Security updates are available for the two supported releases of XCP-ng: 8.0 and 8.1. XCP-ng 7.6 has reached its end of life.

To update, follow this guide. You can also join the discussion on our community forum.
Reboot after updating a host.

Related: Citrix Hypervisor Security Bulletin


XSA-313: possible host crash or information leak

  • Impact: "A malicious guest may be able to access sensitive information pertaining to other guests. Guests with "active profiling" enabled can crash the host (DoS). Privilege escalation cannot be ruled out."

  • Vulnerable systems: "Only x86 PV guests can leverage the vulnerabilities. Any x86 PV guest can leverage the information leak.Only x86 PV guests whose host administrator has explicitly enabled "active profiling" for an untrusted guest can exploit the DoS / potential privilege escalation."

  • Resolution: Apply the updates on your XCP-ng hosts and reboot. Also remember that PV guests are not supported anymore starting with XCP-ng 8.1.

Reference: http://xenbits.xen.org/xsa/advisory-313.html


XSA-316: possible host crash caused by guest

  • Impact: A malicious or buggy guest can crash the host.
  • Vulnerable systems: XCP-ng 8.1 is vulnerable. XCP-ng 8.0 is not.
  • Resolution: Apply the updates on your XCP-ng hosts and reboot.

Reference: http://xenbits.xen.org/xsa/advisory-316.html


XSA-318: possible host crash caused by guest

  • Impact: A malicious or buggy guest can cause host crashes or other incorrect behaviour.

  • Vulnerable systems: "Systems running any version of Xen are vulnerable". So any XCP-ng system is vulnerable.

  • Resolution: Apply the updates on your XCP-ng hosts and reboot.

Reference: http://xenbits.xen.org/xsa/advisory-318.html


Other

The current batch of updates also includes:

  • A fix for XSA-307, which is not believed to have put XCP-ng systems at risk.
  • On XCP-ng 8.0, an update to the bnx2x driver that can cause host failures with some NetXtreme device models. XCP-ng 8.1 already had the fix when it was released.
  • On XCP-ng 8.0, a bugfix update to xenserver-status-report for better filtering of the data than are exported if you run xen-bugtool on the host.
  • On XCP-ng 8.0, a bugfix update to sm (stands for storage manager, or SMAPIv1) with a fix backported from 8.1 to reduce possible log flood related to multipath.