April 2022 Security Update

A security update is available for the only currently supported release of XCP-ng: 8.2 LTS.

📔
To update, follow this guide. You can also join the discussion on our community forum. Hosts reboot necessary after this update.
⚠️
If you haven't installed the 8.2.1 update yet and want to update through Xen Orchestra's Rolling Pool Update, make sure your version is at least 5.69.2, otherwise VMs may fail to migrate.

Summary

Several vulnerabilities have been discovered and fixed in the Xen hypervisor.

To address them, we released updates for this component in XCP-ng.

Impact

Code running in a guest VM having had a physical device assigned using PCI passthrough may be able to cause the host to crash or become unresponsive. This is only possible on hardware with Intel CPUs.

About the release date

The security update for XCP-ng was initially ready to be published on Thursday, April 7th. But regressions were found by Xen developers in the Xen project's patches for advisory XSA-400, which added an extra delay as we needed to apply and test the patches fixing the regressions.

References