We’re pleased to announce the new Xen Security Advisory (XSA) Tracker. This tracker clearly shows whether the security of Qubes OS is (or was) affected by any given XSA in a simple “Yes” or “No” format. Since Qubes OS uses Xen for virtualization, we know that many of our users follow new XSA announcements. However, we also understand that most of our users aren’t Xen experts and may not be able to easily determine whether an XSA affects the security of Qubes. We know that this uncertainty can be unsettling, so our aim with the XSA Tracker is to remove any doubt by communicating this information clearly and directly to users, as we already do with Qubes Security Bulletins (QSBs).
It’s worth noting that Qubes has typically not been affected by new XSAs. At present, it has been over six years since the first XSA was published on March 14, 2011. Since that time, 203 XSAs have been published (excluding unused XSA numbers and currently embargoed XSAs). However, only 17 (8.37%) of these XSAs have affected the security of Qubes OS. These Statistics will continue to be updated on the Tracker page as new XSAs are published.