-
Update published: https://xcp-ng.org/blog/2025/03/12/march-2025-security-and-maintenance-update-for-xcp-ng-8-2-lts/
Thank you for the tests!
-
New security update candidates for you to test!
Yet more vulnerabilities in Intel hardware, addressed in two complementary ways: patching Xen and updating Intel microcode.
Together with this security update, will also publish a patched XAPI to fix a minor issue with information reporting from VM to hypervisor.
Test on XCP-ng 8.2
From an up-to-date host:
yum clean metadata --enablerepo=xcp-ng-candidates yum update --enablerepo=xcp-ng-candidates rebootThe usual update rules apply: pool coordinator first, etc.
Versions
microcode_ctl: 2.1-26.xs29.8.xcpng8.2 (weird identifier for historical reasons, but that's actually Intel microcode published by them yesterday)xen: 4.13.5-9.49.1.xcpng8.2xapi: 1.249.41-1.2.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~24h. That's an urgent one.
-
Installed and seems to be running fine so far on my test systems.
-
@stormi I needed an excuse to reboot all my hosts... Upgraded and running on stable pools. I see the Intel 11th gen new microcode. All working normally at this time.
-
Update published: https://xcp-ng.org/blog/2025/05/14/may-2025-security-update-for-xcp-ng-8-2-8-3/
Thank your for the tests.
-
Updated our own prod via XO RPU, everything is working fine
-
New update candidates for you to test!
A new batch of non-urgent updates is ready for user tests before a future collective release.
openssh: Fix low priority CVE-2025-26465 DoS attack when VerifyHostKeyDNS is "yes" or "ask" (The Default value has not changed: "no")samba: Fix vulnerabilities which are very unlikely to be exploitable on XCP-ng but are reported by security scanners.xcp-ng-release: This update adds a certificate to resolve a TLS handshake error, particularly when deploying XOA from CLI usingcurl.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing yum update --enablerepo=xcp-ng-testing rebootThe usual update rules apply: pool coordinator first, etc.
No specific steps for these updates for XOSTOR users.
Versions
openssh: 7.4p1-23.3.2.xcpng8.2samba: 4.10.16-25.el7_9xcp-ng-release: 8.2.1-16
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
None defined, but early feedback is always better than late feedback, which is in turn better than no feedback
-
New security and maintenance update candidate
A new XSA (Xen Security Advisory) was published on the 1st of July, and an update to Xen addresses it. We also publish other non-urgent updates which we had in the pipe for the next release.
Security updates
xen-*:- Fix XSA-470 - An unprivileged guest can cause a hypervisor crash, causing a Denial of Service (DoS) of the entire host.
Maintenance updates
openssh: fix low priority CVE-2025-26465 DoS attack when VerifyHostKeyDNS is "yes" or "ask" (The Default value has not changed: "no")samba: fix low priority CVEs on client side.xcp-ng-release: this update adds a certificate to resolve a TLS handshake error, particularly when deploying xoa.io.
Test on XCP-ng 8.2
yum clean metadata --enablerepo=xcp-ng-testing yum update --enablerepo=xcp-ng-testing rebootThe usual update rules apply: pool coordinator first, etc.
Versions:
openssh: 7.4p1-23.3.2.xcpng8.2samba: 4.10.16-25.el7_9xcp-ng-release: 8.2.1-16xen: 4.13.5-9.49.2.xcpng8.2
What to test
Normal use and anything else you want to test.
Test window before official release of the updates
~2 days.
-
@gduperrey Installed and running on a few pools. Working correctly as expected.
-
Updates published: https://xcp-ng.org/blog/2025/07/03/july-2025-security-and-maintenance-update-for-xcp-ng-8-2-lts/
Thank you for the tests!
