Security updates are available for the two supported releases of XCP-ng: 8.0 and 8.1.

To update, follow this guide. You can also join the discussion on our community forum. A host reboot is necessary after this update.

Related: Citrix Hypervisor Security Bulletin

Summary

Several security issues have been identified in Xen and in the Linux kernel's Xen support that may allow:

  • a PV guest VM to be compromised by unprivileged code running in that VM
  • host crashes or unresponsiveness caused by privileged code in a guest VM
  • memory corruption of the host or other VMs from an HVM guest VM with a PCI passthrough device.

These issues have been fixed in XCP-ng 8.1 (updated on November 30th) and partially fixed in XCP-ng 8.0 (updated on October 2nd).

List of issues and references

XCP-ng 8.0 end of life is coming soon

XCP-ng 8.0 will reach its end of life as soon as XCP-ng 8.2 is released. This is likely to happen within two weeks.

Exceptionally, there are two CVEs that were not fixed in XCP-ng 8.0. We advise users of this release to:

  • Review the two CVEs and assess the risk (trusted vs untrusted workloads)
  • Upgrade as soon as possible to a higher release of XCP-ng

Other updates

The batch of updates released on this occasion also contains a few bug fixes and enhancements.

XCP-ng 8.1

  • Fix compatibility with XenDesktop
  • OpenFlow support in the SDN controller
  • DHCP requests from the host now properly send the hostname to the DHCP server

XCP-ng 8.0

  • Support for backups with RAM in Xen Orchestra
  • OpenFlow support in the SDN controller
  • DHCP requests from the host now properly send the hostname to the DHCP server