November 2024 Security Update for XCP-ng 8.3

New security updates are available for XCP-ng 8.3.

📔 To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.

📋 Summary

On the 12th of November, Intel published an update for their microcode that fixes multiple security issues as well as some functional issues.

On November 12, the Xen Project disclosed two security vulnerabilities through Xen Security Advisories (XSAs).

🔒 Security Updates

  • xen:
    • XSA-463 - CVE-2024-45818 - Deadlock in x86 HVM standard VGA handling. Because of the way locking is done for the "standard" VGA memory, consecutive accesses can try to take the lock before it has been released, leading to a deadlock. An unprivileged guest that accesses the VGA memory multiple times in a short timeframe could therefore trigger a deadlock of the whole host.
    • XSA-464 - CVE-2024-45819 - libxl leaks data to PVH guests via ACPI tables. When the ACPI tables for a PVH guest were initialized, the excess memory space was left with its previous content, which was then copied as-is into guest memory, possibly leaking sensitive information. This doesn't affect XCP-ng in its normal configuration, as only HVM and PV-in-PVH (not affected) guests are supported.
  • intel-microcode: Updated to Intel's latest microcode, published on the 12th of November, containing mitigations for multiple Intel Security Advisories:

✨ Other improvement

  • xo-lite: Updated to version 0.5.0. XO Lite is designed to auto-update from the Xen Orchestra website (all updates remain local to your browser) or to fall back to the version embedded with XCP-ng if the client has no internet access. A packaging mistake in XO Lite broke this offline functionality, and this update resolves it.
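
The XSA-464 pattern described under Security Updates above (excess space in a table buffer keeps its previous content and is copied to the guest as it was), shown as an added C illustration that is not libxl or Xen code. The page-sized scratch buffer, the function names and the "stale" sample string are assumptions constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096

/* Constructed stand-in for host data left behind in reused memory. */
static const char STALE[] = "host-secret-from-previous-use";

/* Hypothetical allocator: returns a page that still holds its
 * previous content, as the table builder would receive it. */
static unsigned char *get_scratch_page(void)
{
    unsigned char *p = malloc(PAGE_SIZE);
    if (!p) return NULL;
    for (size_t i = 0; i < PAGE_SIZE; i++)
        p[i] = (unsigned char)STALE[i % (sizeof(STALE) - 1)];
    return p;
}

/* Build a table of table_len bytes in a scratch page, then copy the whole
 * page into guest memory. zero_tail selects the hardened behaviour.
 * Returns how many non-zero bytes reached the guest past the table, or -1. */
static long build_and_copy(unsigned char *guest, size_t table_len, int zero_tail)
{
    if (table_len > PAGE_SIZE) return -1;
    unsigned char *page = get_scratch_page();
    if (!page) return -1;

    memset(page, 0xAC, table_len);          /* constructed table bytes */
    if (zero_tail)                          /* hardening: clear the excess space */
        memset(page + table_len, 0, PAGE_SIZE - table_len);

    memcpy(guest, page, PAGE_SIZE);         /* page-granular copy to the guest */
    free(page);
    long leaked = 0;
    for (size_t i = table_len; i < PAGE_SIZE; i++)
        leaked += guest[i] != 0;
    return leaked;
}

int main(void)
{
    unsigned char guest[PAGE_SIZE];
    printf("tail left as-is: %ld stale bytes reach the guest\n", build_and_copy(guest, 300, 0));
    printf("tail zeroed:     %ld stale bytes reach the guest\n", build_and_copy(guest, 300, 1));
    return 0;
}
```

Clearing the unused tail before the copy (or allocating zeroed memory to begin with) is what keeps the length of the table, rather than the size of the buffer, from deciding what the guest can read.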