-
Now live. Thanks everyone!
https://xcp-ng.org/blog/2024/04/13/april-2024-security-update/
-
New update candidates for you to test!
As you may know, we group non-urgent updates together for a collective release, in order not to cause unnecessary maintenance for our users.
The moment to release such a batch has come, grouped with a recent security fix, so here they are, ready for user tests before the final release.
- qemu: security fix to protect hosts from DoS that can be caused by a malicious administrator of a guest (XenServer security bulletin)
- openssh: rebased on CentOS 7's
openssh-7.4p1-23.el7_9
to fix various CVEs. The update also changes the way default ciphers and algorithms are set. See dedicated section below. - curl: updated to version 8.6.0 + patches, to fix several CVEs. Note: in XCP-ng, curl is mostly used by yum for downloading RPMs when updating hosts.
- sudo: updated to a recent release to fix some CVEs (none critical in the context of XCP-ng as far as we can tell)
- Note : XenServer published updates for openssh, curl and sudo together as hotfix XS82ECU1063, whose only description is "This hotfix includes upstream code changes that may reduce false-positive reports for the following CVEs: CVE-2023-38545, CVE-2023-48795 and CVE-2023-28486." We are not sure what this "false-positive reports" statement means, but what appears to us is that anyway the CVEs fixed were clearly either not exploitable, or not critical, in the context of XCP-ng.
- microcode_ctl: updated to Intel's IPU 2024.2 release, + a fix to Gemini Lake 06-7a-01 for a regression that was introduced by IPU 2024.1 (see this forum thread and this one too)
- linux-firmware: updated AMD firmware to the 2024-05-03 drop. What fixes this contains exactly is not described.
- XAPI and related components: synced with Citrix Hypervisor hotfixes XS82ECU1064 and XS82ECU1053. Various fixes. Check the hotfixes descriptions.
- We also added a fix to make the small web server managed by XAPI report accurate mimetypes for files it serves. This is important for XO Lite (which is not installed by default on XCP-ng 8.2, but can be if you need it).
- tzdata: updated timezone data.
- sm: adds the new
largeblock
storage driver, which is a local SR driver which workarounds the current limitation our storage stack has with 4KiB-block-only devices, by transparently emulating a 512B block size (at some performance cost, obviously). More about it in this forum thread.- Also rebased on Citrix Hypervisor's hotfix XS82ECU1065
About OpenSSH, Ciphers and algorithms
To ensure that the lists of authorized Ciphers, algorithms, etc., defined by XenServer's security team are applied, XenServer packagers had decided that any change they had to make would plainly overwrite
/etc/ssh/sshd_config
and/etc/ssh/ssh_config
. Although we discourage customizing XCP-ng's configuration too far, we didn't think it would be acceptable for our users than these files be overwritten without any notice.So we looked for another approach, and decided for this: we don't define these keys (
Ciphers
,MACs
,KexAlgorithms
,HostKeyAlgorithms
) in the configuration files anymore. Now, we define them at build time, directly in the built binaries.If you need to override them, you can still do so in the configuration files. But then this means you become responsible of their future update, whenever a cipher or algorithm starts being considered weak, as this will override the built-in settings defined by our security team.
The update process will attempt to be smart and will remove the definition of the above keys from
/etc/ssh/sshd_config
and/etc/ssh/ssh_config
, but only if you had not touched these lines. If you have brought customizations to these keys, then we will leave them as they were. In this case, this means that any future change our security team may make to the built-in values will not be applied to your hosts, because your changes in the configuration files will override the built-ins.. If you are in this situation, you have to choose: either remove these lines manually, or make sure you keep them updated by yourself according to your security policy.You can check what configuration is applied to your instance of
sshd
with:sshd -T
.Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates reboot
The usual update rules apply: pool coordinator first, etc.
Versions
List based on source RPMs, which can differ from actual built RPMs (for example, the
xapi
source RPM, when built, producesxapi-core
,xapi-xe
andxapi-tests
).- curl-8.6.0-2.1.xcpng8.2
- forkexecd-1.18.3-10.1.xcpng8.2
- gpumon-0.18.0-18.1.xcpng8.2
- linux-firmware-20190314-11.1.xcpng8.2
- message-switch-1.23.2-17.1.xcpng8.2
- microcode_ctl-2.1-26.xs29.2.xcpng8.2
- microsemi-smartpqi-alt-2.1.28_025-1.xcpng8.2
- ocaml-rrd-transport-1.16.1-15.1.xcpng8.2
- ocaml-rrdd-plugin-1.9.1-15.1.xcpng8.2
- ocaml-tapctl-1.5.1-15.1.xcpng8.2
- ocaml-xcp-idl-1.96.7-4.1.xcpng8.2
- ocaml-xen-api-client-1.9.0-18.1.xcpng8.2
- ocaml-xen-api-libs-transitional-2.25.6-7.1.xcpng8.2
- openssh-7.4p1-23.2.1.xcpng8.2
- qemu-4.2.1-4.6.4.1.xcpng8.2
- rrd2csv-1.2.6-15.1.xcpng8.2
- rrdd-plugins-1.10.9-12.1.xcpng8.2
- sm-2.30.8-12.2.xcpng8.2
- sm-cli-0.23.0-61.1.xcpng8.2
- squeezed-0.27.0-18.1.xcpng8.2
- sudo-1.9.15-2.1.xcpng8.2
- tzdata-2024a-1.el7
- varstored-guard-0.6.2-15.xcpng8.2
- vhd-tool-0.43.0-18.1.xcpng8.2
- wsproxy-1.12.0-19.xcpng8.2
- xapi-1.249.36-1.1.xcpng8.2
- xapi-nbd-1.11.0-17.1.xcpng8.2
- xapi-storage-11.19.0_sxm2-17.xcpng8.2
- xapi-storage-script-0.34.1-16.1.xcpng8.2
- xcp-networkd-0.56.2-15.xcpng8.2
- xcp-ng-release-8.2.1-11
- xcp-rrdd-1.33.4-4.1.xcpng8.2
- xenopsd-0.150.19-3.1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Extra attention to:
- SSH server, ciphers, configuration files
- checking downloads with curl
- sudo if you use it
Test window before official release of the updates
Release planned either on Friday 14th or Monday 17th.
-
Update done here in my home lab, no issue
-
Only one of my two systems will take the complete update, but that one is working just fine.
The other which I had used in the past as a test server for XOSTOR will not install the sm-2.30.8-12.1.xcpng8.2.x86_64 package looking for a dependency on sm-linstor and not finding it.
-
@JeffBerntsen Indeed, the update for XOSTOR is not ready yet. It will be before we release the updates, but I forgot about you testers
-
@stormi Not a problem. I just wanted to make sure I hadn't done something wrong. As it is, the system is working with all of the updates but that one in place.
-
@stormi Update went well on my two node homelab. VMs and basic operations work as expected. Let's see how things go over the next days. Keep up the good work!
-
@stormi Updated all my normal 8.2 systems updated. All working normally.
-
Thanks everyone for your tests!
We just published the updates: https://xcp-ng.org/blog/2024/06/17/june-2024-security-and-maintenance/
-
@stormi Are these going to be pushed to 8.3 or just part of the final release?
-
@CJ Everything that is relevant for XCP-ng 8.3 is either already built and ready to be pushed (you can pull from
xcp-ng-candidates
if you want it already), or being built/tested. -
New security update candidate (xen, xapi, xsconsole)
Two new XSAs were published on 16th of July.
- XSA-458 guests which have a multi-vector MSI capable device passed through to them can leverage the vulnerability.
- XSA-459 impacts systems running Xapi v3.249.x, which means any up to date XCP-ng 8.2. Note this requires heavy crafting and likely social engineering on the attacker side, see the XSA's "VULNERABLE SYSTEMS" section for more details.
SECURITY UPDATES
xen-*
:- Fix XSA-458 - double unlock in x86 guest IRQ handling. When passing through a multi-vector MSI capable device to a guest, an attacker could use an error handling path that could lead to the issue, no exploitations results have been ruled out: Denial of Service (DoS), crashes, information leaks, or elevation of privilege could all be possible.
xapi
,xsconsole
:- Fix XSA-459 - Xapi: Metadata injection attack against backup/restore functionality. A malicious guest can manipulate its disk to appear to be a metadata
backup, then having about a 50% chance of appearing ahead of a legitimate metadata backup. The more disks the guest has, the higher the chances of this happening are.
- Fix XSA-459 - Xapi: Metadata injection attack against backup/restore functionality. A malicious guest can manipulate its disk to appear to be a metadata
Test on XCP-ng 8.2
yum clean metadata --enablerepo=xcp-ng-testing yum update "xen-*" "xapi-*" xsconsole --enablerepo=xcp-ng-testing reboot
The usual update rules apply: pool coordinator first, etc.
Versions:
xen
: xen-4.13.5-9.40.2.xcpng8.2xapi
: xapi-1.249.36-1.2.xcpng8.2xsconsole
: xsconsole-10.1.13-1.2.xcpng8.2
What to test
Normal use and anything else you want to test.
Test window before official release of the update
~ 1 day because of security updates.
-
I suppose I need to be a bit more patient
No packages marked for update
-
I indeed forgot to wait for mirrors to sync before posting, my bad, should be good soon
-
@bleader Updated my two node homelab and everything seems to work as expected. Let's see how things go over the next days.
-
@bleader Updated an running on newer and older Intel machines. Running normally so far.
-
Tested in my own lab, no issues so far
-
Update published https://xcp-ng.org/blog/2024/07/18/july-2024-security-updates/
Thank you everyone for your tests!
-
@bleader 2 production polls updated via RPU without issues.
-
New security update candidates (xen, microcode_ctl)
A new XSA was published on August 14th 2024.
Intel published an updated microcode on August 13th 2024.
- XSA-460 passing through some PCI devices after guest creation could lead to any kind of security issue (DoS, privilege escalation, information leak,…) the actual risk depends on the systems and the devices passed through.
- XSA-461 some pass-through use cases when on one or more device when they share resources are actually not possible to be made secure. This XSA updates the Xen documentation to reflect that.
SECURITY UPDATES
xen-*
:- Fix XSA-460 - error handling in x86 IOMMU identity mapping. The handling of errors in the case of mapping Reserved Memory Regions was flawed, potentially keeping the mapping in place, this could allow guests to access memory region they should not be allowed to access. These mapping are typically used when doing pass-through of legacy USB emulation.
- Document XSA-461 - PCI device pass-through with shared resources Files. According to the Xen Project security team, PCI pass-through of devices that share ressources is not possible to be made safe. This updates the documentation to reflect it. Look at the "MITIGATION" section of the XSA for more information regarding the safe cases.
microcode_ctl
: Security updates from Intel:- INTEL-SA-01083
- INTEL-SA-01118
- INTEL-SA-01100
- INTEL-SA-01038
- INTEL-SA-01046
- Plus fixes for a lot of functional issues, see the Release Notes for more details.
Test on XCP-ng 8.2
yum clean metadata --enablerepo=xcp-ng-candidates yum update "xen-*" microcode_ctl --enablerepo=xcp-ng-candidates reboot
The usual update rules apply: pool coordinator first, etc.
Versions:
xen
: 4.13.5-9.40.3.xcpng8.2microcode_ctl
: 2.1-26.xs29.3.xcpng8.2
What to test
Normal use and anything else you want to test. Feedback about PCI pass-through is also welcome.
Test window before official release of the update
~ 2 day because of security updates.