Updates announcements and testing
-
Tested and working here
-
@gduperrey Applicable to 8.3?
-
@gduperrey Successfully updated my two host pool. Let's see how the weekend goes with some tests.
-
@JamesG No, it's just for XCP-ng 8.2
-
The updates have been published; thank you for testing them out.
https://xcp-ng.org/blog/2024/03/29/march-2024-maintenance-update/
-
New security update candidate (xen)
Three new XSAs were published on 9th of April.
Notes:
- XSA-456 was published on various public mailing lists but its entry is not yet on the xenbits page, hence the different link for this one.
- XSA descriptions to be completed later, early posting to provide more chances to run tests before final release.
- XSA-454 impacts all hosts running HVM or PVH guests on x86_64, therefore all supported architectures on XCP-ng.
- XSA-455 relates to XSA-407 (Branch Type Confusion) having a logical error, check its VULNERABLE SYSTEMS section for impacted systems.
- XSA-456 should only impact Intel CPUs as it is understood at this time.
SECURITY UPDATES
xen-*:
- Fix XSA-454 - x86 HVM hypercalls may trigger Xen bug check. HVM and PVH guests can DoS a host in some cases by calling 32-bit-mode hypercalls with parameters that lead the hypercall sanity checks to trigger a crash.
- Fix XSA-455 - x86: Incorrect logic for BTC/SRSO mitigations. The fix for XSA-407 was not properly applied, meaning an attacker could be able to infer memory from the host or other guests. All versions since 4.13.4-9.24.1 are vulnerable.
- Fix XSA-456 - x86: Native Branch History Injection. An attacker could infer memory of the host or other guests by using the Native Branch History Injection flaw. This is an evolution of Spectre-BHB which was previously considered not to be a risk for Xen.
Test on XCP-ng 8.2
```
yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" --enablerepo=xcp-ng-testing
reboot
```
The usual update rules apply: pool coordinator first, etc.
Versions:
xen: 4.13.5-9.40.1.xcpng8.2
What to test
Normal use and anything else you want to test.
Test window before official release of the updates
~1 day because of security updates.
-
@bleader Did they get published to the right directory? I don't see anything in testing (stuff is in incoming).
-
My bad, we were a bit late and I tried to be quick and forgot to move it... Just did that, should be good soon, it needs some time to sync repos.
-
Tested in my home lab, no explosion
-
@bleader Updated my homelab without any issues
-
@bleader Seems to be running just fine on my test servers as well.
-
@bleader Installed and running.
-
Now live. Thanks everyone!
https://xcp-ng.org/blog/2024/04/13/april-2024-security-update/