December 2020 Security Updates

Security Dec 18, 2020

Security updates are available for the two supported releases of XCP-ng: 8.1 and 8.2 LTS.

To update, follow this guide. You can also join the discussion on our community forum. A host reboot is necessary after this update.

Related: Citrix Hypervisor Security Bulletin


Summary

Several security issues have been identified in Xen, the Linux kernel's Xen support and other components, that may allow:

  • privileged code running in a guest VM to compromise the host,
  • privileged code running in a guest VM to cause a denial of service,
  • privileged code running in a guest VM to read non-sensitive metadata about another guest.

These issues have been fixed in XCP-ng 8.1 and 8.2 LTS.

List of issues and references

Security in XCP-ng

We now have a dedicated security section in our official doc! Feel free to go there: https://xcp-ng.org/docs/security.html and learn more about it.

XCP-ng 8.1 end of support date

When we released XCP-ng 8.2 LTS, we changed the way we defined support periods for XCP-ng releases. Instead of supporting the last two releases of XCP-ng, we switched to a more predictable model: each release will now have a well-defined end of life date, with LTS releases being supported for about 5 years and standard releases for about 9 to 12 months, depending on the release. Users won't be able to "skip" a release as before, but in exchange for that they are offered a Long Term Support release which is supported much longer.

Since that policy change happened after the release of XCP-ng 8.1, we still wanted to offer the opportunity to jump directly from XCP-ng 8.1 to XCP-ng 8.3, so we announced that XCP-ng 8.1 would remain supported until the release of XCP-ng 8.3.

However, the release of XCP-ng 8.3 is likely to happen later than initially planned, so we had to define a more predictable deadline.

Thus, XCP-ng 8.1 will be supported until March 31 2021 or until the release of XCP-ng 8.3, whichever comes first.

We apologize for any inconvenience that this change may cause to users who planned to jump directly from XCP-ng 8.1 to XCP-ng 8.3, and advise them to consider upgrading to XCP-ng 8.2 LTS instead. As said above, starting with XCP-ng 8.2, every release will have a well-defined end of support date right from the start.


Samuel Verschelde

XCP-ng release manager and lead packager
