
March 2026 Maintenance Updates for XCP-ng 8.3 LTS

Update Mar 10, 2026

New maintenance updates are available for XCP-ng 8.3 LTS.

📔
To update, follow this guide. You can also join the discussion on our community forum.
Host reboots are necessary after this update.

📋Summary

The updated packages bring a series of improvements and bug fixes.

Although this update does not address any immediately exploitable vulnerabilities, it improves the system’s current and future security by upgrading to OpenSSL 3 and strengthening cryptographic protections.

🔒OpenSSL 3

OpenSSL was updated to version 3.0.9. This is a major version jump from the previous versions, 1.0.2 and 1.1 (both patched against vulnerabilities, but becoming obsolete and harder to maintain).

As a consequence, many system packages were rebuilt and are part of this update. In the general case, this doesn't change anything functionally. There is one notable exception, related to Xen Orchestra's SDN controller plugin. See the callout below.

To enable backward compatibility with older deprecated APIs, a new package, openssl-compat-10, has been introduced.

⚠️
Xen Orchestra's sdn_controller users should be aware that the newer OpenSSL will cause XCP-ng to reject previously generated self-signed certificates for the SDN Controller: they must be updated manually, following this guide.

🔒 Upcoming hardening for SSH

The hardening effort doesn't stop with OpenSSL. OpenSSH will also be upgraded as part of a subsequent update planned in the coming weeks.

⚠️
As part of this upcoming OpenSSH update, weak algorithms will be disabled. This will affect connections that use old SSH keys in conjunction with old SSH clients. We urge our users to use up-to-date SSH clients and keys that conform to today's best security practices.

Note: for any interested user, the OpenSSH update has already been validated both internally and by the user community (thanks Andrew for your feedback on the connection issues!) and is already available in our test repositories. Join the thread for more information.
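One way to find keys worth replacing before the OpenSSH update, as an added example that is not part of the original announcement or of XCP-ng's tooling: it parses `authorized_keys` lines and flags weak key types. The announcement does not list the algorithms that will be disabled, so the policy here (DSA keys and RSA keys under 2048 bits count as weak) is an assumption, and all function names and the sample keys are constructed for illustration.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumed policy; the page does not name the weak algorithms

def _read_string(blob, offset):  # one length-prefixed field of a key blob
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def classify_key(line):
    """Return (key_type, rsa_bits, verdict) for one authorized_keys line."""
    fields = line.split()
    for i in range(len(fields) - 1):
        try:  # options may precede the key: pair a type field with its blob
            blob = base64.b64decode(fields[i + 1], validate=True)
            name, off = _read_string(blob, 0)
            if name.decode("ascii", "replace") != fields[i]:
                continue
            bits = None
            if fields[i] == "ssh-rsa":
                _exponent, off = _read_string(blob, off)
                modulus, _ = _read_string(blob, off)
                bits = int.from_bytes(modulus, "big").bit_length()
        except (ValueError, struct.error):
            continue
        weak = fields[i] == "ssh-dss" or (bits is not None and bits < MIN_RSA_BITS)
        return fields[i], bits, "weak" if weak else "ok"
    return None, None, "unparsed"

def audit(text):  # classify every non-comment line of an authorized_keys file
    lines = map(str.strip, text.splitlines())
    return [classify_key(l) for l in lines if l and not l.startswith("#")]

def _line(key_type, *parts, prefix=""):  # constructed, non-functional key line
    raw = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(), *parts))
    return f"{prefix}{key_type} {base64.b64encode(raw).decode()} constructed"
def _modulus(bits):  # placeholder modulus of the requested size, as an mpint
    return b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")

SAMPLE = "\n".join([  # constructed input, not real keys
    "# authorized_keys",
    _line("ssh-rsa", b"\x01\x00\x01", _modulus(1024)),
    _line("ssh-rsa", b"\x01\x00\x01", _modulus(4096)),
    _line("ssh-dss", b"\x01", prefix='from="192.0.2.10" '),
    _line("ssh-ed25519", bytes(32)),
])
```

Calling `audit()` on the contents of a real `authorized_keys` file returns one tuple per key; lines reported as `unparsed` deserve a manual look.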

🏃Performance improvement for live migration on AMD

Patches contributed by XenServer developers bring a significant improvement in live migration performance on AMD systems under heavy load.

Optimizations implemented for Intel CPUs were missing for their AMD counterparts.

💽 intel-microcode

Intel issued a Security Advisory (INTEL-SA) that is addressed by a new microcode release. The microcode update addresses the following vulnerability:

The intel-microcode package was updated to include this new release. The release number of the updated package is 20260115-1.

⚠️
Updated firmware is provided as a convenience to help mitigate hardware vulnerabilities and other bugs. Updating your hardware's firmware remains the preferred method for updating microcode, and any newer microcode found in the firmware will take precedence over the microcode provided in XCP-ng.

References: INTEL-SA-01083 - CVE-2025-31648

Although this is not strictly a security update, it includes numerous package updates to accommodate the transition to OpenSSL 3. Several potential security issues are addressed as part of this update. The most significant changes are summarized below.

mdadm

  • CVE-2023-28938 Uncontrolled resource consumption vulnerability that could allow local attackers to cause denial of service through specially crafted input.

openssl

wget

  • CVE-2018-0494 Fixed a cookie injection vulnerability that allowed arbitrary cookie values to be injected into the cookie jar.
  • CVE-2019-5953 Fixed a buffer overflow vulnerability in the handling of HTTP Set-Cookie headers with specially crafted values.
  • CVE-2021-31879 Fixed an authorization header disclosure vulnerability where credentials could be sent to unintended hosts during redirects.

🪲 Other bugfixes and improvements

Virtualization & System

  • xen: Updated to minor release 4.17.6.
  • qemu: Bug fixes
  • varstored: Update to 1.3.1, no functional changes.

Control Plane

XAPI, XCP-ng's control plane, was updated to version 26.1.3.

  • User agents of clients connecting to the API are now tracked. They can be fetched by using Host.get_tracked_user_agents.
  • Now it's possible to delete a VM with a snapshot that has a vTPM associated.
  • Speed up exports for mostly empty disks.
  • Now the tags of VDIs are copied when they are cloned or snapshotted.
  • Fixed Rolling Pool Update scenario where pool members don't get enabled.
  • Added API for controlling NTP.
  • Fixed falling back to full backups instead of delta backups in cases where a VM was hosted in a local SR with more than 256 disks. This could also cause migrations to fail.
  • Added API to limit the number of VNC connections to a single VM.

UI

XO Lite was updated to version 0.19.0

  • [VM/New] Added vTPM support.
  • [VM/New] Fix wording in "Memory" section.
  • [TreeView] Scroll to current item in list view.
  • CHANGELOG

Storage (general)

  • Improve the robustness of the garbage collector when a host is offline.
  • Fix a disk coalesce issue related to LVM VDIs sometimes being inactive.
  • Fix garbage collector failures related to stale metadata wrongly indicating that there is not enough space available.
  • Improve error messages when the VDI type is missing on LVM VDIs.
  • Fix a crash happening when scanning a SR with corrupt VHDs.
  • Add scini device support (Dell PowerFlex).

Storage (XOSTOR)

Various bugfixes, stability improvements

  • drbd: Reduce the I/O load and time during resync.
  • drbd-reactor: Misc event improvements.
  • linstor:
    • Resource delete: Fixed rare race condition where a delayed DRBD event causes "resource not found".
    • Misc changes to improve the robustness of LINSTOR API calls and checks.
  • sm:
    • Robustify LINSTOR VDI resize and improve error messages.
    • Improve LINSTOR SR scan performance.
    • Ensure a XOSTOR volume can't be destroyed if used by any process.
    • Detect the controller's location more quickly.
    • Avoid issuing errors if the size of a volume cannot be fetched after a bad delete call.
  • python-linstor: Update to 1.27.1.
  • linstor-client: Update to 1.27.1.

Misc

  • The shell command history now records timestamps to improve user support.
  • Several minor version updates in various system components (ipmitool, libarchive, trousers, wget...).

Drivers

  • broadcom-bnxt-en: Update to v1.10.3_237.1.20.0. No functional changes expected.
  • intel-i40e: Update to 2.25.11.
    • PTP-related kernel crash bugfixes for Intel i40e driver version 2.25.11.
    • ⚠️ Search online for the "intel <model-name> compatibility matrix" and make sure to update the Non-Volatile Memory in the network card with the matching NVM version, after updating the driver.
    • This is also applicable for the intel-i40e-alt flavour of the driver package.
  • intel-ixgbe: Update to 6.2.5. More Ethernet PCI Express 10 Gigabit Intel NIC devices are handled (E600 and E610 series).

Samuel Verschelde

Along with Philippe Coval, Gaël Duperrey, David Morel

XCP-ng Lead Maintainer, Release Manager and Technical Product Manager. Open Source enthusiast since 2002.