-
@gduperrey
Installed on my test lab systems, 2 very old AMD systems with shared NFS storage with a mix of different types of guests. All working so far.
-
@gduperrey Update installed successfully on my 2 host playlab with shared NFS TrueNAS Core storage on a 10G network. Let's see how VM usage works during the next days.
-
@gduperrey So far, so good with normal operations.... I'm not affected by the issues but updated everything anyway (15 hosts). Intel Xeon, E5, Core 7th/10th/11th, AMD Opteron, AMD Zen3...
-
The update is published. Thanks for your tests!
Blog post: https://xcp-ng.org/blog/2022/10/14/october-2022-security-update/
-
New security update candidates (xen)
Xen is being updated to mitigate some vulnerabilities:
- XSA-326: Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored.
- XSA-419: Xenstore: Cooperating guests can create arbitrary numbers of nodes
- XSA-414: A malicious guest can cause xenstored to crash, resulting in the inability to create new guests or to change the configuration of running guests.
- XSA-415: Xenstore: Guests can create orphaned Xenstore nodes
- XSA-416: Xenstore: Guests can cause Xenstore to not free temporary memory
- XSA-417: Xenstore: Guests can get access to Xenstore nodes of deleted domains
- XSA-418: Xenstore: Guests can crash xenstored via exhausting the stack
- XSA-420: Oxenstored 32->31 bit integer truncation issues. A malicious or buggy guest can write a packet into the xenstore ring which causes 32-bit builds of oxenstored to busy loop.
- XSA-421: Xenstore: Guests can create arbitrary number of nodes via transactions
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
reboot
Versions:
- xen-*: 4.13.4-9.27.1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
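
An added example, not part of the original post or of XCP-ng's tooling: after the reboot, a check that every xen package named above reached the candidate version, which catches a partial update or a missing package. `check_candidate` is a hypothetical helper name, and the outdated version string in the sample input is constructed.

```shell
#!/bin/sh
# Confirm every package of an update candidate is at the expected version.
# stdin: "name version-release" lines, as printed on a host by
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <packages>
# args:  expected version-release, then the package names that must match.

check_candidate() {   # hypothetical helper, not an XCP-ng command
    expected=$1; shift
    installed=$(cat)  # read the rpm output once
    rc=0
    for pkg in "$@"; do
        # Exact match on the name field; rpm's "package X is not installed"
        # lines have more than two fields and never match.
        found=$(printf '%s\n' "$installed" |
            awk -v p="$pkg" 'NF == 2 && $1 == p { print $2; exit }')
        if [ -z "$found" ]; then
            echo "MISSING  $pkg"; rc=1
        elif [ "$found" != "$expected" ]; then
            echo "OUTDATED $pkg $found (want $expected)"; rc=1
        else
            echo "OK       $pkg $found"
        fi
    done
    return $rc
}

# Package names and version taken from the post above.
XEN_PKGS="xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools"
XEN_EXPECTED="4.13.4-9.27.1.xcpng8.2"

# On a real host:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' $XEN_PKGS |
#       check_candidate "$XEN_EXPECTED" $XEN_PKGS

# Constructed sample: xen-libs was left behind, xen-tools is absent.
printf '%s\n' \
    "xen-dom0-libs $XEN_EXPECTED" \
    "xen-dom0-tools $XEN_EXPECTED" \
    "xen-hypervisor $XEN_EXPECTED" \
    "xen-libs 4.13.4-9.0.0.example" \
    "package xen-tools is not installed" |
    check_candidate "$XEN_EXPECTED" $XEN_PKGS ||
    echo "update incomplete: rerun yum update before relying on the fixes"
```
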
-
@gduperrey I upgraded my home/lab machines. One replication backup machine updated. No problems so far but I was not affected by any of the bugs.
-
Tested here, seems to work
-
@gduperrey Updated my playlab and did some basic tests (create, copy, snapshot, (live-) migrate VMs and disks). Looking good so far.
-
@gduperrey Tested and working in my lab as well. So far, so good...
-
The update is published. Thanks for your tests!
Blog post: https://xcp-ng.org/blog/2022/11/04/november-2022-security-update/
-
@gduperrey Rolling update of my homelab through Xen Orchestra worked flawlessly. Thanks!
-
New update candidates (xen, microcode_ctl)
In this release, there are the following fixes and improvements:
- xen, microcode_ctl:
- Issues resolved: Minor bug fixes.
- Improvements: Intel microcode is updated to version IPU 2022.3.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update microcode_ctl xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
reboot
Versions:
- xen-*: 4.13.4-9.28.1.xcpng8.2
- microcode_ctl: 2:2.1-26.xs23.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
No precise ETA, but the sooner the feedback the better.
-
Applied on my EPYC host at home. Nothing specific to report
-
So far fine on an epyc 7002 and a xeon e5 v3
-
@gduperrey Installed on several old and new Intel machines. Working as expected.
-
Updated my playlab and nothing to report. Looks good.
-
New security update candidate (kernel)
The Linux kernel in XCP-ng's domain control is being updated to fix vulnerabilities which may allow a guest to crash the host or make it unresponsive. Even without a malicious attacker, users had reported such issues triggered by the Qlogic/Broadcom netxtreme 2 and the Cisco enic drivers.
It also contains two fixes for issues that were debugged by the XCP-ng developers and the user community, and reported to XenServer developers at the time:
- Samba shares failing to reconnect after an unexpected disconnection.
- Display issue with Intel NUCs and other hardware, due to a bug in EFI Framebuffer support.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update kernel --enablerepo=xcp-ng-testing
reboot
Versions:
- kernel: 4.19.19-7.0.15.1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
-
Tested and working on my local EPYC box
-
Same on my playlab. Updated both hosts and no issues so far.
-
Both sets of updates installed and tested in my lab with no problems so far.