Security updates are available for the two supported releases of XCP-ng: 8.1 and 8.2 LTS.
To update, follow this guide. You can also join the discussion on our community forum. A host reboot is necessary after this update.
Related: Citrix Hypervisor Security Bulletin
Several security issues have been identified in Xen, the Linux kernel's Xen support and other components, that may allow:
- privileged code running in a guest VM to compromise the host,
- privileged code running in a guest VM to cause a denial of service,
- privileged code running in a guest VM to read non-sensitive metadata about another guest.
These issues have been fixed in XCP-ng 8.1 and 8.2 LTS.
List of issues and references
- CVE-2020-29479 (XSA-353)
- CVE-2020-29480 (XSA-115)
- CVE-2020-29481 (XSA-322)
- CVE-2020-29482 (XSA-323)
- CVE-2020-29485 (XSA-330)
- CVE-2020-29486 (XSA-352)
- CVE-2020-29487 (XSA-354)
- CVE-2020-29568 (XSA-349)
- CVE-2020-29569 (XSA-350)
- CVE-2020-29570 (XSA-358)
Security in XCP-ng
We now have a dedicated security section in our official doc! Feel free to go there: https://xcp-ng.org/docs/security.html and learn more about it.
XCP-ng 8.1 end of support date
When we released XCP-ng 8.2 LTS, we changed the way we defined support periods for XCP-ng releases. Instead of supporting the last two releases of XCP-ng, we switched to a more predictable model: each release will now have a well-defined end of life date, with LTS releases being supported for about 5 years and standard releases for about 9 to 12 months, depending on the release. Users won't be able to "skip" a release as before, but in exchange for that they are offered a Long Term Support release which is supported much longer.
Since that policy change happened after the release of XCP-ng 8.1, we still wanted to offer the opportunity to jump directly from XCP-ng 8.1 to XCP-ng 8.3, so we announced that XCP-ng 8.1 would remain supported until XCP-ng 8.3 was released.
However, the release of XCP-ng 8.3 is likely to happen later than initially planned, so we had to define a more predictable deadline.
Thus, XCP-ng 8.1 will be supported until March 31 2021 or until the release of XCP-ng 8.3, whichever comes first.
We apologize for any inconvenience that this change may cause to users who planned to jump directly from XCP-ng 8.1 to XCP-ng 8.3, and we advise them to consider upgrading to XCP-ng 8.2 LTS instead. As stated above, starting with XCP-ng 8.2, every release will have a well-defined end of support date right from the start.