October 2023 Security Update #2

Security Oct 27, 2023

New security updates are available for the only currently supported release of XCP-ng: 8.2 LTS.

To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.

📋 Summary

In the announcement for the first security update of October 2023 for XCP-ng, we mentioned that another update would be released before the end of the month.

The first update addressed several vulnerabilities, one of which would have had reduced or no impact if specific components had lower privileges. To proactively prevent future vulnerabilities that may leverage the privileges of these components, we have now implemented privilege reduction for them. Credit goes to the Xen Project and to XenServer developers for the initial deprivileging work, which we have ported to XCP-ng.

We also updated OpenSSL to fix various vulnerabilities in this component.

🔒 Fixed vulnerabilities

🔸Follow-up to XSA-443: CVE-2023-34325 - "Multiple vulnerabilities in libfsimage disk handling". As the Xen Security Team "is no longer confident in the suitability of libfsimage when run against guest controlled input with super user privileges", uses of this library have been replaced wherever possible, and the remaining ones were made to run in deprivileged mode.

The updated components are: Xen, the Linux kernel, the storage manager (sm), fuse-libs, e2fsprogs and all of the XAPI components.
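The least-privilege idea behind this update (code that parses guest-controlled disk images should not run with super user privileges) can be illustrated generically. The following is an added example, not code from XCP-ng, XenServer or the Xen Project, and it says nothing about how their deprivileging is actually implemented: a hypothetical parser for a constructed 16-byte "toy superblock" is run in a forked child that is resource-limited and, when the caller is root, switched to an unprivileged uid/gid before it touches the input. The function names, the toy format and the sample inputs are all constructed here; the uid/gid 65534 is only an assumption about where "nobody" lives on a typical distribution.

```python
"""Run an untrusted-input parser in a separate, deprivileged process.

Added illustration of the least-privilege pattern described in the post.
This is not XCP-ng's, XenServer's or Xen's code: the function names, the
toy on-disk format and the sample inputs are all constructed for this
example. Linux/Unix only (uses fork and setrlimit)."""
import json
import os
import resource
import struct

TOY_MAGIC = b"TOYF"  # constructed magic value for the toy superblock format

# Constructed sample inputs: one valid superblock, one truncated, one with a bad magic.
SAMPLE_GOOD = TOY_MAGIC + struct.pack("<III", 4096, 1024, 0)
SAMPLE_SHORT = b"junk"
SAMPLE_BAD_MAGIC = b"NOPE" + struct.pack("<III", 4096, 1024, 0)


def parse_toy_superblock(data: bytes) -> dict:
    """Hypothetical parser for a constructed 16-byte superblock:
    magic (4 bytes) followed by block_size, block_count, flags (little-endian u32)."""
    if len(data) < 16:
        raise ValueError("short superblock")
    magic, block_size, block_count, flags = struct.unpack("<4sIII", data[:16])
    if magic != TOY_MAGIC:
        raise ValueError("bad magic")
    if block_size == 0 or block_size & (block_size - 1):
        raise ValueError("block_size must be a power of two")
    return {"block_size": block_size, "block_count": block_count, "flags": flags}


def crashing_parser(_data: bytes) -> dict:
    """Constructed stand-in for a parser that dies hard instead of raising."""
    os._exit(3)


def _confine_child(drop_to, cpu_seconds):
    """Apply resource limits and, if requested, switch to an unprivileged uid/gid.
    Fails closed: if a drop was requested but cannot be done, raise so that
    no parsing of untrusted input happens with the original privileges."""
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    resource.setrlimit(resource.RLIMIT_FSIZE, (1 << 20, 1 << 20))
    if drop_to is not None:
        uid, gid = drop_to
        if os.geteuid() != 0:
            raise RuntimeError("privilege drop requested but not running as root")
        os.setgroups([])          # drop supplementary groups first
        os.setgid(gid)
        os.setuid(uid)
        if os.getuid() != uid or os.geteuid() != uid:  # verify, do not assume
            raise RuntimeError("privilege drop did not take effect")


def run_deprivileged(parser, data: bytes, drop_to=None, cpu_seconds=5):
    """Fork, confine the child, run parser(data) there, and return
    ("ok", result) or ("error", message) in the parent.

    The child reports back as JSON over a pipe. JSON is used deliberately
    instead of pickle: a compromised child must not be able to run code in
    the privileged parent by sending a crafted result object."""
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: confine first, parse second
        os.close(read_end)
        try:
            _confine_child(drop_to, cpu_seconds)
            outcome = ["ok", parser(data)]
        except BaseException as exc:  # includes SystemExit: report, never propagate
            outcome = ["error", f"{type(exc).__name__}: {exc}"]
        try:
            with os.fdopen(write_end, "w") as pipe:
                json.dump(outcome, pipe)  # non-JSON results simply yield no report
        finally:
            os._exit(0)
    os.close(write_end)  # parent
    with os.fdopen(read_end, "r") as pipe:
        payload = pipe.read()
    _, wait_status = os.waitpid(pid, 0)
    if not payload:  # child died (signal, os._exit, resource limit) before reporting
        return "error", f"child exited without a result (wait status {wait_status})"
    try:
        status_word, value = json.loads(payload)
    except ValueError:
        return "error", "child sent a malformed report"
    return status_word, value


if __name__ == "__main__":
    # Assumption: uid/gid 65534 is 'nobody' on this system; only used when root.
    drop = (65534, 65534) if os.geteuid() == 0 else None
    print(run_deprivileged(parse_toy_superblock, SAMPLE_GOOD, drop_to=drop))
    print(run_deprivileged(parse_toy_superblock, SAMPLE_SHORT, drop_to=drop))
    print(run_deprivileged(crashing_parser, SAMPLE_GOOD, drop_to=drop))
```

The parent never trusts the child's report beyond a status word and a JSON value, and a child that crashes or is killed by a limit shows up as an error rather than as a missing answer. On a real host the remaining piece is the one this update delivers at the packaging level: making sure the deprivileged path is the only path through which guest-controlled images reach the parser.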

🔸OpenSSL: We updated the OpenSSL version in the xs-openssl-libs package to address several CVEs fixed in upstream releases since our last update.


Samuel Verschelde

XCP-ng release manager: pushes the big red "Release" button. Part developer, part packager, part QA, part manager. Open Source enthusiast since 2002.