New security updates are available for the only currently supported release of XCP-ng: 8.2 LTS.
The Xen Project published two XSAs on the 30th of January, but only one of them actually has a direct impact on XCP-ng. Therefore this update only contains the fix for that one.
🔒 Fixed vulnerability
XSA-449: CVE-2023-46839 - pci: phantom functions assigned to incorrect contexts. When doing PCI passthrough with a device using phantom functions, and reassigning the device to a new guest, a malicious guest could access memory from the guest previously using the device.
🔓 Fix not included
XSA-450: CVE-2023-46840 - VT-d: Failure to quarantine devices in !HVM builds. As mentioned in the title of the XSA, this only affects Xen builds without HVM support. This is not the case for the build included in XCP-ng, so we are not impacted. That's why we chose not to include this fix in the short timeframe we allow for publishing security updates. It will likely be integrated in a later update, but it does not require a security release on its own. Side note: this issue was identified by Teddy Astie from Vates, thanks to him!