New security and maintenance update candidate for you to test!
A hardware issue was found in AMD Zen 5 CPU devices, related to how random numbers are generated. It's best fixed via a firmware update, but we also provide updated microcode to mitigate it, and Xen is updated to support loading the newer microcode. We also publish other non-urgent updates which we had in the pipe for the next update release.
Security updates:
amd-microcode: This release fixes vulnerability CVE-2025-62626 in the microcode of AMD Zen 5 CPUs, which may generate an excessive number of zeros in random outputs, potentially compromising cryptographic security.
xen:
Introduce support for the new Linux AMD microcode container format (multiple blobs per CPU).
Address the XSA-476 vulnerability (CVE-2025-58149), low severity on XCP-ng (affects an unsupported feature of Xen).
Enable passthrough of devices on non-zero PCI segments.
Improve performance of resumed or migrated VMs by supporting superpage restoration
Fix detection of the Self Snooping feature on capable Intel CPUs
gpumon, xcp-featured: rebuilt for updated XAPI
qemu:
Synchronize with XenServer's fix for the Windows Server 2025 NVMe write cache issue that we fixed previously
Fix device passthrough with devices in a PCI segment different from 0
sm:
Upstream changes:
Robustify CBT enable/disable calls to prevent errors.
Various fixes regarding SCSI commands/functions.
Add tolerance in the GC during leaf coalesce.
Improve GC logging and correct rare race conditions.
Our changes:
Use serial instead of SCSI ID for SR on USB devices to prevent bad match.
Explicit error message during LVM metadata generation when VDI type is missing.
Correct and robustify LINSTOR deletion algorithm to manage in-use volumes.
Avoid throwing LINSTOR exceptions in case of impossible temporary volume deletion in order to properly terminate higher-level API calls.
Prevent XOSTOR operations if LINSTOR versions mismatch on a pool.
varstored:
Restore and update the default dbx for new VMs. That's the main change for users: we now embed the latest UEFI certificates with XCP-ng, making pools ready for secure boot out of the box. We'll update the documentation to explain how to handle the transition for existing pools (ranging from "nothing to do" to "do something to ensure that future certificate updates automatically become the pool's default").
Fix the format of the default included KEK/db/dbx to ensure safe updates
Fix an issue with UEFI variable length limit
xapi:
Support up to 16 VIFs (virtual network interfaces) per VM (previously: 7)
Runnable metrics:
runnable_any
runnable_vcpus
Various fixes, optimizations, small improvements, and foundational changes (such as getting prepared for a newer version of ocaml)
gpumon, xcp-featured: rebuilt for updated XAPI.
xcp-ng-pv-tools:
Properly detect Red Hat 10 and its derivatives when installing the Linux guest agent
Update Windows Tools to 9.1.100
xcp-ng-release: fix benign "unary operator expected" error, displayed when connecting from some terminal software
xha: Nothing of note, minor changes such as logging typos...
xo-lite: version 0.17.0
[VM/New] Fix the default topology by setting the platform:cores-per-socket value correctly (PR #9136)
[Host/HostSystemResourceManagement] Fix display when control domain memory is undefined (PR #9197)
xsconsole: Prepare for a future feature.
Optional packages updated:
qlogic-netxtreme2-alt: alternate driver for NetXtreme2 updated to version 7.15.24.
qlogic-qla2xxx-alt: alternate driver qla2xxx updated to version 10.02.14.01_k
Test on XCP-ng 8.3
yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates
yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates
reboot
The usual update rules apply: pool coordinator first, etc.
Versions:
amd-microcode: 20251203-1.1.xcpng8.3
gpumon: 24.1.0-71.1.xcpng8.3
qemu: 4.2.1-5.2.15.1.xcpng8.3
sm: 3.2.12-16.1.xcpng8.3
varstored: 1.2.0-3.4.xcpng8.3
xapi: 25.33.1-2.1.xcpng8.3
xcp-featured: 1.1.8-3.xcpng8.3
xcp-ng-pv-tools: 8.3-15.xcpng8.3
xcp-ng-release: 8.3.0-35
xen: 4.17.5-23.1.xcpng8.3
xha: 25.2.0-1.1.xcpng8.3
xo-lite: 0.17.0-1.xcpng8.3
xsconsole: 11.0.9.1-1.1.xcpng8.3.3
Optional packages:
qlogic-netxtreme2-alt: 7.15.24-1.xcpng8.3
qlogic-qla2xxx-alt: 10.02.14.01_k-1.xcpng8.3
What to test
Normal use and anything else you want to test.
Test window before official release of the updates
2 days.