XCP-ng 8.3 updates announcements and testing

gduperrey

New update candidate for you to test!

A new non-urgent update is ready for user testing before a future collective release. Below are the details.

A bug was found in the Emergency Network Reset due to desynchronisation between xsconsole and XAPI. This issue prevented the Emergency Network Reset from working at all. This update includes the fixes from the upstream xsconsole project to fix it.

---

Maintenance updates

• xsconsole
  • Backport sync of network reset trigger file path with XAPI to fix emergency network reset
  • Backport fix for pool.conf IPv6 to avoid IPv6 truncation

Test on XCP-ng 8.3

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

Reboot is not strictly necessary, but the xsconsole instance running on the first virtual terminal of your host won't be restarted otherwise. If you do not reboot, make sure to start xsconsole from another terminal after the update.

The usual update rules apply: pool coordinator first, etc.

Versions:

• xsconsole: 11.0.8-1.2.xcpng8.3

What to test

Normal xsconsole usage, is still useful feedback. However, if possible, the most helpful test would be performing an Emergency Network Reset through xsconsole, making actual configuration changes and verifying that they are correctly applied after reboot.

Test window before official release of the updates

None defined, but early feedback is always better than late feedback, which is in turn better than no feedback

gduperrey

New update candidate for you to test!

A new non-urgent update is ready for user testing before a future collective release. Below are the details.

---

Maintenance updates

• broadcom-bnxt-en: Update driver to version 1.10.3_232.0.155.5

Test on XCP-ng 8.3

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

A reboot is preferable to load the new version of the driver.

The usual update rules apply: pool coordinator first, etc.

Versions:

• broadcom-bnxt-en: 1.10.3_232.0.155.5-1.xcpng8.3

What to test

Normal use and anything else you want to test.

Test window before official release of the updates

None defined, but early feedback is always better than late feedback, which is in turn better than no feedback

gduperrey

Updates published: https://xcp-ng.org/blog/2025/09/01/september-2025-maintenance-update-for-xcp-ng-8-3/

Thank you for the tests!

manilx

@gduperrey Installed at HomeLab. No issues.
Running via
yum clean metadata ; yum update

john.c

@manilx said in XCP-ng 8.3 updates announcements and testing:

@gduperrey Installed at HomeLab. No issues.
Running via
yum clean metadata ; yum update

You must have been looking forward to this improvement for quite a while. Once it reaches the point where it can be rolled into production, your AMD Epyc servers will get to see a boost, the Linux guests any way.

manilx

@john.c Will apply to business EPYC servers right away

manilx

@john.c Updated our 2 production pools, with RPU.

RPU emptied the master, rebooted BUT then nothing else.
It should have moved all VM's to the other host, patched/rebooted and then migrating the VM's where they were.
This did not happen. I had to manually empty the other hosts, patch, reboot and migrate the VM's.

flakpyro

@gduperrey Installed on about 50 servers across various pools and remote sites. No issues. Ran a couple backup jobs as well which completed without issue.

Greg_E

@manilx

Once in a while my rpu will do this, then I handle it manually. Been happening more often since the 8.3 upgrade, but not enough to post about it yet since we are only a couple of updates into the LTS. Still watching though and will probably do this patch on wednesday.

Greg_E

I got my production system updated yesterday, no issues or oddities with the RPU.

I'm still surprised by how much faster the VMs migrate host to host than they did with 8.2.x, it's like a 4:1 or 5:1 change on my production system. Haven't had time to fool with my lab and see what's what.

gduperrey

New security update candidates for you to test!

News XSAs (Xen Security Advisory) were published on the 9th of September, and updates to Xen & XAPI address them.

• xapi:

  • Fix XSA-474 — A Denial of Service can be caused by buggy or malicious inputs to XAPI (CVE-2025-58146). There are several vulnerabilities identified in XAPI:
    • Input sanitisation mismatch in notifications — While updates to the XAPI database correctly sanitise input strings, the system generates notifications using the unsanitised version. This flaw causes the database’s event thread to crash, halting further processing.
    • Inconsistent UTF-8 handling — XAPI’s UTF-8 encoder follows version 3.0 of the Unicode specification, whereas some of the libraries it relies on enforce the stricter version 3.1 standard. As a result, certain strings may be accepted as valid UTF-8 by XAPI but rejected by other components. If such strings are entered into the database, the database can subsequently fail to load.
    • Lack of sanitisation in Map/Set updates — When updating Map/Set objects in the XAPI database, no sanitisation is applied to the inputs, which introduces additional risks.

• xen-*:

  • Fix XSA-472 — Potential risks include Denial of Service (DoS) impacting the whole host, information exposure, or escalation of privileges. There are several vulnerabilities associated with the way guest memory pages are handled and accessed in the Viridian code:
    • NULL pointer dereference during reference TSC area update — This issue occurs when the system tries to update the reference TSC area but encounters a NULL pointer. (CVE-2025-27466)
    • NULL pointer dereference when delivering synthetic timer messages — This happens if the code assumes the SIM page is already mapped when a synthetic timer message must be delivered. (CVE-2025-58142)
    • Race condition in reference TSC page mapping — A guest system can trigger Xen to release a memory page while it is still referenced in the guest’s physical-to-machine (p2m) page tables. (CVE-2025-58143)

Test on XCP-ng 8.3

yum clean metadata --enablerepo=xcp-ng-candidates
yum update --enablerepo=xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

Versions:

• xapi: 25.6.0-1.12.xcpng8.3
• xen: 4.17.5-15.3.xcpng8.3

What to test

Normal use and anything else you want to test.

Test window before official release of the updates

~2 days.

Andrew

@gduperrey 8.3 Pools updated and running. RPU worked 99%...failed with a host out of memory error on the last migrations (pool is N+2, so no reason). Single hosts are updated as usual.

flakpyro

@gduperrey Updated my usual test hosts, (Minisforum and Supermicro X11) as well as an two sets of 2 host AMD pools (one pool of HP DL320 Gen10s and another of Asus Epyc servers of some sort, and lastly a Dell R360 without issue.

ph7

@gduperrey
Ran updates on my old hosts
i7 gen4 and ryzen5
nothing exploded yet after ~10h of "testing"

bufanda

@gduperrey Installed on my Lab-Pool with teo HP EliteDesk 800 G3's no issues during and after upgrade. migration, creating, and deleteing of VMs wihtout issues too.

gduperrey

Updates published: https://xcp-ng.org/blog/2025/09/11/september-2025-security-update-for-xcp-ng-8-3-lts/

Thank you for the tests!

manilx

@gduperrey Installed @home and @business. RPU had no issues this time.

marcoi

updated on my three servers no issues.

Greg_E

@gduperrey

Nothing really to add, my 3 host Intel production pool updated just fine. The load balancer is always a little weird, but I'm sure it is calculated based on CPU and RAM assigned to each VM, where I split things up based on workload.

It's a small system, and the real workload is handled by 3 Windows VMs so I tend to split them up onto one of the three hosts.

I may get to my lab in the next couple of days, but it isn't doing work so testing is kind of pointless right now. The only thing "doing work" is a VM with XO from sources.