XCP-ng 8.3 updates announcements and testing

MathieuRA

Hi @rzr,
When you say, "XO still showed host 2 needing patching", does that mean XO is still showing missing patches?

If so, can you run the following command: xe host-call-plugin host-uuid=<uuid-host2> plugin=updater.py fn=check_update

marcoi

after i manually applied the patches, i used XO to reboot the host 2.
After the host 2 rebooted, XO still showed the task running and the host2 showed it needed to be patched. I rebooted XO and the task is still there ( been there for 13 hours now lol. ) but now host 2 shows patched

Pilow

@marcoi perhaps a restart toolstack would correct the phantom task ?
but at the end of patching of the master a restart toolstack should have happened already, automatically...

rzr

New security update candidates for XCP-ng 8.3 LTS (kernel)

This release batch contains security fix on kernel, version update, some bug fixes and a few improvements.

What changed

Virtualization & System

• kernel: Fix Vulnerability: CVE-2026-46243

  • Fixed the CIFSwitch security vulnerability that could allow privilege escalation from a user with low privileges.

• intel-microcode: Fix a hang on boot on some platforms (Revert Granite Rapids AP/SP ucode back to IPU 2026.1)

Drivers

• intel-ice: Update to 2.4.5
  • Adds support for E825-C and E830.
  • Adds support for Link Aggregation (LAG).
  • Various stability, performance, and bug-fix updates.

Versions:

• intel-ice: 1.15.5-2.xcpng8.3 -> 2.4.5-8.1.1.xcpng8.3
• intel-microcode: 20260416-1.xcpng8.3 -> 20260416-2.xcpng8.3
• kernel: 4.19.19-8.0.46.5.xcpng8.3 -> 4.19.19-8.0.46.6.xcpng8.3

Test on XCP-ng 8.3

yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates
yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

What to test

As usual, normal use and anything else you want to test.

Test window before official release of the updates

~3 days

We would like to thank users who reported feedback since our last call for testing:

@Andrew, @acebmxer, @flakpyro, @jeffberntsen, @majorp93, @marcoi, @ph7, @pilow, @probain.

acebmxer

@rzr

Installed updates on home lab. No issues to report initially other then nslookup still an issue.

[10:54 xcp-ng-haznrrtw ~]# nslookup vates.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   vates.com
Address: 104.21.52.238
Name:   vates.com
Address: 172.67.205.118

openssl_link.c:132: INSIST(dst__memory_pool != ((void *)0)) failed, back trace
#0 0x7f163cd960e7 in ??
#1 0x7f163cd9603a in ??
#2 0x7f163d9a3780 in ??
#3 0x7f163c1aedf6 in ??
#4 0x7f163c1f5464 in ??
#5 0x7f163c1f5732 in ??
#6 0x7f163c1f4b8d in ??
#7 0x7f163a95fbd9 in ??
#8 0x7f163a95fc27 in ??
#9 0x7f163a94844c in ??
#10 0x405818 in ??
Aborted (core dumped)
[12:50 xcp-ng-haznrrtw ~]# 

flakpyro

Installed on my usual hosts, one of which has an E810 and used the ICE driver, no issues so far however i am not using LACP bonding on that host.

rzr

@acebmxer said:

@rzr
No issues to report initially other then nslookup still an issue.

openssl_link.c:132: INSIST(dst__memory_pool != ((void *)0)) failed, back trace

Yes I looked at it, it looks like it's a design isssue that was fixed in later version of bind.

In details If I understand correctly this patched version of nslookup is facing a SIGARBT caused by an assert on previously cleanup resources (dst__memory_pool) which is unexpected in finishing part of the openssl thread (dst__openssl_destroy).

This bind patched version (where ssl support is in progress) is also known to have memory leaks, but those are resolved in later version, so until we catch up you'll probably have to live with this little annoyance on process exit unless we find (and validate) a better fix.

Andrew

@rzr Installed and running. Not expecting any issues because I'm not using SMB/CIFS, ice card, or CPU with affected microcode.

Rolling pool reboot failed me again... This time it got stuck evacuating a host with no VMs.

bufanda

@rzr Installed on my usual lab pool. No immediate issues seen.

ph7

@rzr

manilx

@Andrew I have the RPU failing most of the time now also. I have reported and opened a ticket. No solution so far. It's a hit and miss and beginning to be a PITA.

Pilow

@manilx yup, same here
we evacuate & roll patch manually because RPU is inconsistent in achieving a full pool update nowadays

maximum hosts in pools are 3, so it is still easy to process manually
thoses with 5-6+ hosts must be more painful

olivierlambert

That would be interesting to group your findings/issues on RPU in a dedicated topic, because I don't think the logic changed recently So it's an interesting investigation to make.

JeffBerntsen

@rzr
Seems to be working well on my test systems as well.

marcoi

update to latest test patches on 2nd pool. no issue. LACP worked, started UB26 VM on host 4 and live migrated to host 3.

MajorP93

@rzr Installed those security update candidates in my XCP-ng test environment.
So far no issues whatsoever. Basic operations all work. VMs running etc.

rzr

rzr said:

New security update candidates for XCP-ng 8.3 LTS (kernel)

Test window before official release of the updates

~3 days

The testing window is extended a bit, expect also a next batch (to be tested later this month).

It has been planned to group updates for the convenience of administrators (stay tuned in blog).

Meanwhile If you didn't notice yet, an updated xen-4.17.6-9.2.xcpng8.3 package landed in testing repo, it addresses some low risk vulnerabilities as reported at:

• VSA-2026-017 (XSA-491, CVE-2026-42487)
• VSA-2026-018 (XSA-492, CVE-2026-42489 - CVE-2026-42490),
• VSA-2026-019 (CVE-2025-10263, XSA-493)
• VSA-2026-020 (CVE-2026-42488, XSA-494)

More to come soon

bufanda

@rzr Installed all currently available patches on my lab pool. No issue so far in normal use.

JeffBerntsen

@rzr

Installed on my test systems and all seems well so far.

acebmxer

@rzr

I also installed updates this morning no new issues to report.