July 2025 Security Update #2 for XCP-ng 8.3 LTS
New security and bugfix updates are available for XCP-ng 8.3 LTS.
Host reboots are necessary after this update.
📋 Summary
We already published updates this month, but new hardware vulnerabilities in several AMD CPUs have been disclosed since, so we are back with new updates to address them. Updated microcode mitigates them, and Xen is updated to leverage the changes in the updated microcode. We are also publishing other non-urgent updates that we had in the pipeline for the next update release.
🔒 Security Updates
New speculative side-channel attacks have been discovered, affecting systems running AMD Fam19h CPUs (Zen3/4 microarchitectures). An attacker could infer data from other contexts. There are no current mitigations, but AMD is producing microcode to address the issue, and patches for Xen are available. These attacks, named Transitive Scheduler Attacks (TSA) by AMD, include CVE-2024-36350 (TSA-SQ) and CVE-2024-36357 (TSA-L1).
Updated packages in XCP-ng:
- amd-microcode: Update to 20250626-1 as redistributed by XenServer.
- xen-* packages were updated to address this vulnerability.
References: XSA-471 - CVE-2024-36350 (TSA-SQ) - CVE-2024-36357 (TSA-L1)
Updating your hardware's firmware remains the preferred method for updating microcode, and any newer microcode found in the firmware will take precedence over the microcode provided in XCP-ng.
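An added example, not part of the original announcement or XCP-ng tooling: a small check that flags hosts with a Fam19h CPU (reported as cpu family 25 in /proc/cpuinfo) whose installed amd-microcode package predates 20250626. The function names, verdict strings and the assumption that the package VERSION field is a date are choices made for this sketch. It reports only the installed package, not the microcode revision actually loaded, which depends on the reboot and on firmware as described above.

```shell
#!/bin/sh
# Added example (not XCP-ng tooling): inventory check for the update above.
# Function names and verdict strings are assumptions made for this sketch.

FIXED_UCODE_DATE=20250626   # amd-microcode version named in this advisory

# Reads /proc/cpuinfo-style text on stdin. Succeeds if the first CPU listed
# is AMD family 25 (0x19, i.e. Fam19h).
is_fam19h() {
    awk -F': *' '
        /^vendor_id/  && !v { v = $2 }
        /^cpu family/ && !f { f = $2 }
        END { exit !(v == "AuthenticAMD" && f + 0 == 25) }'
}

# Takes a "VERSION-RELEASE" string as printed by
#   rpm -q --qf '%{VERSION}-%{RELEASE}' amd-microcode
# Succeeds if VERSION (assumed to be a date) is at least FIXED_UCODE_DATE.
# Returns 2 when the string does not start with a numeric version, which
# covers rpm's "package ... is not installed" message.
ucode_pkg_is_fixed() {
    ver=${1%%-*}
    case $ver in ''|*[!0-9]*) return 2 ;; esac
    [ "$ver" -ge "$FIXED_UCODE_DATE" ]
}

# Prints one verdict for a host, given its cpuinfo text and package string.
# This covers the installed package only, not the loaded microcode revision.
audit_host() {
    if ! printf '%s\n' "$1" | is_fam19h; then
        echo "not-fam19h"
    elif ucode_pkg_is_fixed "$2"; then
        echo "fam19h-package-updated"
    else
        echo "fam19h-package-outdated"
    fi
}

# On a real host (dom0):
#   audit_host "$(cat /proc/cpuinfo)" \
#              "$(rpm -q --qf '%{VERSION}-%{RELEASE}' amd-microcode)"
```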
🪲 Other bugfixes and improvements
- http-nbd-transfer:
  - Fix missing import exceptions in log files.
  - Fix a potential HA startup failure with LINSTOR.
- xo-lite: update to 0.12.1
  - [Charts] Fix tooltip overflow when too close to the edge.
  - [Host/VM/Dashboard] Fix timestamp on some charts.
About XCP-ng 8.2 LTS
These hardware vulnerabilities also affect XCP-ng 8.2 LTS. Fixes will be released shortly, as they require some additional preparation for this version.