December 2020 Security Updates

Security Dec 18, 2020

Security updates are available for the two supported releases of XCP-ng: 8.1 and 8.2 LTS.

To update, follow this guide. You can also join the discussion on our community forum. Hosts reboot necessary after this update.

Related: Citrix Hypervisor Security Bulletin

secupdates-1

Summary

Several security issues have been identified in Xen, the Linux kernel's Xen support and other components, that may allow:

  • privileged code running in a guest VM to compromise the host,
  • privileged code running in a guest VM to cause a denial of service,
  • privileged code running in a guest VM to read non-sensitive metadata about another guest.

These issues have been fixed in XCP-ng 8.1 and 8.2 LTS.

List of issues and references

Security in XCP-ng

We now have a dedicated security section in our official doc! Feel free to go there: https://xcp-ng.org/docs/security.html and learn more about it.

XCP-ng 8.1 end of support date

When we released XCP-ng 8.2 LTS, we changed the way we defined support periods for XCP-ng releases. Instead of supporting the last two releases of XCP-ng, we switched to a more predictable model: each release will now have a well-defined end of life date, with LTS releases being supported for about 5 years and standard releases for about 9 to 12 months, depending on the release. Users won't be able to "skip" a release as before, but in exchange for that they are offered a Long Term Support release which is supported much longer.

Since that policy change happened after the release of XCP-ng 8.1, we wanted to still offer the opportunity to jump directly from XCP-ng 8.1 to XCP-ng 8.3, so we announced that XCP-ng 8.1 would remain supported until XCP-ng 8.3 would be released.

However, the release of XCP-ng 8.3 is likely to happen later than initially planned, so we had to define a more predictable deadline.

Thus, XCP-ng 8.1 will be supported until March 31 2021 or until the release of XCP-ng 8.3, whichever comes first.

We apologize for any inconvenience that this change may cause to users who planned to jump directly from XCP-ng 8.1 to XCP-ng 8.3 and advise them to consider upgrading to XCP-ng 8.2 LTS instead. As said above, counting from XCP-ng 8.2 every release will have a well defined end of support date right from the start.

Tags

Samuel Verschelde

XCP-ng Lead Maintainer, Release Manager and Technical Product Manager. Open Source enthusiast since 2002.