February 2024 Security Update

Security Feb 2, 2024

New security updates are available for the only currently supported release of XCP-ng: 8.2 LTS.

📔 To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update, since the patched hypervisor only runs once the host has been restarted.

📋 Summary

The Xen Project published two XSAs on 30 January 2024, but only one of them has a direct impact on XCP-ng. This update therefore contains only the fix for that one.

🔒 Fixed vulnerability

XSA-449: CVE-2023-46839 - pci: phantom functions assigned to incorrect contexts. Phantom functions are otherwise unpopulated PCI function IDs that a device may use to issue additional outstanding requests; each needs its own IOMMU context when the device is passed through. Xen did not treat a failure to set up such a context as fatal during device assignment, so the primary function could end up assigned to one guest while some of its phantom functions remained in the context of a different domain. When a device with phantom functions is reassigned, a malicious guest could access memory from the guest previously using the device. Only hosts that pass through PCI devices with phantom functions are affected.
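Two checks an operator might run around this update, as an added example that is not part of the advisory or of XCP-ng's own tooling: whether a host is in the configuration XSA-449 affects (Xen only knows about a device's phantom functions when they are declared with the `pci-phantom=` hypervisor command-line option, which `xl info` reports in its xen_commandline field), and, after the reboot the update box above asks for, whether the running hypervisor really is the newly installed one (comparing `xl info`'s xen_version with the installed xen-hypervisor RPM). The `xl info` output and the version strings in the block are constructed samples; the package name xen-hypervisor and the assumption that the RPM's VERSION-RELEASE begins with the string xl reports are mine, not something the advisory states, so check the real formats on a host before relying on the second check.

```shell
#!/bin/sh
# Added example, not part of the XCP-ng advisory or of XCP-ng itself.
#
# 1. is_exposed_to_xsa449: XSA-449 only matters when Xen has been told that a
#    passed-through device has phantom functions, which is done with the
#    "pci-phantom=" hypervisor command-line option. `xl info` echoes that
#    command line in its xen_commandline field, so scanning it shows whether
#    the host is in the affected configuration.
# 2. running_matches_installed: `yum update` installs the fixed hypervisor but
#    the old one keeps running until the host reboots. Comparing xen_version
#    from `xl info` with the installed xen-hypervisor RPM confirms the reboot
#    took effect. Assumptions (not from the advisory): the package is called
#    xen-hypervisor, and its VERSION-RELEASE starts with the string xl reports.
#    Both hold for the constructed sample below; verify them on a real host.

# Constructed sample of `xl info` output; not captured from a real host.
SAMPLE_XL_INFO='host                   : xcp-ng-1
release                : 4.19.0+1
xen_version            : 4.13.5-9.38.1
xen_commandline        : dom0_mem=4096M,max:4096M watchdog ucode=scan console=vga pci-phantom=0000:03:00,2 pci-phantom=0000:04:00,4
'

# Print the value of one "key : value" line of `xl info`, read from stdin.
xl_info_field() {
    sed -n "s/^$1[[:space:]]*:[[:space:]]*//p"
}

# Print every pci-phantom= declaration ([seg:]bus:dev,stride) found on the
# Xen command line read from stdin, one per line.
phantom_devices() {
    xl_info_field xen_commandline | tr ' ' '\n' | sed -n 's/^pci-phantom=//p'
}

# Succeed (exit 0) if the `xl info` text on stdin declares phantom functions.
is_exposed_to_xsa449() {
    [ -n "$(phantom_devices)" ]
}

# $1: running version from `xl info`; $2: installed RPM VERSION-RELEASE.
# Succeed when the installed build is the one running, i.e. no reboot pending.
# The trailing "." in the pattern stops 9.38.1 from matching 9.38.10.
running_matches_installed() {
    case "$2" in
        "$1" | "$1".*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    if command -v xl >/dev/null 2>&1; then
        info=$(xl info)
    else
        echo "xl not available, using the constructed sample" >&2
        info=$SAMPLE_XL_INFO
    fi

    if printf '%s' "$info" | is_exposed_to_xsa449; then
        echo "Phantom functions declared; host is in the configuration XSA-449 affects:"
        printf '%s' "$info" | phantom_devices | sed 's/^/  pci-phantom=/'
    else
        echo "No pci-phantom= declarations; host is not in the XSA-449 configuration."
    fi

    running=$(printf '%s' "$info" | xl_info_field xen_version)
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' xen-hypervisor 2>/dev/null) || installed=""
    # Constructed stand-in for the RPM query when rpm is absent (off-host run).
    [ -n "$installed" ] || installed="$running.xcpng8.2"
    if running_matches_installed "$running" "$installed"; then
        echo "Running Xen $running matches installed $installed; no reboot pending."
    else
        echo "Running Xen $running but $installed is installed; reboot still required."
    fi
}

main "$@"
```

On a real host, run it before the update to see whether any `pci-phantom=` declarations exist at all (no declarations means the XSA-449 scenario cannot arise there), and again after the reboot to confirm the installed and running versions agree.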

🔓 Fix not included

XSA-450: CVE-2023-46840 - VT-d: Failure to quarantine devices in !HVM builds. As the title says, this only affects Xen builds compiled without HVM support, which is not the case for the Xen build shipped with XCP-ng, so we are not impacted. That is why we chose not to include this fix within the short timeframe we allow ourselves for publishing security updates. It will likely be integrated in a later update, without requiring a security release of its own. As a side note, this issue was identified by Teddy Astie from Vates, thanks to him!


David Morel

Hypervisor & Kernel Software Engineer at Vates and XCP-ng Security Coordinator. Open Source enthusiast, using IRC for everything. Raccoon lover.