March 2025 Security and Maintenance Update for XCP-ng 8.2 LTS
New bugfixes, enhancements and security updates are available for XCP-ng 8.2 LTS.

🔒 Security Updates
microcode_ctl: updated to Intel's latest microcode, published on the 11th of February, containing:
- Mitigations for multiple Intel Security Advisories
- Updates for multiple functional issues
Updating your hardware's firmware remains the preferred method for updating microcode, and any newer microcode found in the firmware will take precedence over the microcode provided in XCP-ng.
openvswitch:
- Synchronized with XS82ECU1081. Alignment with the hotfix, no functional changes.
- Fix CVE-2022-4337 & CVE-2022-4338. Both CVEs are related to the parsing of LLDP's AutoAttach TLVs, which could lead to a memory overread and undefined behavior.
qemu: fix CVE-2023-3354, which could cause QEMU to crash when handling multiple VNC connections. If an incorrect response is received while closing a connection, whether due to a bug or intentional manipulation, it could trigger this issue.
xen:
- Synchronized with hotfix XS82ECU1082 from XenServer
- Fix watchdog setup on Intel Sapphire Rapids and Emerald Rapids platforms
- Reduce PCI config reads
- Prevent early exit from i8259 loop detection on systems with multiple IO-APICs
- Fix incomplete reduction of PCI config reads
- Fix XSA-467 / CVE-2025-1713: when setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, which itself involves acquiring a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock.
✨ What changed
This update brings non-urgent bugfixes, compatibility improvements, as well as some small enhancements, to a variety of components.
intel-igc: fix a possible update issue due to a recent package name change.
XAPI
In XCP-ng, XAPI is the core API and toolset that enables the management of virtual machines, networking, storage, and resource allocation.
We synchronized XAPI with Citrix Hypervisor 8.2 CU1 hotfix XS82ECU1084. It fixes a behavior that could occur when changing masters in a pool with a large number of hosts: in this context, certain pool management software was sometimes no longer able to connect.
xcp-ng-xapi-plugins
- Add new service plugin to manage (start, stop, ...) XCP-ng services. This will be used by Xen Orchestra to handle XOSTOR software updates.
- We've introduced a new ipmitool plugin within the xcp-ng-xapi-plugins package. This plugin enables Xen Orchestra to directly display sensor and IPMI LAN information, initially implemented to support hardware from our partner 2CRSI. This addition also opens potential for future integrations involving detailed hardware data visualization directly within Xen Orchestra.

⛃ XOSTOR
If you are using XOSTOR, be sure to read our documentation on updating it.
sm (specific release for XOSTOR): ensure that coalesces run correctly on LINSTOR volumes that have been previously resized.
🔧 Optional packages
netdata: update to version 1.44.3
- Fix dmesg warnings due to setuid+capabilities on xenstat plugin
- The freeipmi plugin now comes in a separate package
- Improve systemd service restart with a custom script waiting for Netdata to be fully up-and-running before stopping it.