-
Update published: https://xcp-ng.org/blog/2025/03/12/march-2025-security-and-maintenance-update-for-xcp-ng-8-2-lts/
Thank you for the tests!
-
New security update candidates for you to test!
Yet more vulnerabilities in Intel hardware, addressed in two complementary ways: patching Xen and updating Intel microcode.
Together with this security update, we will also publish a patched XAPI to fix a minor issue with information reporting from VM to hypervisor.
Test on XCP-ng 8.2
From an up-to-date host:
yum clean metadata --enablerepo=xcp-ng-candidates
yum update --enablerepo=xcp-ng-candidates
reboot
The usual update rules apply: pool coordinator first, etc.
Versions
- microcode_ctl: 2.1-26.xs29.8.xcpng8.2 (weird identifier for historical reasons, but that's actually Intel microcode published by them yesterday)
- xen: 4.13.5-9.49.1.xcpng8.2
- xapi: 1.249.41-1.2.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~24h. That's an urgent one.
-
Installed and seems to be running fine so far on my test systems.
-
@stormi I needed an excuse to reboot all my hosts... Upgraded and running on stable pools. I see the Intel 11th gen new microcode. All working normally at this time.
-
Update published: https://xcp-ng.org/blog/2025/05/14/may-2025-security-update-for-xcp-ng-8-2-8-3/
Thank you for the tests.
-
Updated our own prod via XO RPU, everything is working fine
-
New update candidates for you to test!
A new batch of non-urgent updates is ready for user tests before a future collective release.
- openssh: Fix low priority CVE-2025-26465 DoS attack when VerifyHostKeyDNS is "yes" or "ask" (The default value has not changed: "no")
- samba: Fix vulnerabilities which are very unlikely to be exploitable on XCP-ng but are reported by security scanners.
- xcp-ng-release: This update adds a certificate to resolve a TLS handshake error, particularly when deploying XOA from CLI using curl.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot
The usual update rules apply: pool coordinator first, etc.
No specific steps for these updates for XOSTOR users.
Versions
- openssh: 7.4p1-23.3.2.xcpng8.2
- samba: 4.10.16-25.el7_9
- xcp-ng-release: 8.2.1-16
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
None defined, but early feedback is always better than late feedback, which is in turn better than no feedback
-
New security and maintenance update candidate
A new XSA (Xen Security Advisory) was published on the 1st of July, and an update to Xen addresses it. We also publish other non-urgent updates which we had in the pipe for the next release.
Security updates
- xen-*:
  - Fix XSA-470 - An unprivileged guest can cause a hypervisor crash, causing a Denial of Service (DoS) of the entire host.
Maintenance updates
- openssh: fix low priority CVE-2025-26465 DoS attack when VerifyHostKeyDNS is "yes" or "ask" (The default value has not changed: "no")
- samba: fix low priority CVEs on client side.
- xcp-ng-release: this update adds a certificate to resolve a TLS handshake error, particularly when deploying xoa.io.
Test on XCP-ng 8.2
yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot
The usual update rules apply: pool coordinator first, etc.
Versions:
- openssh: 7.4p1-23.3.2.xcpng8.2
- samba: 4.10.16-25.el7_9
- xcp-ng-release: 8.2.1-16
- xen: 4.13.5-9.49.2.xcpng8.2
What to test
Normal use and anything else you want to test.
Test window before official release of the updates
~2 days.
-
@gduperrey Installed and running on a few pools. Working correctly as expected.
-
Updates published: https://xcp-ng.org/blog/2025/07/03/july-2025-security-and-maintenance-update-for-xcp-ng-8-2-lts/
Thank you for the tests!
-
New security update candidate
A new XSA (Xen Security Advisory) was published on the 8th of July, and an update to Xen addresses it.
Security updates
- linux-firmware: Update to 20250626-1 as redistributed by XenServer.
- xen-*:
  - Fix XSA-471 - New speculative side-channel attacks have been discovered, affecting systems running all versions of Xen and AMD Fam19h CPUs (Zen3/4 microarchitectures). An attacker could infer data from other contexts. There are no current mitigations, but AMD is producing microcode to address the issue, and patches for Xen are available. These attacks, named Transitive Scheduler Attacks (TSA) by AMD, include CVE-2024-36350 (TSA-SQ) and CVE-2024-36357 (TSA-L1).
Test on XCP-ng 8.2
yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot
The usual update rules apply: pool coordinator first, etc.
Versions:
- linux-firmware: 20190314-11.3.xcpng8.2
- xen: 4.13.5-9.49.3.xcpng8.2
What to test
On Intel platform:
- Normal use and anything else you want to test.
On AMD platform zen3 or zen4:
- Normal use of course
- On a Linux guest, with cpuid installed, run the following command:
lscpu | grep -q AMD && lscpu | grep -qi "cpu family.* 25$" && [ $(($(cpuid -1 -r -l 0x80000021 | grep eax | sed -r 's/.*eax=([^ ]+) .*/\1/') & 0x20)) -eq 32 ] && echo OK
This should print OK if your system is protected against XSA-471.
Test window before official release of the updates
~3 days.
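
The guest-side XSA-471 check from the post above, rewritten as an added example (not part of the original post or of XCP-ng's tooling) so that it reports which step fails instead of printing nothing. The function name `check_tsa_bit`, its status words and the sample inputs are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the post): diagnostic form of the XSA-471 guest check.
# check_tsa_bit and its status words are hypothetical names.

# check_tsa_bit LSCPU_TEXT CPUID_TEXT -> prints a status word, returns 0 only for OK
check_tsa_bit() {
    tsa_lscpu=$1
    tsa_cpuid=$2

    # Same vendor and family tests as the one-liner (family 25 is Fam19h, Zen3/4).
    if ! printf '%s\n' "$tsa_lscpu" | grep -q AMD; then
        echo NOT_AMD; return 2
    fi
    if ! printf '%s\n' "$tsa_lscpu" | grep -qi 'cpu family.* 25$'; then
        echo NOT_FAM19H; return 2
    fi

    # EAX of leaf 0x80000021, taken from the first line that carries it.
    tsa_eax=$(printf '%s\n' "$tsa_cpuid" |
        sed -n -E 's/.*eax=(0x[0-9a-fA-F]+) .*/\1/p' | head -n 1)
    if [ -z "$tsa_eax" ]; then
        echo NO_CPUID_DATA; return 3    # cpuid missing or leaf not reported
    fi

    # Mask 0x20 is the bit the one-liner tests.
    if [ $(( $tsa_eax & 0x20 )) -eq 32 ]; then
        echo OK; return 0
    fi
    echo BIT_CLEAR; return 1
}

# Constructed sample inputs, not captured from a real host.
SAMPLE_LSCPU='Vendor ID:             AuthenticAMD
CPU family:            25'
SAMPLE_CPUID_SET='CPU:
   0x80000021 0x00: eax=0x00000065 ebx=0x00000000 ecx=0x00000000 edx=0x00000000'
SAMPLE_CPUID_CLEAR='CPU:
   0x80000021 0x00: eax=0x00000045 ebx=0x00000000 ecx=0x00000000 edx=0x00000000'

check_tsa_bit "$SAMPLE_LSCPU" "$SAMPLE_CPUID_SET" || true
check_tsa_bit "$SAMPLE_LSCPU" "$SAMPLE_CPUID_CLEAR" || true
# On a real guest: check_tsa_bit "$(lscpu)" "$(cpuid -1 -r -l 0x80000021 2>/dev/null)"
```

A result of `BIT_CLEAR` on a Zen3/4 guest is the case where the original one-liner stays silent; `NO_CPUID_DATA` usually means the `cpuid` package is not installed in the guest.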