-
New security update candidates for XCP-ng 8.2 LTS (xen, microcode_ctl)
Two new XSAs were published on November 12th 2024.
Intel published a microcode update on the November 12th 2024.NOTE: This was published soon after the previous testing updates, therefore, we did not publish the previous and everything will be published altogether.
- XSA-463 an unprivileged guest making two quick accesses to the VGA memory can deadlock a host.
- XSA-464 an unprivileged PVH guest may access sensitive information from the host, control domain or other guests.
SECURITY UPDATES
xen-*:- Fix XSA-463 - Deadlock in x86 HVM standard VGA handling. A mistake in the locking of process of the "standard" VGA memory makes it possible for a guest to make 2 quick accesses and create a deadlock that will hang the host.
- Fix XSA-464 - libxl leaks data to PVH guests via ACPI tables. The ACPI tables for PVH guests initialization left the excess memory space with its previous content, which was then copied to the guest memory as it was, resulting in possible leak of sensitive information. This doesn't affect XCP-ng in its normal configuration, as only HVM and PV-in-PVH (not affected) guests are supported.
microcode_ctl:- Latest Intel microcode update, published on November the 12th:
- Security updates for INTEL-SA-01101
- Security updates for INTEL-SA-01079
- Updated security updates for INTEL-SA-01097
- Updated security updates for INTEL-SA-01103
- Multiple other updates for functional issues.
- Latest Intel microcode update, published on November the 12th:
Test on XCP-ng 8.2
Install all the current update candidates: the ones we already made users test to prepare for the next train of updates, and the new ones which fix security vulnerabilities. We will release them all together.
yum clean metadata --enablerepo=xcp-ng-candidates,xcp-ng-testing yum update --enablerepo=xcp-ng-candidates,xcp-ng-testing rebootThe usual update rules apply: pool coordinator first, etc.
Versions:
Security updates:
xen: 4.13.5-9.45.1.xcpng8.2microcode_ctl: 2.1-26.xs29.6.xcpng8.2
The rest of the packages is described in the previous update candidate announcement.
What to test
Normal use and anything else you want to test.
Test window before official release of the update
~ 2 days because of security updates.
-
We also need you to test updates for XCP-ng 8.3. I created a new thread dedicated to XCP-ng 8.3, and renamed this present thread to make it dedicated to XCP-ng 8.2.
Please ensure you follow the new thread if you plan to help on testing XCP-ng 8.3.
New thread: https://xcp-ng.org/forum/topic/9964/xcp-ng-8-3-updates-announcements-and-testing
-
@gduperrey Installed and running on active pools.
-
Tested internally here, working as expected
-
Seems to be working well on my test servers.
-
We have identified an issue related to Xostor and HA management in the
http-nbd-transfer-1.4.0-1.xcpng8.2package. We therefore prefer to remove it from these updates while waiting for a future corrected version.For those who have tested these updates and who have Xostor on their test pool, we invite you to downgrade this package to version 1.3.0 with the following command:
yum downgrade http-nbd-transfer -
@gduperrey, that doesn't seem to work for me. I receive an error from yum:
No Match for available package: http-nbd-transfer-1.3.0-1.xcpng8.2.x86_64
Nothing to do -
@JeffBerntsen Do you have XOSTOR on the pool?
-
Update published: https://xcp-ng.org/blog/2024/11/15/november-2024-security-and-maintenance-update-for-xcp-ng-8-2-lts/
Thank you for the tests!
-
@stormi said in XCP-ng 8.2 updates announcements and testing:
@JeffBerntsen Do you have XOSTOR on the pool?
Not yet, but was planning to add it to this test pool so thought I should downgrade beforehand. Does that particular patch only apply to systems with XOSTOR already installed?
-
This package is installed by Xostor. If you have not installed it yet, it is not present on the system and has not been updated.
The right package, in the right version, will be installed when you will install Xostor to test it. -
@gduperrey, I suspected that was the case after seeing that message but wanted to make sure. Thanks!
-
New update candidates for you to test!
A new batch of non-urgent updates is ready for user tests before a future collective release. Below are the details about these.
iperf3: Upgrade to version 3.9-13 from CentOS 7- Includes a security fix for CVE-2023-38403
kernel: Backport of a fix to correct cooling fan rotation speed on some Lenovo servers. For more information, you can read this thread on the forum.linux-firmware: Update AMD microcode to the 2024-11-21 drop- Updates firmware for families 17h and 19h CPUs
netdata: Fixed an issue that could occur when quickly uninstalling the package, right after an unfinished installation, and leave a service in an undetermined status.openssh:- Synchronized with hotfix XS82ECU1072 from Citrix.
- Security fix for CVE-2024-6387
socat: Update the package to version1.7.4.1which includes a fix for a buffer overflow and security fixes.sudo: Synchronized with hotfix XS82ECU1072 from Citrix.intel-igc: This driver replacesigc-moduleto maintain consistency with the change made in this direction in 8.3.
vendor-drivers: Updated to pullintel-igcinstead ofigc-module, following the package renaming.xcp-ng-deps: Addedvim-minimalas a dependency, so it is always present on XCP-ng systems.xcp-ng-release:- Synchronized with hotfix XS82ECU1072 from Citrix.
- Upstream changelog: "Start dhclient on iSCSI BFS interfaces".
xenserver-status-report:- Synchronized with hotfix XS82ECU1072 from Citrix.
- Update from version
1.3.16-3to1.3.17
Optional packages:
- Alternate Driver: Updated to newer version.
broadcom-bnxt-en-alt: From version 1.10.2_227.0.130.0 to 1.10.3_231.0.162.0- More information about drivers and current versions is on the drivers page: (https://github.com/xcp-ng/xcp/wiki/Drivers).
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing yum update --enablerepo=xcp-ng-testing rebootThe usual update rules apply: pool coordinator first, etc.
Versions
intel-igc: 5.10.214-3.1.xcpng8.2iperf3: 3.9-13.xcpng8.2kernel: 4.19.19-7.0.23.2.xcpng8.2linux-firmware: 20190314-11.2.xcpng8.2netdata: 1.19.0-6.xcpng8.2openssh: 7.4p1-23.3.1.xcpng8.2socat: 1.7.4.1-6.xcpng8.2sudo: 1.9.15-4.1.xcpng8.2vendor-drivers: 1.0.2-1.7.xcpng8.2xcp-ng-deps: 8.2.0-13xcp-ng-release: 8.2.1-14xenserver-status-report: 1.3.17-1.xcpng8.2
Optional packages:
- Alternate drivers:
broadcom-bnxt-en-alt: 1.10.3_231.0.162.0-1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
None defined, but early feedback is always better than late feedback, which is in turn better than no feedback
-
Installed and seems to be working well on my test systems.
-
@gduperrey Updates installed and working on busy hosts/pools.
-
Hi all,
A little while ago XSA-466 came out. I couldn't find this on the forum / blog and would like to double-check whether xcp-ng is still vulnerable or not.
The post is here: https://xenbits.xen.org/xsa/advisory-466.html
I believe the fix for this would need to be in the xcp-ng host kernel?
Cheers!
Niels -
Hello @NielsH, no, that XSA is on the guest side, the fixes will be in the kernel used by the guest, unless we missed something, there is currently nothing to be done on the host kernel side.
-
@bleader said in XCP-ng 8.2 updates announcements and testing:
Hello @NielsH, no, that XSA is on the guest side, the fixes will be in the kernel used by the guest, unless we missed something, there is currently nothing to be done on the host kernel side.
Hi @bleader
Thanks for your response!As these vulnerabilities are sometimes very unclear impact-wise; could you perhaps clarify for me:
Does this mean an untrusted VM, that chooses not to run this kernel, could potentially cause harm for the host or to other VMs?Or is the impact only within the context of the VM, i.e. guest user processes might be able to read data from other processes only inside that VM?
Thanks again!
-
To be honnest, I'm unsure, generally the XSAs have pretty clear impact description, here it just states:
resulting in e.g. guest user processes
being able to read data they ought not have access to.No detail here if that's only inside the guest or if it could maybe reach data outside its domain scope. So I would not be able to say, but generally it is pretty clear in XSAs when there is a risk of accessing other guests data, my assumption would be that this is only inside the guest domain.
-
@bleader I'll guess it's a VM guest process to process memory issue as the Xen patch is just for documentation of the issue.
The patch to Xen is simply a documentation update to clarify that an OS author might not want to use a hypercall page.
