Patch for CVE-2025-27466, CVE-2025-58142, CVE-2025-58143
-
Hey all,
I couldn't find any information regarding this, so here I go again, posting on the forums.
Are the patches for xcp-ng available to upgrade Xen to version 4.17.5-15.3?
Currently when I run the
xl info | grep xen_version
I get
xen_version: 4.17.5-15
I would like to upgrade to patch some of the vulnerabilities found recently:
september-2025-security-update
XOA is not showing any available patches. Running yum update on the hosts also doesn't show any update.
Cheers
-
Hello, the blog post you linked is our announcement that these have been fixed on our side. As you don't have any updates in XOA or yum commands, it means that you're on the latest version already.
The reported version of xen through
xl info
is the base version, the .3 is our own patch or build iteration, therefore not reflected in that command. If you want to be sure, the best way is to compare the
yum info xen-hypervisor
version to the one present in the blog post.
-
@bleader Thanks for the response. The command you provided indeed does report back the latest version:
Version : 4.17.5
Release : 15.3.xcpng8.3
Not sure why the security team still reports it as not patched.
-
It likely depends on how they check:
- if they use xl info they cannot know if it is the latest
- if this is an automated SBOM scan, there is no database containing our version to assess it was patched
At least those are the only ways I have in mind right now.
Could be interesting if you can get the info on how it is checked and where they expect to find the information.
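
The difference between the two checks discussed in this thread, as an added example that is not part of the original posts or of XCP-ng's tooling: the script compares the version string each source reports against the fixed release and shows why the `xl info` value cannot settle the question. The function names, the sample text (constructed from the outputs quoted above), the dist-tag stripping rule and the "indeterminate" prefix rule are assumptions of this example.

```shell
#!/bin/sh
# Added example. Sample inputs are constructed from the outputs quoted in the thread.
FIXED="4.17.5-15.3"                     # release named in the first post
XL_SAMPLE="xen_version: 4.17.5-15"      # what xl info reports
YUM_SAMPLE="Name        : xen-hypervisor
Version     : 4.17.5
Release     : 15.3.xcpng8.3"            # what yum info reports

# Extract the version string from xl-info-style text.
xl_version() { awk -F' *: *' '$1 == "xen_version" { print $2 }'; }

# Build "version-release" from yum-info-style text. Assumption: the dist tag
# starts at the first dotted field that does not begin with a digit.
pkg_vr() {
  awk -F' *: *' '$1 == "Version" { v = $2 } $1 == "Release" { r = $2 }
    END { sub(/\.[^0-9].*$/, "", r); print v "-" r }'
}

# Compare two numeric version strings field by field; prints lt, eq or gt.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
    for (i = 1; i <= n || i <= m; i++) {
      if (x[i] + 0 < y[i] + 0) { print "lt"; exit }
      if (x[i] + 0 > y[i] + 0) { print "gt"; exit }
    }
    print "eq"
  }'
}

# $1 = observed version, $2 = fixed version.
# If the observed string is only a prefix of the fixed one, the build iteration
# is missing from the source, so the result is reported as indeterminate.
verdict() {
  case "$2" in "$1".*) echo indeterminate; return ;; esac
  if [ "$(vercmp "$1" "$2")" = lt ]; then echo vulnerable; else echo patched; fi
}

echo "xl info : $(verdict "$(printf '%s\n' "$XL_SAMPLE" | xl_version)" "$FIXED")"
echo "yum info: $(verdict "$(printf '%s\n' "$YUM_SAMPLE" | pkg_vr)" "$FIXED")"
```

On a host, the sample variables would be replaced by the live output of `xl info` and `yum info xen-hypervisor`.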