New security and maintenance updates are available for the only currently supported release of XCP-ng: 8.2 LTS.
Xen and linux-firmware in the controller domain are updated to fix several vulnerabilities.
Alongside them we also publish maintenance updates that were prepared and tested during the public testing window of the security updates.
🔒 Fixed vulnerabilities
XSA-445: CVE-2023-46835 - "x86/AMD: mismatch in IOMMU quarantine page table levels". On x86 AMD systems with IOMMU hardware, a device in quarantine mode, using dom_io, could access leaked data from previously quarantined pages. Quarantine mode is not enabled by default in XCP-ng, but can still be enabled at Xen boot time.
XSA-446: CVE-2023-46836 - "x86: BTC/SRSO fixes not fully effective". A PV guest could infer memory content from other guests. We do not recommend using PV guests and have been suggesting switching to HVM for a while, so if that's not your case yet, we strongly encourage you to consider doing the switch.
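As an added check (not part of the XCP-ng announcement), the following POSIX shell script lists guests still running as PV, i.e. VMs whose HVM-boot-policy is empty, by parsing `xe vm-list` output from the control domain. The VM names and sample output are constructed, and the record layout (one `param ( RW): value` line per field, records separated by blank lines) is an assumption about xe's formatting.

```shell
#!/bin/sh
# Added example, not XCP-ng project code. Finds PV guests so they can be
# scheduled for conversion to HVM, as recommended for XSA-446.

# Read `xe vm-list ... params=name-label,HVM-boot-policy` records from stdin
# and print the name-label of every VM whose HVM-boot-policy is empty (PV).
list_pv_guests() {
    awk '
        function flush() {
            if (have && policy == "") print name
            have = 0; name = ""; policy = ""
        }
        /^[[:space:]]*name-label/ {
            sub(/^[^:]*:[[:space:]]*/, ""); name = $0; next
        }
        /^[[:space:]]*HVM-boot-policy/ {
            sub(/^[^:]*:[[:space:]]*/, ""); gsub(/[[:space:]]+$/, "")
            policy = $0; have = 1; next
        }
        /^[[:space:]]*$/ { flush() }
        END { flush() }
    '
}

# Constructed sample of what the xe command below prints (layout is assumed).
SAMPLE_VM_LIST='name-label ( RW)    : web-01
HVM-boot-policy ( RW): BIOS order


name-label ( RW)    : legacy-pv
HVM-boot-policy ( RW): 


name-label ( RW)    : db-02
HVM-boot-policy ( RW): BIOS order
'

# Run the parser over the constructed sample; returns the PV guest names.
pv_guests_from_sample() {
    printf '%s' "$SAMPLE_VM_LIST" | list_pv_guests
}

if [ "${1:-}" = "--live" ]; then
    # On a real XCP-ng host: query the pool, skipping the control domain.
    xe vm-list is-control-domain=false params=name-label,HVM-boot-policy | list_pv_guests
else
    pv_guests_from_sample
fi
```

Run with `--live` in dom0 to inspect the real pool; without arguments it only exercises the parser on the constructed sample.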
✨ Other changes - Improvements
We also published non-security updates at the same time, to pave the way for the upcoming refreshed installation ISOs.
CVE-2023-20592 - Update AMD microcode to the 2023-10-19 drop, which updates family 19h (Zen 3 and Zen 3+). See AMD's advisory for details. XCP-ng does not support SEV yet and is therefore not directly impacted.
Updating your hardware's firmware remains the preferred way to update microcode, and any newer microcode found in the firmware will take precedence over the microcode we provide in XCP-ng.
A small change to suppress unnecessary logging every 5s into
Updated timezones with latest CentOS 7 update of
In preparation for the upcoming refreshed installation ISOs for XCP-ng 8.2.1, we integrated new drivers into XCP-ng:
igc-module: Intel device drivers for I225/I226
r8125-module: Realtek r8125 device drivers
mpi3mr-module: Broadcom mpi3mr RAID device driver