-
@gduperrey Installed and running on active pools.
-
Tested internally here, working as expected
-
Seems to be working well on my test servers.
-
We have identified an issue related to Xostor and HA management in the
http-nbd-transfer-1.4.0-1.xcpng8.2package. We therefore prefer to remove it from these updates while waiting for a future corrected version.For those who have tested these updates and who have Xostor on their test pool, we invite you to downgrade this package to version 1.3.0 with the following command:
yum downgrade http-nbd-transfer -
@gduperrey, that doesn't seem to work for me. I receive an error from yum:
No Match for available package: http-nbd-transfer-1.3.0-1.xcpng8.2.x86_64
Nothing to do -
@JeffBerntsen Do you have XOSTOR on the pool?
-
Update published: https://xcp-ng.org/blog/2024/11/15/november-2024-security-and-maintenance-update-for-xcp-ng-8-2-lts/
Thank you for the tests!
-
@stormi said in XCP-ng 8.2 updates announcements and testing:
@JeffBerntsen Do you have XOSTOR on the pool?
Not yet, but was planning to add it to this test pool so thought I should downgrade beforehand. Does that particular patch only apply to systems with XOSTOR already installed?
-
This package is installed by Xostor. If you have not installed it yet, it is not present on the system and has not been updated.
The right package, in the right version, will be installed when you will install Xostor to test it. -
@gduperrey, I suspected that was the case after seeing that message but wanted to make sure. Thanks!
-
New update candidates for you to test!
A new batch of non-urgent updates is ready for user tests before a future collective release. Below are the details about these.
iperf3: Upgrade to version 3.9-13 from CentOS 7- Includes a security fix for CVE-2023-38403
kernel: Backport of a fix to correct cooling fan rotation speed on some Lenovo servers. For more information, you can read this thread on the forum.linux-firmware: Update AMD microcode to the 2024-11-21 drop- Updates firmware for families 17h and 19h CPUs
netdata: Fixed an issue that could occur when quickly uninstalling the package, right after an unfinished installation, and leave a service in an undetermined status.openssh:- Synchronized with hotfix XS82ECU1072 from Citrix.
- Security fix for CVE-2024-6387
socat: Update the package to version1.7.4.1which includes a fix for a buffer overflow and security fixes.sudo: Synchronized with hotfix XS82ECU1072 from Citrix.intel-igc: This driver replacesigc-moduleto maintain consistency with the change made in this direction in 8.3.
vendor-drivers: Updated to pullintel-igcinstead ofigc-module, following the package renaming.xcp-ng-deps: Addedvim-minimalas a dependency, so it is always present on XCP-ng systems.xcp-ng-release:- Synchronized with hotfix XS82ECU1072 from Citrix.
- Upstream changelog: "Start dhclient on iSCSI BFS interfaces".
xenserver-status-report:- Synchronized with hotfix XS82ECU1072 from Citrix.
- Update from version
1.3.16-3to1.3.17
Optional packages:
- Alternate Driver: Updated to newer version.
broadcom-bnxt-en-alt: From version 1.10.2_227.0.130.0 to 1.10.3_231.0.162.0- More information about drivers and current versions is on the drivers page: (https://github.com/xcp-ng/xcp/wiki/Drivers).
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing yum update --enablerepo=xcp-ng-testing rebootThe usual update rules apply: pool coordinator first, etc.
Versions
intel-igc: 5.10.214-3.1.xcpng8.2iperf3: 3.9-13.xcpng8.2kernel: 4.19.19-7.0.23.2.xcpng8.2linux-firmware: 20190314-11.2.xcpng8.2netdata: 1.19.0-6.xcpng8.2openssh: 7.4p1-23.3.1.xcpng8.2socat: 1.7.4.1-6.xcpng8.2sudo: 1.9.15-4.1.xcpng8.2vendor-drivers: 1.0.2-1.7.xcpng8.2xcp-ng-deps: 8.2.0-13xcp-ng-release: 8.2.1-14xenserver-status-report: 1.3.17-1.xcpng8.2
Optional packages:
- Alternate drivers:
broadcom-bnxt-en-alt: 1.10.3_231.0.162.0-1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
None defined, but early feedback is always better than late feedback, which is in turn better than no feedback
-
Installed and seems to be working well on my test systems.
-
@gduperrey Updates installed and working on busy hosts/pools.
-
Hi all,
A little while ago XSA-466 came out. I couldn't find this on the forum / blog and would like to double-check whether xcp-ng is still vulnerable or not.
The post is here: https://xenbits.xen.org/xsa/advisory-466.html
I believe the fix for this would need to be in the xcp-ng host kernel?
Cheers!
Niels -
Hello @NielsH, no, that XSA is on the guest side, the fixes will be in the kernel used by the guest, unless we missed something, there is currently nothing to be done on the host kernel side.
-
@bleader said in XCP-ng 8.2 updates announcements and testing:
Hello @NielsH, no, that XSA is on the guest side, the fixes will be in the kernel used by the guest, unless we missed something, there is currently nothing to be done on the host kernel side.
Hi @bleader
Thanks for your response!As these vulnerabilities are sometimes very unclear impact-wise; could you perhaps clarify for me:
Does this mean an untrusted VM, that chooses not to run this kernel, could potentially cause harm for the host or to other VMs?Or is the impact only within the context of the VM, i.e. guest user processes might be able to read data from other processes only inside that VM?
Thanks again!
-
To be honnest, I'm unsure, generally the XSAs have pretty clear impact description, here it just states:
resulting in e.g. guest user processes
being able to read data they ought not have access to.No detail here if that's only inside the guest or if it could maybe reach data outside its domain scope. So I would not be able to say, but generally it is pretty clear in XSAs when there is a risk of accessing other guests data, my assumption would be that this is only inside the guest domain.
-
@bleader I'll guess it's a VM guest process to process memory issue as the Xen patch is just for documentation of the issue.
The patch to Xen is simply a documentation update to clarify that an OS author might not want to use a hypercall page.
