on dom0 and EOL.
QSB-089: Qrexec: Memory corruption in service request handling
We have published Qubes Security Bulletin (QSB) 089: Qrexec: Memory corruption in service request handling. The text of this QSB and its accompanying cryptographic signatures are reproduced below. For an explanation of this announcement and instructions for authenticating this QSB, please see the end of this announcement.
Assessing performance and QoS of a distributed peering platform
Guest Post: New framework assesses platform performance in multi-site environments.
Mozilla Security Blog: Updated GPG key for signing Firefox Releases
The GPG key used to sign the Firefox release manifests is expiring soon, and so we’re going to be switching over to new key shortly.
The new GPG subkey’s fingerprint is
ADD7 0794 7970 0DCA DFDD 5337 E36D 3B13 F3D9 3274
, and it expires2025-05-04
.The public key can be fetched from KEY files from the latest Firefox Nightly,, or from below. This can be used to validate existing releases signed with the current key, or future releases signed with the new key.