July 2025 Security and Maintenance Update for XCP-ng 8.2 LTS

Security Jul 3, 2025

New bug fixes, enhancements, and security updates are available for XCP-ng 8.2 LTS.

📔
To update, follow this guide. You can also join the discussion on our community forum.
Host reboots are necessary after this update.

📋Summary

This update primarily brings a security patch described below, along with some less urgent updates to other components.

⚠️
Since this includes a fix for a security vulnerability, all users are strongly advised to update their hosts as soon as possible.

🔒Security Updates

A vulnerability has been discovered in Xen that allows privileged code in a guest to crash the hypervisor, resulting in a Denial of Service (DoS) of the entire host.

Technical summary for interested readers: Xen intercepts and emulates specific instructions, sometimes by using executable stubs to replay said instructions. However, incorrect metadata in replayed instructions may cause Xen to treat exceptions as fatal rather than handling them gracefully.

The xen-* packages were updated to address this vulnerability.

References: XSA-470 - CVE-2025-27465

🪲 Other bug fixes and improvements

  • openssh: Fix low priority CVE-2025-26465 DoS attack when VerifyHostKeyDNS is "yes" or "ask" (the default value has not changed: "no")
  • samba: Fix vulnerabilities which are very unlikely to be exploitable on XCP-ng but are reported by security scanners.
  • xcp-ng-release: This update adds a certificate to resolve a TLS handshake error, particularly when deploying XOA from CLI using curl.
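
To check whether any SSH client configuration enables the setting named in the openssh item above, here is an added example (not part of the original announcement or of XCP-ng's tooling). It scans ssh_config-style text for `VerifyHostKeyDNS` set to `yes` or `ask`; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ssh client config lines that set VerifyHostKeyDNS to
# "yes" or "ask". Reads ssh_config-style text on stdin and prints one
# "<line number>:<value>:<scope>" record per hit.
audit_verifyhostkeydns() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)               # drop leading whitespace
        if (line == "" || line ~ /^#/) next    # skip blank lines and comments
        if (!match(line, /^[^ \t=]+/)) next    # keyword ends at whitespace or "="
        key = tolower(substr(line, 1, RLENGTH))   # keywords are case-insensitive
        val = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val)        # separator: whitespace and/or one "="
        sub(/[ \t]+$/, "", val)
        gsub(/"/, "", val)                     # arguments may be double-quoted
        if (key == "host" || key == "match") { scope = key " " val; next }
        if (key == "verifyhostkeydns") {
            split(val, w, /[ \t]+/)
            v = tolower(w[1])
            if (v == "yes" || v == "ask")
                printf "%d:%s:%s\n", NR, v, (scope == "" ? "global" : scope)
        }
    }'
}

# Constructed sample input, not taken from a real host.
sample_config() {
    cat <<'EOF'
# constructed sample, not from a real host
Host build-*.example.test
    verifyhostkeydns = ask
Host legacy
    VerifyHostKeyDNS "yes"
Host safe
    VerifyHostKeyDNS=no
EOF
}

sample_config | audit_verifyhostkeydns
```

On a real host, feed it `/etc/ssh/ssh_config` and `~/.ssh/config`. Because ssh uses the first value obtained for each option, confirm the effective setting for a given destination with `ssh -G <host>`.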

📢 XCP-ng 8.2 LTS end of support

💡
XCP-ng 8.2 LTS will no longer be supported as of September 16, 2025.

We therefore strongly encourage you to migrate your pools to XCP-ng 8.3 LTS to continue benefiting from the latest security fixes and improvements.

Samuel Verschelde

Along with Thierry Escande, Gaël Duperrey

XCP-ng Lead Maintainer, Release Manager and Technical Product Manager. Open Source enthusiast since 2002.