January 2023 Security Update

Security Jan 31, 2023

New security updates are available for the only currently supported release of XCP-ng: 8.2 LTS.

📔
To update, follow this guide. You can also join the discussion on our community forum.
A host reboot is not necessary after this update if it is the only one applied (that is, if only the sudo component is updated).

📋 Summary

A vulnerability has been discovered and fixed in sudo, in versions equal to or below 1.9.12p1.

We released an update which fixes this vulnerability.

🔒 Impact

A sudoers policy bypass may lead to privilege escalation by editing unauthorized files.

☝️
Because XCP-ng is a dedicated appliance that shouldn't be modified, the security impact is rather small. It is more relevant if you have modified it, which is why we prefer to push this fix now.

📚 References:
