    XCP-ng 8.2 updates announcements and testing

      gduperrey Vates 🪐 XCP-ng Team

      New security update candidates (xen, linux-firmware, edk2, xapi)

      Xen and XAPI are being updated to mitigate some vulnerabilities:

      • XSA-410: Two privileged users in two guest VMs, in collaboration, can crash the host or make it unresponsive.
      • XSA-411: Correct a flaw in XSA-226 that allows DoS attacks from guest kernels to harm the whole system.
      • XSA-413: The management service on the host can become unresponsive or crash by the means of an unauthenticated user on the management network.

      In this release, there are also the following fixes and improvements:

      • XAPI, issues resolved:

        • When you had an active VIF connected on dom0, you couldn't delete that VIF or the associated network, including VLAN.
        • When certificates contain the \r character, the xe host-get-server-certificate command can incorrectly output it.
      • xen, linux-firmware, edk2:

        • Issues resolved:
          • Sometimes a VM freezes when a graphics-intensive application runs
          • Sometimes guest UEFI firmware hangs
        • Improvements:
          • AMD microcode is updated to version 2022-09-30
          • Improvements to Xen diagnostics.

      Test on XCP-ng 8.2

      From an up to date host:

      yum clean metadata --enablerepo=xcp-ng-testing
      yum update edk2 linux-firmware xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools forkexecd message-switch xapi-core xapi-tests xapi-xe xcp-rrdd xenopsd xenopsd-cli xenopsd-xc --enablerepo=xcp-ng-testing
      reboot
      

      Versions:

      • edk2-20180522git4b8552d-1.4.6.xcpng8.2
      • linux-firmware-20190314-5.xcpng8.2
      • xen-*: 4.13.4-9.26.1.xcpng8.2
      • forkexecd-1.18.1-1.1.xcpng8.2
      • message-switch-1.23.2-3.2.xcpng8.2
      • xapi-*: 1.249.26-2.1.xcpng8.2
      • xcp-rrdd-1.33.0-6.1.xcpng8.2
      • xenopsd-*: 0.150.12-1.2.xcpng8.2

      What to test

      Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

      Test window before official release of the updates

      ~2 days.

        JeffBerntsen Top contributor @gduperrey

        @gduperrey
        Installed on my test lab systems, 2 very old AMD systems with shared NFS storage with a mix of different types of guests. All working so far.

          gskger Top contributor @gduperrey

          @gduperrey Update installed successfully on my 2 host playlab with shared NFS TrueNAS Core storage on a 10G network. Let's see how VM usage works during the next days.

            Andrew Top contributor @gduperrey

            @gduperrey So far, so good with normal operations.... I'm not affected by the issues but updated everything anyway (15 hosts). Intel Xeon, E5, Core 7th/10th/11th, AMD Opteron, AMD Zen3...

              gduperrey Vates 🪐 XCP-ng Team

              The update is published. Thanks for your tests!

              Blog post: https://xcp-ng.org/blog/2022/10/14/october-2022-security-update/

                gduperrey Vates 🪐 XCP-ng Team

                New security update candidates (xen)

                Xen is being updated to mitigate some vulnerabilities:

                • XSA-326: Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored.
                • XSA-419: Xenstore: Cooperating guests can create arbitrary numbers of nodes
                • XSA-414: A malicious guest can cause xenstored to crash, resulting in the inability to create new guests or to change the configuration of running guests.
                • XSA-415: Xenstore: Guests can create orphaned Xenstore nodes
                • XSA-416: Xenstore: Guests can cause Xenstore to not free temporary memory
                • XSA-417: Xenstore: Guests can get access to Xenstore nodes of deleted domains
                • XSA-418: Xenstore: Guests can crash xenstored via exhausting the stack
                • XSA-420: Oxenstored 32->31 bit integer truncation issues. A malicious or buggy guest can write a packet into the xenstore ring which causes 32-bit builds of oxenstored to busy loop.
                • XSA-421: Xenstore: Guests can create arbitrary number of nodes via transactions

                Test on XCP-ng 8.2

                From an up to date host:

                yum clean metadata --enablerepo=xcp-ng-testing
                yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
                reboot
                

                Versions:

                • xen-*: 4.13.4-9.27.1.xcpng8.2

                What to test

                Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

                Test window before official release of the updates

                ~2 days.

                  Andrew Top contributor @gduperrey

                  @gduperrey I upgraded my home/lab machines. One replication backup machine updated. No problems so far but I was not affected by any of the bugs.

                    olivierlambert Vates 🪐 Co-Founder CEO

                    Tested here, seems to work 👍

                      gskger Top contributor @gduperrey

                      @gduperrey Updated my playlab and did some basic tests (create, copy, snapshot, (live-) migrate VMs and disks). Looking good so far.

                        JeffBerntsen Top contributor @gduperrey

                        @gduperrey Tested and working in my lab as well. So far, so good...

                          gduperrey Vates 🪐 XCP-ng Team

                          The update is published. Thanks for your tests!
                          Blog post: https://xcp-ng.org/blog/2022/11/04/november-2022-security-update/

                            gskger Top contributor @gduperrey

                            @gduperrey Rolling update of my homelab through Xen Orchestra worked flawlessly. Thanks!

                              gduperrey Vates 🪐 XCP-ng Team

                              New update candidates (xen, microcode_ctl)

                              In this release, there are the following fixes and improvements:

                              • xen, microcode_ctl:
                                • Issues resolved: Minor bug fixes.
                                • Improvements: Intel microcode is updated to version IPU 2022.3.

                              Test on XCP-ng 8.2

                              From an up to date host:

                              yum clean metadata --enablerepo=xcp-ng-testing
                              yum update microcode_ctl xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
                              reboot
                              

                              Versions:

                              • xen-*: 4.13.4-9.28.1.xcpng8.2
                              • microcode_ctl: 2:2.1-26.xs23.xcpng8.2

                              What to test

                              Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

                              Test window before official release of the updates

                              No precise ETA, but the sooner the feedback the better.

                                olivierlambert Vates 🪐 Co-Founder CEO

                                Applied on my EPYC host at home. Nothing specific to report 🙂

                                  ravenet @gduperrey

                                  So far fine on an epyc 7002 and a xeon e5 v3

                                    Andrew Top contributor @gduperrey

                                    @gduperrey Installed on several old and new Intel machines. Working as expected.

                                      gskger Top contributor @gduperrey

                                      Updated my playlab and nothing to report. Looks good.

                                        stormi Vates 🪐 XCP-ng Team

                                        New security update candidate (kernel)

                                        The Linux kernel in XCP-ng's domain control is being updated to fix vulnerabilities which may allow a guest to crash the host or make it unresponsive. Even without a malicious attacker, users had reported such issues triggered by the Qlogic/Broadcom netxtreme 2 and the Cisco enic drivers.

                                        It also contains two fixes for issues that were debugged by the XCP-ng developers and the user community, and reported to XenServer developers at the time:

                                        • Samba shares failing to reconnect after an unexpected disconnection.
                                        • Display issue with Intel NUCs and other hardware, due to a bug in EFI Framebuffer support.

                                        Test on XCP-ng 8.2

                                        From an up to date host:

                                        yum clean metadata --enablerepo=xcp-ng-testing
                                        yum update kernel --enablerepo=xcp-ng-testing
                                        reboot
                                        

                                        Versions:

                                        • kernel: 4.19.19-7.0.15.1.xcpng8.2

                                        What to test

                                        Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

                                        Test window before official release of the updates

                                        ~2 days.

                                          olivierlambert Vates 🪐 Co-Founder CEO

                                          Tested and working on my local EPYC box 🙂

                                            gskger Top contributor @stormi

                                            Same on my playlab. Updated both hosts and no issues so far.

                                            1 Reply Last reply Reply Quote 1
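
A post-update check for the candidates announced in this thread, as an added example that is not part of any post: it compares "name version-release" lines (as printed by rpm -qa with the query format shown in the final comment) against the latest xen-* and kernel versions listed in the announcements above. The function names, the sample input and the use of GNU sort -V to approximate RPM version ordering are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the thread): flag packages still older than
# the versions announced above.

# Expected minimums, copied from the "Versions" lists in the posts above
# (latest xen-* candidate and the kernel candidate).
EXPECTED='xen-dom0-libs 4.13.4-9.28.1.xcpng8.2
xen-dom0-tools 4.13.4-9.28.1.xcpng8.2
xen-hypervisor 4.13.4-9.28.1.xcpng8.2
xen-libs 4.13.4-9.28.1.xcpng8.2
xen-tools 4.13.4-9.28.1.xcpng8.2
kernel 4.19.19-7.0.15.1.xcpng8.2'

# Constructed sample of "name version-release" lines (not real host output):
# xen-hypervisor was left at the previous candidate.
SAMPLE_INSTALLED='xen-dom0-libs 4.13.4-9.28.1.xcpng8.2
xen-dom0-tools 4.13.4-9.28.1.xcpng8.2
xen-hypervisor 4.13.4-9.27.1.xcpng8.2
xen-libs 4.13.4-9.28.1.xcpng8.2
xen-tools 4.13.4-9.28.1.xcpng8.2
kernel 4.19.19-7.0.15.1.xcpng8.2'

# version_ge A B: succeeds when A >= B. GNU "sort -V" is used as an
# approximation of RPM version ordering (assumption; no epoch handling).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# check_versions INSTALLED: prints one line per missing or outdated
# package and returns 1 if there is any, 0 otherwise.
check_versions() {
    local installed="$1" name want have rc=0
    while read -r name want; do
        have=$(printf '%s\n' "$installed" |
            awk -v n="$name" '$1 == n { print $2 }' | sort -V | tail -n 1)
        if [ -z "$have" ]; then
            echo "MISSING $name (expected >= $want)"; rc=1
        elif ! version_ge "$have" "$want"; then
            echo "OUTDATED $name $have (expected >= $want)"; rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# On a host: check_versions "$(rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n')"
check_versions "$SAMPLE_INSTALLED" || echo "host is not fully updated"
```

The check only covers installed package versions; the posts' reboot step is still needed for an updated hypervisor or kernel to be the one actually running.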