February 2021 Security and Bugfix Updates

Security and bugfix updates are available for the two supported releases of XCP-ng: 8.1 and 8.2 LTS.

To update, follow this guide. You can also join the discussion on our community forum. A host reboot is necessary after this update.

Summary

The published batch of updates includes security fixes to the Linux kernel in dom0, to protect your hosts against DoS attacks that could be performed by attackers able to execute privileged code in a VM. Reference: https://support.citrix.com/article/CTX296603.

It also fixes several bugs:

  • A possible kernel panic in dom0 under certain circumstances.
  • A network performance regression that was caused by the fixes for the XSA-332 security issue. The most obviously affected guests were FreeBSD guests. Identifying and fixing this bug required close cooperation between users, the XCP-ng team and several Xen developers. We'll have a dedicated story about that, stay tuned!
  • After a crash, Xen was unable to produce a crash analysis when the extra version number was too long.
  • Weaker ciphersuites - that were not supposed to be enabled - have been removed from the list of supported ciphersuites in OpenSSH's configuration.
  • "A misconfigured PCI interface-rename rule leaves all host interfaces inaccessible" (quoting Citrix Hypervisor hotfix description).
  • "On slower systems, xen-bugtool can experience time outs" (quoting Citrix again).

XCP-ng 8.1 end of support is near

XCP-ng 8.1 will be supported until March 31st. Users are urged to upgrade to XCP-ng 8.2 LTS.