April 2022 Security Update
A security update is available for the only currently supported release of XCP-ng: 8.2 LTS.
Summary
Several vulnerabilities have been discovered and fixed in the Xen hypervisor.
To address them, we released updates for this component in XCP-ng.
Impact
Code running in a guest VM that has a physical device assigned through PCI passthrough may be able to cause the host to crash or become unresponsive. This is only possible on hardware with Intel CPUs.
About the release date
The security update for XCP-ng was initially ready to be published on Thursday, April 7th. However, Xen developers found regressions in the Xen project's patches for advisory XSA-400, which added an extra delay because we needed to apply and test the patches fixing those regressions.
References
- Citrix Hypervisor Security Bulletin
- Xen Security Advisories: XSA-399, XSA-400