Qubes Security Bulletin #30 for another critical Xen bug(s) in PV memory virtualization (XSA 213-214): https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-030-2017.txt
The bugs were found by the same researcher who found the previous Xen bug (XSA 212): Jann Horn of Google P0, congrats!
Also, please read our commentary in the bulletin (linked above) about the general defense approaches we've been working on for Qubes 4.x.
@rootkovska is there a Qubes 4.0 roadmap showing any other major changes? I will want to jump ASAP for that improvement requiring (more expensive?) chain attacks, but Qubes is my full time OS, so obviously want to not sacrifice too much stability :)