-
New updates (xen, Intel & AMD microcode)
- Update the Intel microcode for the "IPU 2022.1" vulnerability (and other vulnerabilities and bugs)
- "A potential security vulnerability in some Intel
Processors may allow information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability." - See https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00617.html
- "A potential security vulnerability in some Intel
- Update AMD microcode for Fam17h and Fam19h
- Citrix also released an update for Xen. As we had already anticipated the patches they added (that fixed regressions introduced by the fixes to the XSA-400 vulnerabilities), it does not change anything for XCP-ng. We synced our RPM with theirs anyway to make future updates easier.
Citrix' hotfix: https://support.citrix.com/article/CTX459703
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing yum update microcode_ctl linux-firmware "xen-*" --enablerepo=xcp-ng-testing rebootVersions:
- xen-*: 4.13.4-9.22.1.xcpng8.2
- microcode_ctl: 2:2.1-26.xs21.xcpng8.2
- linux-firmware: 20190314-4.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~3 days.
- Update the Intel microcode for the "IPU 2022.1" vulnerability (and other vulnerabilities and bugs)
-
@gduperrey It's working for me, but my CPUs are not covered by the update. Normal operations seem normal.
-
@gduperrey Seems fine here as well under basic usage.
-
@gduperrey Skylake-S Xeon here w/o patched bios, works fine so far.
edit: double checked /proc/cpuinfo, seems the ucode update is applying correctly, so, yeah, it worked.
-
Tested on my EPYC test bench (so not really relevant), but at least nothing broke
-
@gduperrey Updated my two host playlab (Dell Optiplex 9010, Intel i5-3550 CPU). Everything works as expected, but I doubt my CPUs are relevant for the update either.
I have a strange
INTERNAL_ERROR((Failure "Expected string, got 'N'"))error with Xen Orchestra (from 3rd party script update to commita1bcd) when creating a new Debian 11 VM as part of my test procedure, but I could continue with XCP-ng Center. Just found and will follow xoce INTERNAL_ERROR while trying to create VM. -
Yes, it's likely unrelated
Thanks for the report @gskger ! -
Update released. Thanks everyone for testing!
https://xcp-ng.org/blog/2022/05/16/may-2022-security-update/
-
New update candidate: uefistored
As microsoft.com recently blocked the user agent our
secureboot-certsscript uses to download UEFI Secure Boot certificates from them, we took the following actions:- Documented how to download and install the certificates manually: https://xcp-ng.org/docs/guides.html#install-the-default-uefi-certificates-manually
- Changed the user agent in
secureboot-certsto make the automated download and installation possible again. - Added a new
--user-agentparameter tosecureboot-certs installto let you override the default easily in case of future need. - Improved the error message in case of download failure to 1. let users know about the
--user-agentparameter and 2. provide the link towards the manual installation instructions.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing yum update uefistored --enablerepo=xcp-ng-testingNo toolstack restart or reboot needed.
Versions:
- uefistored: 1.1.5-1.xcpng8.2.x86_64
What to test
UEFI VMs. Secure Boot. Installation of certificates using
secureboot-certs install: manual install, automated install with default user agent, automated install with--user-agentparameter.Test window before official release of the updates
~ 1 week. Maybe more if it allows to synchronise with other updates not too far in the future.
-
@stormi It installs and runs....
The "help" does not mention the user-agent option.
-
@Andrew That's because
installis a sub-command:secureboot-certs install -h.Anyway, if download fails (you can test by using "test" as the user agent for example), the option will be mentioned.
-
To me, this
uefistoredupdate is ready, but I'll group it with the next updates.Test feedback remains welcome.
-
New security update (xen)
Impact: when the conditions are met (roughly: CPU Model, PV guest + PCI passthrough or race condition exploitation), an attacker in a malicious VM may escalate privilege and control the whole host.
Upstream (Xen project) references: XSA-401 and XSA-402
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing rebootVersions:
- xen-*: 4.13.4-9.22.2.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
-
@stormi Update worked fine and no problems so far. Did the usual tests to create, move, snapshot, backup and restored some Linux and Windows VMs.
-
@stormi I've had it running for 24 hours on several active machines doing the usual jobs. Seems good.
-
Same here
-
Update released (xen + uefistored). Thanks for your tests!
Blog: https://xcp-ng.org/blog/2022/06/13/june-security-update-1/
-
New security update (xen, Intel CPUs)
Xen is being updated to mitigate hardware vulnerabilities in Intel CPUs.
- Upstream (Xen project) advisory: XSA-404
- Citrix Hypervisor Security Bulletin (which also covers vulnerabilities that we already fixed in the previous update): https://support.citrix.com/article/CTX460064/citrix-hypervisor-security-update
Impact of the vulnerabilities - I'll quote Citrix' security team here: "may allow code inside a guest VM to access very small sections of memory data that are actively being used elsewhere on the system"
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing rebootVersions:
- xen-*: 4.13.4-9.23.1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
-
@stormi
This seems to be working well on my test pool. -
Same here
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login