April 2020 XCP-ng Security Updates

Security Apr 17, 2020

Security updates are available for the two supported releases of XCP-ng: 8.0 and 8.1. XCP-ng 7.6 has reached its end of life.

To update, follow this guide. You can also join the discussion on our community forum.
Reboot after updating a host.

Impact: "A malicious guest may be able to access sensitive information pertaining to other guests. Guests with "active profiling" enabled can crash the host (DoS). Privilege escalation cannot be ruled out."
Vulnerable systems: "Only x86 PV guests can leverage the vulnerabilities. Any x86 PV guest can leverage the information leak.Only x86 PV guests whose host administrator has explicitly enabled "active profiling" for an untrusted guest can exploit the DoS / potential privilege escalation."
Resolution: Apply the updates on your XCP-ng hosts and reboot. Also remember that PV guests are not supported anymore starting with XCP-ng 8.1.

Impact: A malicious or buggy guest can cause host crashes or other incorrect behaviour.
Vulnerable systems: "Systems running any version of Xen are vulnerable". So any XCP-ng system is vulnerable.
Resolution: Apply the updates on your XCP-ng hosts and reboot.

The current batch of updates also includes:

A fix for XSA-307, which is not believed to have put XCP-ng systems at risk.
On XCP-ng 8.0, an update to the bnx2x driver that can cause host failures with some NetXtreme device models. XCP-ng 8.1 already had the fix when it was released.
On XCP-ng 8.0, a bugfix update to xenserver-status-report for better filtering of the data than are exported if you run xen-bugtool on the host.
On XCP-ng 8.0, a bugfix update to sm (stands for storage manager, or SMAPIv1) with a fix backported from 8.1 to reduce possible log flood related to multipath.