-
@bleader Updated my two node homelab and everything seems to work as expected. Let's see how things go over the next days.
-
@bleader Updated an running on newer and older Intel machines. Running normally so far.
-
Tested in my own lab, no issues so far
-
Update published https://xcp-ng.org/blog/2024/07/18/july-2024-security-updates/
Thank you everyone for your tests!
-
@bleader 2 production polls updated via RPU without issues.
-
New security update candidates (xen, microcode_ctl)
A new XSA was published on August 14th 2024.
Intel published an updated microcode on August 13th 2024.
- XSA-460 passing through some PCI devices after guest creation could lead to any kind of security issue (DoS, privilege escalation, information leak,β¦) the actual risk depends on the systems and the devices passed through.
- XSA-461 some pass-through use cases when on one or more device when they share resources are actually not possible to be made secure. This XSA updates the Xen documentation to reflect that.
SECURITY UPDATES
xen-*
:- Fix XSA-460 - error handling in x86 IOMMU identity mapping. The handling of errors in the case of mapping Reserved Memory Regions was flawed, potentially keeping the mapping in place, this could allow guests to access memory region they should not be allowed to access. These mapping are typically used when doing pass-through of legacy USB emulation.
- Document XSA-461 - PCI device pass-through with shared resources Files. According to the Xen Project security team, PCI pass-through of devices that share ressources is not possible to be made safe. This updates the documentation to reflect it. Look at the "MITIGATION" section of the XSA for more information regarding the safe cases.
microcode_ctl
: Security updates from Intel:- INTEL-SA-01083
- INTEL-SA-01118
- INTEL-SA-01100
- INTEL-SA-01038
- INTEL-SA-01046
- Plus fixes for a lot of functional issues, see the Release Notes for more details.
Test on XCP-ng 8.2
yum clean metadata --enablerepo=xcp-ng-candidates yum update "xen-*" microcode_ctl --enablerepo=xcp-ng-candidates reboot
The usual update rules apply: pool coordinator first, etc.
Versions:
xen
: 4.13.5-9.40.3.xcpng8.2microcode_ctl
: 2.1-26.xs29.3.xcpng8.2
What to test
Normal use and anything else you want to test. Feedback about PCI pass-through is also welcome.
Test window before official release of the update
~ 2 day because of security updates.
-
@bleader Installed and running on pools of 8.2.1 systems.
-
@bleader They're installed and running well on my test lab systems.
-
@bleader Installed on my playlab. Everything looks normal, let's see how it goes.
-
I just pushed an update for
microcode_ctl
, inxcp-ng-candidates
again.It only changes one microcode file,
06-a5-03
(CML-S62, Core Gen 10), which Intel had forgotten to update in their initial release.(We found out and reported it to them)
-
Update published https://xcp-ng.org/blog/2024/08/16/august-security-update/
Thank you all for testing
-
@bleader All pools updated via RPU without issues.