-
New Security Update Candidates (Xen)
Xen is being updated to mitigate some vulnerabilities:
- XSA-439: CVE-2023-20588. On AMD Zen1 CPUs, "an attacker might be able to infer data from a different execution context on the same CPU core."
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing yum update "xen-*" --enablerepo=xcp-ng-testing reboot
Version:
- xen: 4.13.5-9.36.2.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
-
We will soon publish the security update. Few hours left for community feedback before the release.
-
@stormi I don't have a Zen 1 system... But I do have the update running on several systems for a day.
-
Tested on my Zen2 system, no issues.
-
Tested in my test lab and no problems but no Zen CPUs either.
-
Thanks for the tests! The update was published: https://xcp-ng.org/blog/2023/09/29/september-2023-security-update/
-
New security and maintenance updates
Xen and the linux kernel in the controller domain are updated to fix several vulnerabilities.
We also publish several maintenance updates which were ready and waiting for the next push.
Security updates
xen-*
:- Fix XSA-440 - xenstored: A transaction conflict can crash C Xenstored. XCP-ng uses the ocaml version of xenstored by default, so the issue only concerns users who deliberately switched to C Xenstored.
- Fix XSA-442 - x86/AMD: missing IOMMU TLB flushing. Privilege escalation, DoS, information leaks, on some AMD systems, from VMs with PCI passthrough.
- Fix XSA-443 - Multiple vulnerabilities in libfsimage disk handling. Privilege escalation from PV guests through flaws in libfsimage. Remember that PV guests are not security-supported in XCP-ng 8.2. Despite this, this fix is provided for users who still have PV guests, but we still urge them to convert their VMs to HVM.
- Fix XSA-444 - x86/AMD: Debug Mask handling. DoS provoked from a guest.
kernel
:- Fix XSA-441 - Possible deadlock in Linux kernel event handling. As we understand it, the denial of service would not be possible in XCP-ng's default configuration, but we provide the patched kernel as defence in depth.
Other updates
sm
(Storage Manager): improvements around the handling of user customizations on multipath configuration- Do not overwrite multipath.conf if users made changes
- Add warning to multipath.conf to prevent future modifications (for users which haven't modified it yet, that is, the vast majority)
- Add /etc/multipath/conf.d/custom.conf for user customization
guest-templates-json*
: sync with latest Citrix Hypervisor hotfixes. We already had templates for Debian 11, Debian 12, Rocky Linux 9 and CentOS Stream 9 in XCP-ng 8.2. The only new template is Ubuntu 2204.irqbalance
: backport of hotfix XS82ECU1048. "Enable interrupt balancing for Fibre Channel (FC) PCI devices. This improves performance on fast FC HBA SRs, especially if multipathing is used."
Test on XCP-ng 8.2
yum clean metadata --enablerepo=xcp-ng-testing yum update "xen-*" kernel sm sm-rawhba irqbalance "guest-templates-json*" --enablerepo=xcp-ng-testing reboot
The usual update rules apply: pool coordinator first, etc.
If you are a user of XOSTOR, change the last parameter to
--enablerepo=xcp-ng-testing,xcp-ng-linstor-testing
to pick the linstor-compatible version of thesm
update.Versions
xen-*
: 4.13.5-9.36.3.xcpng8.2kernel
: 4.19.19-7.0.17.2.xcpng8.2sm
: 2.30.8-2.3.xcpng8.2irqbalance
: 1.0.7-16.xcpng8.2guest-templates-json*
: 1.10.6-1.1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days due to the security updates.
-
Tested on my EPYC host, no issue at all
-
Installed yesterday on my R620; no issues experienced thus far.
-
@stormi I have had the updates running for a day on a few machines.
-
I have it running on my test servers, an HP MicroServer and a ProLiant DL165 G7. No problems so far.
-
Thanks for your tests!
Update published: https://xcp-ng.org/blog/2023/10/12/october-2023-security-update/
-
\o/ well done, thanks everyone!
-
New security update candidates
As promised in the previous security update, here's a new one which goes further, for better defence-in-depth.
Security updates
- Xen, XAPI and all its components, sm, libfuse, e2fsprogs: various patches to either deprivilege any component which uses libfsimage, or remove its use altogether. The previous security update fix the urgent flaws described in XSA-443, and this update takes further measures as defence-in-depth.
xs-openssl
: rebased on a more recent release from RHEL/CentOS, which fixes various CVEskernel
: nothing to declare. We just rebuilt it after syncing with XenServer's latest hotfix, but there are no source code changes.
Test on XCP-ng 8.2
yum clean metadata --enablerepo=xcp-ng-testing yum update --enablerepo=xcp-ng-testing reboot
The usual update rules apply: pool coordinator first, etc.
If you are a user of XOSTOR, do not install this update candidate. A linstor-compatible version of the sm update is still being prepared.
Versions
blktap
: 3.37.4-2.1.xcpng8.2device-mapper-multipath*
: 0.4.9-136.xcpng8.2e2fsprogs*
: 1.47.0-1.1.xcpng8.2forkexecd
: 1.18.3-3.1.xcpng8.2fuse-libs
(added): 2.9.2-10.xcpng8.2gpumon
: 0.18.0-11.1.xcpng8.2kernel
: 4.19.19-7.0.18.1.xcpng8.2message-switch
: 1.23.2-10.1.xcpng8.2rrd2csv
: 1.2.6-8.1.xcpng8.2rrdd-plugins
: 1.10.9-5.1.xcpng8.2sm
: 2.30.8-7.1.xcpng8.2sm-cli
: 0.23.0-54.1.xcpng8.2sm-rawhba
: 2.30.8-7.1.xcpng8.2squeezed
: 0.27.0-11.1.xcpng8.2varstored-guard
: 0.6.2-8.xcpng8.2vhd-tool
: 0.43.0-11.1.xcpng8.2wsproxy
: 1.12.0-12.xcpng8.2xapi-core
: 1.249.32-2.1.xcpng8.2xapi-nbd
: 1.11.0-10.1.xcpng8.2xapi-storage
: 11.19.0_sxm2-10.xcpng8.2xapi-storage-script
: 0.34.1-9.1.xcpng8.2xapi-tests
: 1.249.32-2.1.xcpng8.2xapi-xe
: 1.249.32-2.1.xcpng8.2xcp-networkd
: 0.56.2-8.xcpng8.2xcp-rrdd
: 1.33.2-7.1.xcpng8.2xen-*
: 4.13.5-9.37.1.xcpng8.2xenopsd*
: 0.150.17-2.1.xcpng8.2xs-openssl-libs
: 1.1.1k-9.1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~3 days
-
@stormi You want us to load ALL of 8.2 testing? There are a few things that show up that were not on your list.... This type of update (and all of the ones in the past) should be in a staging directory so we don't get unintended updates.
-
@Andrew Yes. The only other packages in the testing repo are packages that will be pushed to the updates repo at the same time as the rest, but won't be selected by yum as updates for your system.
If you see anything suspicious in the output of yum update, before pressing
y
, just tell, but I haven't put anything in the testing repo which is not supposed to be published in the next updates. -
Tested here, nothing special to report
-
Installed on a test system and all is working well for me so far.
-
Update published. Thanks for the tests!
https://xcp-ng.org/blog/2023/10/27/october-2023-security-update-2/
-
@stormi Following the warning in this patch set's announcement, I did not install it on my XOSTOR setup. Is it safe to do so now?