-
I have published the security updates for XCP-ng 8.1, so you can already update your hosts.
The blog post will be published a bit later, at the same time as the XCP-ng 8.0 update.
-
Updates pushed for XCP-ng 8.0, however there remain two CVEs that we couldn't fix, and since XCP-ng 8.0 will soon be EOL, we will probably not fix them: http://xenbits.xen.org/xsa/advisory-331.html and http://xenbits.xen.org/xsa/advisory-332.html
Users of XCP-ng 8.0 should review these and consider upgrading soon. The risk mostly depends on whether there's untrusted workload running in the VMs. If the risk is acceptable, you may wait for the XCP-ng 8.2 release in order to update directly to the LTS.
-
@stormi Updated my 8.0 test server and all seems to be working just fine so far.
-
Blog announcement published yesterday: https://xcp-ng.org/blog/2020/11/02/november-2020-security-updates/
-
New security update candidate - Another Intel CPU vulnerability
Security update candidates are available for testing for XCP-ng 8.1. They address the "Platypus" vulnerability.
Update with:
yum clean all --enablerepo=xcp-ng-testing
yum update microcode_ctl xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
Feedback welcome before the imminent broad release.
XCP-ng 8.0 will not receive fixes any more
-
Update published. Blog post to follow soon.
Update: https://xcp-ng.org/blog/2020/11/17/security-update-for-platypus-side-channel-attack/
-
New security update candidate - the third in one month
A vulnerability has been found in the patch that fixed a previous vulnerability. It may allow a privileged user in a guest VM with a PCI passthrough device to compromise the host.
Update candidates are available for XCP-ng 8.1 and 8.2:
yum clean all --enablerepo=xcp-ng-testing
yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
And reboot.
Please install them and report to confirm that everything is working as expected.
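An added example, not part of the original post or of XCP-ng's own tooling: one way to confirm on a host that the "And reboot." step actually happened after such an update, by comparing RPM install times with the boot time from /proc/stat. The BOOT_CRITICAL list and all function names are assumptions of this example.

```shell
#!/bin/sh
# Packages whose new code is only loaded at boot (assumption of this
# example: the dom0 kernel and the Xen hypervisor from the update lists).
BOOT_CRITICAL="kernel xen-hypervisor"

# pending_reboot BOOT_EPOCH   (reads "name install_epoch" lines on stdin)
# Prints every boot-critical package installed after BOOT_EPOCH.
# Returns 0 if at least one was found (reboot still pending), 1 otherwise.
pending_reboot() {
    boot=$1
    rc=1
    while read -r name installed; do
        [ -n "$name" ] || continue
        for pkg in $BOOT_CRITICAL; do
            if [ "$name" = "$pkg" ] && [ "$installed" -gt "$boot" ]; then
                echo "$name"
                rc=0
            fi
        done
    done
    return $rc
}

# Boot time of the running system in epoch seconds.
boot_epoch() { awk '$1 == "btime" { print $2 }' /proc/stat; }

# Install times from the RPM database. A missing package yields a
# "package X is not installed" line, which pending_reboot ignores
# because its first field matches no package name.
installed_times() {
    rpm -q --qf '%{NAME} %{INSTALLTIME}\n' $BOOT_CRITICAL 2>/dev/null
}

# On a real host:  installed_times | pending_reboot "$(boot_epoch)"

# Constructed sample: host booted at 1608200000, update installed later.
if printf 'kernel 1608224400\nxen-libs 1608224402\n' | pending_reboot 1608200000
then
    echo "reboot pending: patched code is installed but not yet running"
fi
```

Several versions of a package may be installed at once; any boot-critical entry newer than the last boot is enough to report a pending reboot.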
-
@stormi updated my three host playlab (8.2.0 fully patched) with no problem. Kicked around some VMs (starting, stopping, live migration, delete, restore from backup, snapshot) but no serious testing. Everything worked fine.
-
Thanks @gskger for the feedback. The update has been pushed on Wednesday evening and the blog post published yesterday: https://xcp-ng.org/blog/2020/11/26/security-and-bugfix-update-cve/
For XCP-ng 8.2, updates also include UEFI support fixes.
-
@stormi thank you as well for regularly pushing out security updates and bugfixes. Makes me feel comfortable to have a solid virtualization environment (even with a non-commercial homelab).
-
Thank you for the feedback also. Ideally, we'd like to have more people like you!
-
A reminder about this thread and what it's for.
This is where we announce new update candidates for stable releases of XCP-ng, so that you can provide feedback before we push them to the updates repositories for everyone.
For security-related updates, we usually need quick feedback.
Anyone can test. Just:
- Subscribe to this thread (and make sure to enable mail notifications in your forum settings)
- Install the update candidates when we announce one (we usually provide the installation instructions)
- Check that you don't spot any obvious regression. We're not asking that you do extensive QA of the updates for us, just that you can confirm that it works for you.
See you in the next few days for a new batch of security updates
-
New security update candidates
Update candidates are ready for XCP-ng 8.1 and 8.2.
Install them with:
yum clean all --enablerepo=xcp-ng-testing
yum update kernel xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools xenopsd xenopsd-cli xenopsd-xc --enablerepo=xcp-ng-testing
And reboot.
Please install them and report to confirm that everything is still working as expected.
-
Update done, rebooting went well, will start to monitor for anomalies.
No news after this message means good news
[17:16 xenserver-2 ~]# yum update kernel xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools xenopsd xenopsd-cli xenopsd-xc --enablerepo=xcp-ng-testing
Loaded plugins: fastestmirror
Determining fastest mirrors
Excluding mirror: updates.xcp-ng.org
 * xcp-ng-base: mirrors.xcp-ng.org
Excluding mirror: updates.xcp-ng.org
 * xcp-ng-testing: mirrors.xcp-ng.org
Excluding mirror: updates.xcp-ng.org
 * xcp-ng-updates: mirrors.xcp-ng.org
xcp-ng-base/signature | 473 B 00:00
xcp-ng-base/signature | 3.0 kB 00:00 !!!
xcp-ng-testing/signature | 473 B 00:00
xcp-ng-testing/signature | 3.0 kB 00:00 !!!
xcp-ng-updates/signature | 473 B 00:00
xcp-ng-updates/signature | 3.0 kB 00:00 !!!
(1/3): xcp-ng-updates/primary_db | 21 kB 00:00
(2/3): xcp-ng-base/primary_db | 1.2 MB 00:00
(3/3): xcp-ng-testing/primary_db | 47 kB 00:00
Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:4.19.19-7.0.8.1.xcpng8.2 will be updated
---> Package kernel.x86_64 0:4.19.19-7.0.9.1.xcpng8.2 will be an update
---> Package xen-dom0-libs.x86_64 0:4.13.1-9.7.1.xcpng8.2 will be updated
---> Package xen-dom0-libs.x86_64 0:4.13.1-9.8.2.xcpng8.2 will be an update
---> Package xen-dom0-tools.x86_64 0:4.13.1-9.7.1.xcpng8.2 will be updated
---> Package xen-dom0-tools.x86_64 0:4.13.1-9.8.2.xcpng8.2 will be an update
---> Package xen-hypervisor.x86_64 0:4.13.1-9.7.1.xcpng8.2 will be updated
---> Package xen-hypervisor.x86_64 0:4.13.1-9.8.2.xcpng8.2 will be an update
---> Package xen-libs.x86_64 0:4.13.1-9.7.1.xcpng8.2 will be updated
---> Package xen-libs.x86_64 0:4.13.1-9.8.2.xcpng8.2 will be an update
---> Package xen-tools.x86_64 0:4.13.1-9.7.1.xcpng8.2 will be updated
---> Package xen-tools.x86_64 0:4.13.1-9.8.2.xcpng8.2 will be an update
---> Package xenopsd.x86_64 0:0.150.0-1.2.xcpng8.2 will be updated
---> Package xenopsd.x86_64 0:0.150.2-1.1.xcpng8.2 will be an update
---> Package xenopsd-cli.x86_64 0:0.150.0-1.2.xcpng8.2 will be updated
---> Package xenopsd-cli.x86_64 0:0.150.2-1.1.xcpng8.2 will be an update
---> Package xenopsd-xc.x86_64 0:0.150.0-1.2.xcpng8.2 will be updated
---> Package xenopsd-xc.x86_64 0:0.150.2-1.1.xcpng8.2 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Updating:
kernel x86_64 4.19.19-7.0.9.1.xcpng8.2 xcp-ng-testing 30 M
xen-dom0-libs x86_64 4.13.1-9.8.2.xcpng8.2 xcp-ng-testing 621 k
xen-dom0-tools x86_64 4.13.1-9.8.2.xcpng8.2 xcp-ng-testing 2.4 M
xen-hypervisor x86_64 4.13.1-9.8.2.xcpng8.2 xcp-ng-testing 2.3 M
xen-libs x86_64 4.13.1-9.8.2.xcpng8.2 xcp-ng-testing 36 k
xen-tools x86_64 4.13.1-9.8.2.xcpng8.2 xcp-ng-testing 29 k
xenopsd x86_64 0.150.2-1.1.xcpng8.2 xcp-ng-testing 74 k
xenopsd-cli x86_64 0.150.2-1.1.xcpng8.2 xcp-ng-testing 1.3 M
xenopsd-xc x86_64 0.150.2-1.1.xcpng8.2 xcp-ng-testing 3.9 M
Transaction Summary
================================================================================
Upgrade 9 Packages
Total download size: 40 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/9): xen-dom0-libs-4.13.1-9.8.2.xcpng8.2.x86_64.rpm | 621 kB 00:00:00
(2/9): kernel-4.19.19-7.0.9.1.xcpng8.2.x86_64.rpm | 30 MB 00:00:01
(3/9): xen-hypervisor-4.13.1-9.8.2.xcpng8.2.x86_64.rpm | 2.3 MB 00:00:00
(4/9): xen-libs-4.13.1-9.8.2.xcpng8.2.x86_64.rpm | 36 kB 00:00:00
(5/9): xen-tools-4.13.1-9.8.2.xcpng8.2.x86_64.rpm | 29 kB 00:00:00
(6/9): xenopsd-0.150.2-1.1.xcpng8.2.x86_64.rpm | 74 kB 00:00:00
(7/9): xenopsd-cli-0.150.2-1.1.xcpng8.2.x86_64.rpm | 1.3 MB 00:00:00
(8/9): xen-dom0-tools-4.13.1-9.8.2.xcpng8.2.x86_64.rpm | 2.4 MB 00:00:02
(9/9): xenopsd-xc-0.150.2-1.1.xcpng8.2.x86_64.rpm | 3.9 MB 00:00:03
--------------------------------------------------------------------------------
Total 6.9 MB/s | 40 MB 00:00:05
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : xen-hypervisor-4.13.1-9.8.2.xcpng8.2.x86_64 1/18
Updating : xen-dom0-libs-4.13.1-9.8.2.xcpng8.2.x86_64 2/18
Updating : xen-libs-4.13.1-9.8.2.xcpng8.2.x86_64 3/18
Updating : xen-tools-4.13.1-9.8.2.xcpng8.2.x86_64 4/18
Updating : xen-dom0-tools-4.13.1-9.8.2.xcpng8.2.x86_64 5/18
Updating : xenopsd-0.150.2-1.1.xcpng8.2.x86_64 6/18
Updating : xenopsd-cli-0.150.2-1.1.xcpng8.2.x86_64 7/18
Updating : xenopsd-xc-0.150.2-1.1.xcpng8.2.x86_64 8/18
Updating : kernel-4.19.19-7.0.9.1.xcpng8.2.x86_64 9/18
Cleanup : xenopsd-xc-0.150.0-1.2.xcpng8.2.x86_64 10/18
Cleanup : xenopsd-cli-0.150.0-1.2.xcpng8.2.x86_64 11/18
Cleanup : xenopsd-0.150.0-1.2.xcpng8.2.x86_64 12/18
Cleanup : kernel-4.19.19-7.0.8.1.xcpng8.2.x86_64 13/18
Cleanup : xen-dom0-tools-4.13.1-9.7.1.xcpng8.2.x86_64 14/18
Cleanup : xen-tools-4.13.1-9.7.1.xcpng8.2.x86_64 15/18
Cleanup : xen-dom0-libs-4.13.1-9.7.1.xcpng8.2.x86_64 16/18
Cleanup : xen-libs-4.13.1-9.7.1.xcpng8.2.x86_64 17/18
Cleanup : xen-hypervisor-4.13.1-9.7.1.xcpng8.2.x86_64 18/18
Verifying : kernel-4.19.19-7.0.9.1.xcpng8.2.x86_64 1/18
Verifying : xen-libs-4.13.1-9.8.2.xcpng8.2.x86_64 2/18
Verifying : xen-dom0-tools-4.13.1-9.8.2.xcpng8.2.x86_64 3/18
Verifying : xenopsd-0.150.2-1.1.xcpng8.2.x86_64 4/18
Verifying : xen-tools-4.13.1-9.8.2.xcpng8.2.x86_64 5/18
Verifying : xen-hypervisor-4.13.1-9.8.2.xcpng8.2.x86_64 6/18
Verifying : xen-dom0-libs-4.13.1-9.8.2.xcpng8.2.x86_64 7/18
Verifying : xenopsd-cli-0.150.2-1.1.xcpng8.2.x86_64 8/18
Verifying : xenopsd-xc-0.150.2-1.1.xcpng8.2.x86_64 9/18
Verifying : xen-hypervisor-4.13.1-9.7.1.xcpng8.2.x86_64 10/18
Verifying : xen-dom0-libs-4.13.1-9.7.1.xcpng8.2.x86_64 11/18
Verifying : xenopsd-xc-0.150.0-1.2.xcpng8.2.x86_64 12/18
Verifying : xen-tools-4.13.1-9.7.1.xcpng8.2.x86_64 13/18
Verifying : xenopsd-cli-0.150.0-1.2.xcpng8.2.x86_64 14/18
Verifying : xen-libs-4.13.1-9.7.1.xcpng8.2.x86_64 15/18
Verifying : xen-dom0-tools-4.13.1-9.7.1.xcpng8.2.x86_64 16/18
Verifying : kernel-4.19.19-7.0.8.1.xcpng8.2.x86_64 17/18
Verifying : xenopsd-0.150.0-1.2.xcpng8.2.x86_64 18/18
Updated:
kernel.x86_64 0:4.19.19-7.0.9.1.xcpng8.2
xen-dom0-libs.x86_64 0:4.13.1-9.8.2.xcpng8.2
xen-dom0-tools.x86_64 0:4.13.1-9.8.2.xcpng8.2
xen-hypervisor.x86_64 0:4.13.1-9.8.2.xcpng8.2
xen-libs.x86_64 0:4.13.1-9.8.2.xcpng8.2
xen-tools.x86_64 0:4.13.1-9.8.2.xcpng8.2
xenopsd.x86_64 0:0.150.2-1.1.xcpng8.2
xenopsd-cli.x86_64 0:0.150.2-1.1.xcpng8.2
xenopsd-xc.x86_64 0:0.150.2-1.1.xcpng8.2
Complete!
-
@stormi Same here. Updated my three host playlab (8.2.0 fully patched) with no problem. Starting, stopping, migrating (running/stopped) VMs, storage migration (local, shared SR), creating/snapshotting/deleting VMs (Linux only) worked as well as backup and restore (of one VM). Looks good.
-
@stormi I've updated my R620 running XCP-ng 8.2, and the only issue I've observed thus far is the network slowdown that we've been discussing elsewhere.
I need to rebuild the kernel again without the one patch. Has there been any feedback / response from the Xen group?
-
@danp I haven't contacted them globally though I asked a developer individually for guidance on how to move on. My issue is: we do know that for some users there's a performance impact and it's related to the kernel updates, but the results of the tests don't reveal yet the exact updates or patches that are involved, or not for everyone (though the one you found looks definitely a good candidate to explain at least parts of the slowdown). And I want to see where @fohdeesha's attempt at helping everyone get better perfs will lead.
(but let's continue on the dedicated thread)
-
Thanks for all the tests. The security updates have been pushed: https://xcp-ng.org/blog/2020/12/18/december-2020-security-updates/
-
New security update for XCP-ng 8.2 only
See https://xcp-ng.org/forum/post/35658
The interesting story about this one is that it was first reported and debugged on this forum, on the thread linked just above, without us knowing that it would be identified as a security (DoS) issue by Xen developers when we'd report it to them.
Please install it, reboot, and as usual check for any obvious regressions.
-
@stormi Cannot speak for the issue solved, but upgrading my three host playlab from XCP-ng 8.2 fully patched worked as well as create, live / storage migrate, copy, delete, snapshot (with/without ram), backup and restore of Linux and Windows 10 VMs. Nice upstream, downstream and forum work.