Updates announcements and testing
-
@hecki That's what it was (with extra steps also such as putting hosts in maintenance mode), but this will change in the next release of Xen Orchestra as Rolling Pool Update will now evacuate, update then reboot every host one by one
-
Looks like yet another security patch from Xenserver available now
-
@NielsH No, they just updated the existing advisory. See "UPDATES IN VERSION 2".
-
@stormi Ah phew, good to hear we won't have to update everything so quickly again
-
New security updates (xen, Intel microcode)
Impact: host crash by exploiting PCI passthrough from a VM
Citrix' security bulletin: https://support.citrix.com/article/CTX390511
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing rebootVersions:
- xen-*: 4.13.4-9.21.1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
-
Tested here on one home lab machine, it works
-
@stormi Post update, things are working as normal on my hosts.
-
updated and all fine
-
@stormi Seems to be working well for me too.
-
Thanks for your tests. Xen developers have found an issue in the patches so I will provide a new test package when ready. The issue is rather specific so I doubt your hosts will be affected, but if you prefer to revert you can with:
yum downgrade "xen-*". -
So, new packages are now available for this security update, which now have fixes for the regressions the previous fixes caused.
Note that you were really unlikely to be directly affected by those regressions. They have been detected by code analysis tools, but all other CI tests did already pass with the previous update (Xen's CI, Citrix' CI, XCP-ng's CI).
Install the update with:
yum clean metadata --enablerepo=xcp-ng-testing yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing rebootVersion for xen-*: 4.13.4-9.21.1.xcpng8.2
If I could get feedback on it within 24h, this would be wonderful.
-
Tested and OK here
-
@stormi Updates ran fine. Systems seem to be working.
-
just joining the crowd of "seems fine"
-
Thank you everyone.
The update is published: https://xcp-ng.org/blog/2022/04/11/april-2022-security-update/
-
New updates (xen, Intel & AMD microcode)
- Update the Intel microcode for the "IPU 2022.1" vulnerability (and other vulnerabilities and bugs)
- "A potential security vulnerability in some Intel
Processors may allow information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability." - See https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00617.html
- "A potential security vulnerability in some Intel
- Update AMD microcode for Fam17h and Fam19h
- Citrix also released an update for Xen. As we had already anticipated the patches they added (that fixed regressions introduced by the fixes to the XSA-400 vulnerabilities), it does not change anything for XCP-ng. We synced our RPM with theirs anyway to make future updates easier.
Citrix' hotfix: https://support.citrix.com/article/CTX459703
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing yum update microcode_ctl linux-firmware "xen-*" --enablerepo=xcp-ng-testing rebootVersions:
- xen-*: 4.13.4-9.22.1.xcpng8.2
- microcode_ctl: 2:2.1-26.xs21.xcpng8.2
- linux-firmware: 20190314-4.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~3 days.
- Update the Intel microcode for the "IPU 2022.1" vulnerability (and other vulnerabilities and bugs)
-
@gduperrey It's working for me, but my CPUs are not covered by the update. Normal operations seem normal.
-
@gduperrey Seems fine here as well under basic usage.
-
@gduperrey Skylake-S Xeon here w/o patched bios, works fine so far.
edit: double checked /proc/cpuinfo, seems the ucode update is applying correctly, so, yeah, it worked.
-
Tested on my EPYC test bench (so not really relevant), but at least nothing broke
