XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    XCP-ng 8.2 updates announcements and testing

    Scheduled Pinned Locked Moved News
    715 Posts 67 Posters 1.6m Views 84 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A Online
      Andrew Top contributor @stormi
      last edited by

      @stormi I needed an excuse to reboot all my hosts... Upgraded and running on stable pools. I see the Intel 11th gen new microcode. All working normally at this time.

      1 Reply Last reply Reply Quote 2
      • bleaderB Offline
        bleader Vates πŸͺ XCP-ng Team
        last edited by

        Update published: https://xcp-ng.org/blog/2025/05/14/may-2025-security-update-for-xcp-ng-8-2-8-3/

        Thank your for the tests.

        1 Reply Last reply Reply Quote 3
        • olivierlambertO Offline
          olivierlambert Vates πŸͺ Co-Founder CEO
          last edited by

          Updated our own prod via XO RPU, everything is working fine πŸ™‚

          1 Reply Last reply Reply Quote 2
          • stormiS Offline
            stormi Vates πŸͺ XCP-ng Team
            last edited by stormi

            New update candidates for you to test!

            A new batch of non-urgent updates is ready for user tests before a future collective release.

            • openssh: Fix low priority CVE-2025-26465 DoS attack when VerifyHostKeyDNS is "yes" or "ask" (The Default value has not changed: "no")
            • samba: Fix vulnerabilities which are very unlikely to be exploitable on XCP-ng but are reported by security scanners.
            • xcp-ng-release: This update adds a certificate to resolve a TLS handshake error, particularly when deploying XOA from CLI using curl.

            Test on XCP-ng 8.2

            From an up to date host:

            yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

            The usual update rules apply: pool coordinator first, etc.

            No specific steps for these updates for XOSTOR users.

            Versions

            • openssh: 7.4p1-23.3.2.xcpng8.2
            • samba: 4.10.16-25.el7_9
            • xcp-ng-release: 8.2.1-16

            What to test

            Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

            Test window before official release of the updates

            None defined, but early feedback is always better than late feedback, which is in turn better than no feedback πŸ™‚

            1 Reply Last reply Reply Quote 3
            • gduperreyG Offline
              gduperrey Vates πŸͺ XCP-ng Team
              last edited by

              New security and maintenance update candidate

              A new XSA (Xen Security Advisory) was published on the 1st of July, and an update to Xen addresses it. We also publish other non-urgent updates which we had in the pipe for the next release.

              Security updates

              • xen-*:
                • Fix XSA-470 - An unprivileged guest can cause a hypervisor crash, causing a Denial of Service (DoS) of the entire host.

              Maintenance updates

              • openssh: fix low priority CVE-2025-26465 DoS attack when VerifyHostKeyDNS is "yes" or "ask" (The Default value has not changed: "no")
              • samba: fix low priority CVEs on client side.
              • xcp-ng-release: this update adds a certificate to resolve a TLS handshake error, particularly when deploying xoa.io.

              Test on XCP-ng 8.2

              yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

              The usual update rules apply: pool coordinator first, etc.

              Versions:

              • openssh: 7.4p1-23.3.2.xcpng8.2
              • samba: 4.10.16-25.el7_9
              • xcp-ng-release: 8.2.1-16
              • xen: 4.13.5-9.49.2.xcpng8.2

              What to test

              Normal use and anything else you want to test.

              Test window before official release of the updates

              ~2 days.

              A 1 Reply Last reply Reply Quote 1
              • A Online
                Andrew Top contributor @gduperrey
                last edited by

                @gduperrey Installed and running on a few pools. Working correctly as expected.

                1 Reply Last reply Reply Quote 2
                • gduperreyG Offline
                  gduperrey Vates πŸͺ XCP-ng Team
                  last edited by

                  Updates published: https://xcp-ng.org/blog/2025/07/03/july-2025-security-and-maintenance-update-for-xcp-ng-8-2-lts/

                  Thank you for the tests!

                  1 Reply Last reply Reply Quote 1
                  • gduperreyG Offline
                    gduperrey Vates πŸͺ XCP-ng Team
                    last edited by

                    New security update candidate

                    A new XSA (Xen Security Advisory) was published on the 8th of July, and an update to Xen addresses it.

                    Security updates

                    • linux-firmware: Update to 20250626-1 as redistributed by XenServer.
                    • xen-*:
                      • Fix XSA-471 - New speculative side-channel attacks have been discovered, affecting systems running all versions of Xen and AMD Fam19h CPUs (Zen3/4 microarchitectures). An attacker could infer data from other contexts. There are no current mitigations, but AMD is producing microcode to address the issue, and patches for Xen are available. These attacks, named Transitive Scheduler Attacks (TSA) by AMD, include CVE-2024-36350 (TSA-SQ) and CVE-2024-36357 (TSA-L1).

                    Test on XCP-ng 8.2

                    yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

                    The usual update rules apply: pool coordinator first, etc.

                    Versions:

                    • linux-firmware: 20190314-11.3.xcpng8.2
                    • xen: 4.13.5-9.49.3.xcpng8.2

                    What to test

                    On Intel platform:

                    • Normal use and anything else you want to test.

                    On AMD platform zen3 or zen4:

                    • Normal use of course
                    • On a Linux guest, with cpuid installed, run the command following command:
                    lscpu | grep -q AMD && lscpu | grep -qi "cpu family.* 25$" && [ $(($(cpuid -1 -r -l 0x80000021 | grep eax | sed -r 's/.*eax=([^ ]+) .*/\1/') & 0x20)) -eq 32 ] && echo OK

                    This should print OK if your system is protected against XSA-471.

                    Test window before official release of the updates

                    ~3 days.

                    1 Reply Last reply Reply Quote 0
                    • gduperreyG Offline
                      gduperrey Vates πŸͺ XCP-ng Team
                      last edited by

                      Updates published: https://xcp-ng.org/blog/2025/07/29/july-2025-security-update-2-for-xcp-ng-8-2-lts/

                      Thank you for the tests!

                      1 Reply Last reply Reply Quote 2
                      • gduperreyG Offline
                        gduperrey Vates πŸͺ XCP-ng Team
                        last edited by

                        New security update candidates for you to test!

                        A new XSA (Xen Security Advisory) was published on the 9th of September, and an update to Xen addresses it.

                        • xen-*:
                          • Fix XSA-472 β€” Potential risks include Denial of Service (DoS) impacting the whole host, information exposure, or escalation of privileges. There are several vulnerabilities associated with the way guest memory pages are handled and accessed in the Viridian code:
                            • NULL pointer dereference during reference TSC area update β€” This issue occurs when the system tries to update the reference TSC area but encounters a NULL pointer. (CVE-2025-27466)
                            • NULL pointer dereference when delivering synthetic timer messages β€” This happens if the code assumes the SIM page is already mapped when a synthetic timer message must be delivered. (CVE-2025-58142)
                            • Race condition in reference TSC page mapping β€” A guest system can trigger Xen to release a memory page while it is still referenced in the guest’s physical-to-machine (p2m) page tables. (CVE-2025-58143)

                        Test on XCP-ng 8.2

                        yum clean metadata --enablerepo=xcp-ng-candidates
yum update --enablerepo=xcp-ng-candidates
reboot

                        The usual update rules apply: pool coordinator first, etc.

                        Versions:

                        • xen: 4.13.5-9.49.4.xcpng8.2

                        What to test

                        • Normal use and anything else you want to test.

                        Test window before official release of the updates

                        ~2 days.

                        Remarks

                        Another XSA (474) was released the same day regarding XAPI. Since the attack vector differs and is not easily exploitable in 8.2, we have not released a patch for it, unlike in 8.3.

                        As a reminder, XCP-ng 8.2 LTS will no longer be supported as of September 16, 2025.

                        We therefore strongly encourage you to migrate your pools to XCP-ng 8.3 LTS to continue benefiting from the latest security fixes and improvements.

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post