RE: XCP-ng 8.3 updates announcements and testing

So, we owe a very big thank you to everyone here for your tests and feedback. The numerous updates that were in the xcp-ng-testing repository are now officially published to everyone:

https://xcp-ng.org/blog/2025/05/26/may-2025-maintenance-update-for-xcp-ng-8-3/

But stay with us, as very soon we'll have a few more updates to test, as well as refreshed installation ISOs!

@Andrew What does a regular linux distro output as a version for the driver? I've been told there's no version in the source code, so does it output anything?

@Andrew Thanks for noticing that. CC @ThierryEscande

@flakpyro No, I'm waiting for more feedback from the devs. All I have from them for now is it looks like either a firmware or a passthrough issue. I don't think we have changed anything to fix it.

New update update candidates for you to test!

Unless major issues are found, this should be the last wave of update candidates before we publish everything as official updates for XCP-ng 8.3.

• cifs-utils: update and rebuild based on the sources for the RHEL9 package. This fixes several low priority CVEs (in the context of XCP-ng) and will make future vulnerability patching easier.
• curl: update to version 8.9.1, based on RHEL 10 package, and apply an additional fix for CVE-2024-8096 (low impact in XCP-ng context).
• intel-e1000e: major driver update, backported from Linux kernel 5.10.179, to fix issues with recent hardware.
• kernel: Fix support of dynamic tracepoints when debugging the dom0 Linux kernel with the perf tool
• ncurses: Revert -devel package ABI to version 5 to avoid potential library conflicts in packages built against it
• openssh: rebuild against updated ncurses package
• python3-docutils: new dependency of cifs-utils
• samba:
  • Fix CVE-2016-2124, a flaw on SMB1 auth. An attacker could retrieve the password by using NT1.
  • Fix CVE-2021-44142, an out-of-bounds heap read write vulnerability that allows remote attackers to execute arbitrary code by using VFS_fruit module.
• systemtap: rebuild against updated ncurses package
• xapi: Remove pvsproxy.service from the list of units restarted on xcp-rrdd update. The service in question attempts to start a proprietary component from XenServer that isn't present in XCP-ng, which led to displaying a not so pretty error in the logs.
• xcp-ng-release: Enable missing xcp-rrdd plugins by default. Yes, failure to do so was what caused the empty stats issue you have been seeing in previous update candidates.
• xen: rebuild against updated ncurses package + some fixes.
• xo-lite: Update to 0.10.1.

Test on XCP-ng 8.3

From an up-to-date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

• cifs-utils: 7.1-2.1
• curl: 8.9.1-5.1.xcpng8.3
• intel-e1000e: 5.10.179-1.xcpng8.3
• kernel: 4.19.19-8.0.38.2.xcpng8.3
• ncurses: 6.4-6.20240309.xcpng8.3
• openssh: 7.4p1-23.3.3.xcpng8.3
• python3-docutils: 0.14-1.el7
• samba: 4.10.16-25.1.xcpng8.3
• systemtap: 4.0-5.2.xcpng8.3
• xapi: 25.6.0-1.5.xcpng8.3
• xcp-ng-release: 8.3.0-32
• xen: 4.17.5-10.1.xcpng8.3
• xo-lite: 0.10.1-1.xcpng8.3

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Special focus:

• We updated the e1000e driver. If you have Intel PCI-Express network chipsets, please test this update and verify that network connectivity and features that you depend on work as expected.
• SMB shares and SRs.
• yum still appearing to work correctly after the update.
• SSH connection to hosts.
• Stats. But I'm sure that's the first thing several among you will test already.

Test window before official release of the updates

Around one week, unless major issues are found.

Yes update candidates that were not urgent security fixes are still in the xcp-ng-testing repository (and more is coming soon, today or on
monday).

Just to be sure, is there an issue for us to investigate here, or expected failure due to version mismatch?

@ph7 As David mentioned, the security updates were released yesterday. They are no longer in the candidates repository, but in the updates repository.

Note that the updates in the testing repository have not yet been released. They include a more recent version of the XAPI. This could explain why you can no longer migrate this VHD between your test and production environments.

Are you trying to perform a live migration or with the VM powered off?

@Greg_E Thanks for letting me know. It is useful to make sure that it's still working on any kind of hardware, but your lab won't participate this time

New security update candidates for you to test!

Yet more vulnerabilities in Intel hardware, addressed in two complementary ways: patching Xen and updating Intel microcode.

Together with this security update, will also publish a patched XAPI to fix a minor issue with information reporting from VM to hypervisor.

Test on XCP-ng 8.2

From an up-to-date host:

yum clean metadata --enablerepo=xcp-ng-candidates
yum update --enablerepo=xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

• microcode_ctl: 2.1-26.xs29.8.xcpng8.2 (weird identifier for historical reasons, but that's actually Intel microcode published by them yesterday)
• xen: 4.13.5-9.49.1.xcpng8.2
• xapi: 1.249.41-1.2.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~24h. That's an urgent one.