Patch for CVE-2025-27466, CVE-2025-58142, CVE-2025-58143
-
Hey all,
I couldn't find any information regarding this, so here I go again and posting on the forms.
Are the patches for xcp-ng available to upgrade Xen to version 4.17.5-15.3 ?
Currently when I run the
xl info | grep xen_versionI get
xen_version: 4.17.5-15I would like to upgrade to patch some of the vulnerabilities found recently:
september-2025-security-updateXOA is not showing any available patches. Running yum update on the hosts also don't show any update.
Cheers
-
Hello, the blog post you linked is our announcement that these have been fixed on our side. As you don't have any updates in XOA or yum commands, it means that you're on the latest version already.
The reported version of xen through
xl infoil the base version, the .3 is our own patch or build iteration, therefore not reflected in that command.If you want to be sure, the best way is to compare the
yum info xen-hypervisorversion to the one present in the blog post. -
@bleader Thank for the response. The command you provided indeed does report back the latest version:
Version : 4.17.5 Release : 15.3.xcpng8.3Not sure why the security teams still reports it as not patched.
-
It likely depends how they check:
- if they use xl info they cannot know if it is the latest
- if this is an automated SBOM scan, there is no database containing our version to assess it was patched
At least that's the only ways I have in mind right now
Could be interesting if you can get the info on how it is checked and where they expect to find the information.
-
@bleader just checked the Excel assessment file I got from the security team. They used Crowdstrike (sensor is not installed on xcp-ng hosts).
The funny thing is, the asset that it reports as vulnerable is the VM that is running XOA (official image provided by XCP-NG). It is deployed recently, so everything is up-to-date, but even then I don't understand how it reports the XOA VM as the one containing the vulnerabilities.
