Team - OS Platform & Release

Posts

  • RE: XCP-ng 8.2 updates announcements and testing

    XCP-ng 8.2 has just reached its end of life, but the adventure continues with XCP-ng 8.3 (and other versions to come). You can read the communication on this point on our blog: https://xcp-ng.org/blog/2025/09/16/xcp-ng-8-2-lts-reached-its-end-of-life/

    To continue benefiting from updates and developments, we invite you, if you haven't already done so, to upgrade your systems to XCP-ng 8.3.

    A relevant thread has been around for quite some time if you want to participate in early testing of the updates: https://xcp-ng.org/forum/topic/9964/xcp-ng-8-3-updates-announcements-and-testing/

  • RE: XCP-ng 8.3 updates announcements and testing
  • RE: XCP-ng 8.2 updates announcements and testing
  • RE: RPM package vmfs6-tools missing for local migration procedure

    I still had this tab open, which made me realize that although we packaged vmfs6-tools and updated the documentation at https://docs.xcp-ng.org/installation/migrate-to-xcp-ng/#local-migration-same-host, we didn't inform you here.

    Now it's done 🙂

  • RE: XCP-ng 8.2 updates announcements and testing

    New security update candidates for you to test!

    A new XSA (Xen Security Advisory) was published on the 9th of September, and an update to Xen addresses it.


    • xen-*:
      • Fix XSA-472 — Potential risks include Denial of Service (DoS) impacting the whole host, information exposure, or escalation of privileges. There are several vulnerabilities associated with the way guest memory pages are handled and accessed in the Viridian code:
        • NULL pointer dereference during reference TSC area update — This issue occurs when the system tries to update the reference TSC area but encounters a NULL pointer. (CVE-2025-27466)
        • NULL pointer dereference when delivering synthetic timer messages — This happens if the code assumes the SIM page is already mapped when a synthetic timer message must be delivered. (CVE-2025-58142)
        • Race condition in reference TSC page mapping — A guest system can trigger Xen to release a memory page while it is still referenced in the guest’s physical-to-machine (p2m) page tables. (CVE-2025-58143)

    Test on XCP-ng 8.2

    yum clean metadata --enablerepo=xcp-ng-candidates
    yum update --enablerepo=xcp-ng-candidates
    reboot
    

    The usual update rules apply: pool coordinator first, etc.

    Versions:

    • xen: 4.13.5-9.49.4.xcpng8.2

    What to test

    • Normal use and anything else you want to test.

    Test window before official release of the updates

    ~2 days.

    Remarks

    Another XSA (474) was released the same day regarding XAPI. Since the attack vector differs and is not easily exploitable in 8.2, we have not released a patch for it, unlike in 8.3.

    As a reminder, XCP-ng 8.2 LTS will no longer be supported as of September 16, 2025.

    We therefore strongly encourage you to migrate your pools to XCP-ng 8.3 LTS to continue benefiting from the latest security fixes and improvements.

  • RE: XCP-ng 8.3 updates announcements and testing

    New security update candidates for you to test!

    New XSAs (Xen Security Advisories) were published on the 9th of September, and updates to Xen & XAPI address them.

    • xapi:

      • Fix XSA-474 — A Denial of Service can be caused by buggy or malicious inputs to XAPI (CVE-2025-58146). There are several vulnerabilities identified in XAPI:
        • Input sanitisation mismatch in notifications — While updates to the XAPI database correctly sanitise input strings, the system generates notifications using the unsanitised version. This flaw causes the database’s event thread to crash, halting further processing.
        • Inconsistent UTF-8 handling — XAPI’s UTF-8 encoder follows version 3.0 of the Unicode specification, whereas some of the libraries it relies on enforce the stricter version 3.1 standard. As a result, certain strings may be accepted as valid UTF-8 by XAPI but rejected by other components. If such strings are entered into the database, the database can subsequently fail to load.
        • Lack of sanitisation in Map/Set updates — When updating Map/Set objects in the XAPI database, no sanitisation is applied to the inputs, which introduces additional risks.
    • xen-*:

      • Fix XSA-472 — Potential risks include Denial of Service (DoS) impacting the whole host, information exposure, or escalation of privileges. There are several vulnerabilities associated with the way guest memory pages are handled and accessed in the Viridian code:
        • NULL pointer dereference during reference TSC area update — This issue occurs when the system tries to update the reference TSC area but encounters a NULL pointer. (CVE-2025-27466)
        • NULL pointer dereference when delivering synthetic timer messages — This happens if the code assumes the SIM page is already mapped when a synthetic timer message must be delivered. (CVE-2025-58142)
        • Race condition in reference TSC page mapping — A guest system can trigger Xen to release a memory page while it is still referenced in the guest’s physical-to-machine (p2m) page tables. (CVE-2025-58143)

    Test on XCP-ng 8.3

    yum clean metadata --enablerepo=xcp-ng-candidates
    yum update --enablerepo=xcp-ng-candidates
    reboot
    

    The usual update rules apply: pool coordinator first, etc.

    Versions:

    • xapi: 25.6.0-1.12.xcpng8.3
    • xen: 4.17.5-15.3.xcpng8.3

    What to test

    Normal use and anything else you want to test.

    Test window before official release of the updates

    ~2 days.
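
An added example, not part of the original posts or of XCP-ng's own tooling: a post-reboot check that a host carries at least the builds listed under "Versions" in the 8.2 and 8.3 announcements above. The function names are hypothetical, the package names `xen-hypervisor` and `xapi-core` are assumed representatives of the `xen-*` and `xapi` updates, and GNU `sort -V` stands in for RPM's own version comparison.

```shell
#!/usr/bin/env bash
# Fixed version-release per package family, copied from the "Versions" lists.
fixed_for() {  # $1 = XCP-ng release, $2 = package family
    case "$1:$2" in
        8.2:xen)  echo "4.13.5-9.49.4.xcpng8.2" ;;
        8.3:xen)  echo "4.17.5-15.3.xcpng8.3" ;;
        8.3:xapi) echo "25.6.0-1.12.xcpng8.3" ;;
        *)        return 1 ;;
    esac
}

# True when $1 (installed) sorts at or after $2 (fixed) in version order.
at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Reads "name version-release" lines on stdin, e.g. from (assumed package names):
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' xen-hypervisor xapi-core
# Prints one line per package still below the fixed build and returns
# non-zero if any were found.
report_unpatched() {  # $1 = XCP-ng release
    ru_rel="$1"; ru_bad=0
    while read -r ru_name ru_vr; do
        case "$ru_name" in
            xen-hypervisor) ru_family=xen ;;
            xapi-core)      ru_family=xapi ;;
            *)              continue ;;
        esac
        # Skip families with no update candidate for this release (xapi on 8.2).
        ru_fixed=$(fixed_for "$ru_rel" "$ru_family") || continue
        if ! at_least "$ru_vr" "$ru_fixed"; then
            echo "$ru_name $ru_vr < $ru_fixed"
            ru_bad=1
        fi
    done
    return "$ru_bad"
}

# Constructed sample (not real host output): xen is one build behind.
sample='xen-hypervisor 4.17.5-15.2.xcpng8.3
xapi-core 25.6.0-1.12.xcpng8.3'
printf '%s\n' "$sample" | report_unpatched 8.3 || echo "host still needs the update"
```

Run it on every pool member after its reboot, coordinator first, so a host that was skipped or not rebooted into the new build shows up before the pool is considered updated.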

  • RE: New Rust Xen guest tools

    @john.c OK, that will be useful when the repo is signed, but for now I don't see what adverse effect it can have. Am I missing something?

    Also we try to avoid breaking support for older OS versions, so we'll likely continue to advertise the old format for older versions of Debian.

  • RE: New Rust Xen guest tools

    @flakpyro the old format is still supported, and actually the [trusted=yes] in the old-style configuration shown in the release notes does work in my quick test with our own Debian 13 hub template.
