Summer 2021 Security and Bugfix Updates

Security Jun 28, 2021

Security and bugfix updates are available for the only currently supported release of XCP-ng: 8.2 LTS.

To update, follow this guide. You can also join the discussion on our community forum. Hosts reboot necessary after this update.

Summary

This update addresses vulnerabilities in QEMU and also brings bugfixes to several other components in XCP-ng.

We want to thank everyone involved in producing: upstream developers and packagers, XCP-ng developers, and our community who took part in testing them.

Security update

The vulnerabilities discovered in QEMU may allow privileged code in VMs to cause hosts to crash or become unresponsive. This is fixed in the updated qemu RPM package.

References:

Bugfix updates

We are releasing updated RPM packages that fix various issues or add better support for guest OSes.

Guest tools ISO

The guest tools ISO was updated. We used to embed the Linux guest tools built by Citrix (they are free software, freely redistributable), with a few added improvements, but this lacked flexibility. It was indeed impossible for us to release fixes in the guest packages themselves (RPM, DEB, TGZ) that the installer script installs on your VMs.

So now the tools are all built by us from the sources, as we had been planning for long.

Note: we changed the versioning of the guest tools. You will notice that the new ones report being in version 7.20-9 (sources in version 7.20, ninth XCP-ng patch level) instead of 8.1.50 like the ones from Citrix. It is not a downgrade. Citrix versions the tools after the release of Citrix Hypervisor (8.1.50 more or less means 8.2). We version them after their actual version in the source repository.

In addition to the new build process, the updated guest tools bring:

  • Support for Rocky Linux and Almalinux
  • Support for CentOS 8.3+ and CentOS Stream
  • Fixed support for FreePBX

There is no need to reinstall those tools in existing VMs where they already work correctly.

Windows guest tools are not available on the ISO yet (you still have to download them as described in the docs), but we are working on it.

Other bugfix updates

As you can see, we are doing more and more upstream contributions (reporting but also fixing stuff). Also, we would like to thank Citrix for putting back some repositories on github, so we could contribute more easily by improving the code and fixing bugs: there are already 4 pull requests, 2 of which were already merged. All of this just 24h after the repository was open to contributions.

Tags

Samuel Verschelde

Among with Olivier Lambert

XCP-ng release manager and lead packager