November 2024 Security and Maintenance Update for XCP-ng 8.2 LTS
New bugfix, enhancement and security updates are available for XCP-ng 8.2 LTS.
📋 Summary
We usually queue non-critical fixes or improvements for a grouped release, to avoid unnecessary maintenance tasks on your pools. This is one such grouped release, grouped along with a set of security updates.
🔒 Security Updates
xen
- We synchronized with the hotfix from Citrix XS82ECU1078.
- XSA-463 - CVE-2024-45818 - Deadlock in x86 HVM standard VGA handling. Due to the way locking of the "standard" VGA memory is done, consecutive accesses can try to take the lock before it has been released, leading to a deadlock. Therefore, an unprivileged guest accessing the VGA memory multiple times in a short timeframe could deadlock the whole host.
- XSA-464 - CVE-2024-45819 - libxl leaks data to PVH guests via ACPI tables. During ACPI table initialization for PVH guests, the excess memory space kept its previous content, which was then copied as-is into guest memory, resulting in a possible leak of sensitive information. This doesn't affect XCP-ng in its normal configuration, as only HVM and PV-in-PVH guests (which are not affected) are supported.
microcode_ctl
Updated to Intel's latest microcode, published the 12th of November, containing mitigations for multiple Intel Security Advisories:
- Security updates for INTEL-SA-01101
- Security updates for INTEL-SA-01079
- Updated security updates for INTEL-SA-01097
- Updated security updates for INTEL-SA-01103
- Multiple other updates for functional issues.
curl
Backport fixes for several CVEs: CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466, CVE-2024-6197, CVE-2024-7264.
openssl
Update to version 1.0.2k-26 from CentOS 7 updates, plus backports of available CVE fixes from OpenSSL upstream. The CentOS 7 update includes fixes for CVE-2021-3712, CVE-2022-2078 and CVE-2023-0286. The backports fix CVE-2019-1547, CVE-2019-1551 and CVE-2019-1563.
xs-openssl
Rebased on version 1.1.1k-12 from CentOS 8 Stream. Includes fixes for CVE-2023-5678, CVE-2023-3446, CVE-2023-3817 and a proper fix for CVE-2020-25659.
✨ What changed
This update also brings non-urgent bugfixes, compatibility improvements, as well as some small enhancements, to a variety of components.
XAPI
In XCP-ng, XAPI is the core API and toolset that enables the management of virtual machines, networking, storage, and resource allocation.
We synchronized XAPI with Citrix Hypervisor 8.2 CU1 hotfix XS82ECU1074:
- Enhancement: robustification of the xe host-emergency-ha-disable command
- Correction of different issues:
  - Performing a hard shutdown of a VM may hang due to unnecessary RBAC permission checks. An icon (yellow triangle) may then be displayed in some management applications, indicating that the shutdown process did not complete successfully.
  - Canceling a hard shutdown of a hung VM fails because the cancel function only checks for proper shutdowns.
  - Migrating VMs from 8.2.1 to 8.3 with the xe vm-migrate command may fail with the error 'Failure: Unknown tag/contents'.
  - You may encounter a 500 error (internal server error) when trying to retrieve RRD measurements from a powered-off virtual machine.
blktap
blktap is a user-level disk I/O interface.
Synchronized with Citrix Hypervisor 8.2 CU1 hotfix XS82ECU1075: Improvements on coalesce performance.
sm
sm is the default Storage Management stack supported by XAPI; it contains a set of plugins for different storage layers (NFS, ext4, LVM...).
- Synchronized with Citrix Hypervisor 8.2 CU1 hotfix XS82ECU1075:
  - Updated multipath.conf for several SANs
  - Fix for CA-393194: find the real PV in a VG before removing the VG.
🪲 Other bugfixes and improvements
guest-templates-json
- Add generic templates for Linux BIOS and UEFI.
- Synchronized with hotfix XS82ECU1085:
  - Oracle 8 requires a minimum of 2 vCPUs.
  - Added template for Ubuntu 24.04
xcp-ng-xapi-plugins
Enhance error reporting when a command run on a host fails.
xenserver-status-report
Update to latest version, synchronized with XS82ECU1058.
python-defusedxml
Added as a new dependency of xenserver-status-report.
xsconsole
Synchronized with hotfix XS82ECU1074: fix for a time-out when creating an iSCSI SR.
zstd
Update to version 1.5.5 to avoid an extremely rare case of corruption.
🔧 Updates for alternate drivers
As explained in our documentation, XCP-ng occasionally provides alternate drivers for users who have issues with the main drivers installed with XCP-ng. We just released two updates, rebuilt from the driver disks published by XenServer for Citrix Hypervisor 8.2 CU1. We added a newer version of an existing driver, based on manufacturer sources:
intel-i40e-alt
From version 2.22.20-3.1 to 2.22.20-5.1
mellanox-mlnxen-alt
From version 5.9.0.5.5.0-1.1 to 5.9.0.5.5.0-1.2
New alternate driver:
mlx4-modules-alt
To resolve some issues with CX3 cards and SR-IOV, we added an updated version 4.9-7.1.0.0-LTS of this driver.
You can consult the list of drivers with an alternate version on GitHub.
🔧 Update for alternate kernel
Backport of a fix to correct cooling fan rotation speed on some Lenovo servers. For more information, you can read this thread on the forum.