July 2025, Security Update #2 for XCP-ng 8.2 LTS
New security updates are available for XCP-ng 8.2 LTS.
Host reboots are necessary after this update.
📋Summary
We already published updates this month, but new hardware vulnerabilities in several AMD CPUs have been disclosed since, so we are back with new updates to address them. Updated microcode mitigates them, and Xen is updated to leverage the changes in the updated microcode.
🔒Security Updates
New speculative side-channel attacks have been discovered, affecting systems running AMD Fam19h CPUs (Zen3/4 microarchitectures). An attacker could infer data from other contexts. There are no current mitigations, but AMD is producing microcode to address the issue, and patches for Xen are available. These attacks, named Transitive Scheduler Attacks (TSA) by AMD, include CVE-2024-36350 (TSA-SQ) and CVE-2024-36357 (TSA-L1).
linux-firmware: Update to 20250626-1 as redistributed by XenServer.
xen-* packages were updated to address this vulnerability.
References: XSA-471 - CVE-2024-36350 (TSA-SQ) - CVE-2024-36357 (TSA-L1)
Updating your hardware's firmware remains the preferred method for updating microcode, and any newer microcode found in the firmware will take precedence over the microcode provided in XCP-ng.
📢 XCP-ng 8.2 LTS end of support
We therefore strongly encourage you to migrate your pools to XCP-ng 8.3 LTS to continue benefiting from the latest security fixes and improvements.