January 2022 Security Update
A security update is available for the only currently supported release of XCP-ng: 8.2 LTS.
⚠️
If you are still using 32-bit paravirtualized (PV) VMs, please check this article before updating!
📔
To update, follow this guide. You can also join the discussion on our community forum. A host reboot is necessary after this update.
Summary
Several vulnerabilities have been discovered and fixed in the Xen hypervisor as well as in the controller domain's Linux kernel.
To address this, we released updates for these components in XCP-ng.
Additionally, the updated Xen packages completely disable support for 32-bit PV guests, which have been officially unsupported since XCP-ng 8.1. Disabling this support gives a 5% to 10% performance boost in dom0. Check the dedicated article for details and migration options if you still have such deprecated guests.
Impact
The vulnerabilities may allow privileged code in a VM to cause a host to crash or become unresponsive.
References
- Citrix Hypervisor Security Bulletin (CVE numbers listed there)
- Xen Security Advisories: XSA-388, XSA-389, XSA-392