-
This seems to be working fine on my two test systems but I don't do PCI passthrough.
-
@bleader I installed it on a bunch of busy hosts. All are fine, but none used PCI passthrough. The Rolling Pool Reboot in XO was very helpful.
-
The update has been published, thanks for testing.
https://xcp-ng.org/blog/2024/02/02/february-2024-security-update/
-
D Danp forked this topic on
-
New security update candidate (xen, microcode_ctl)
Two new XSAs were published on 12th of March, in cunjunction with microcode updates from Intel.
- XSA-452 The mitigation is currently off by default as it impacts only Atom CPUs, but can be enabled on Xen command line.
- XSA-453 This is a variation of Spectre-v1, which impacts a large panel of recent CPUs and architectures. This seems to not really be exploitable on Xen without specific changes and is not considered an emergency.
SECURITY UPDATES
xen-*:
* Fix XSA-452 - x86: Register File Data Sampling. Data from floating point, vector and integer register could be infered by an attacker on Atom processors, including data from a privileged context.
* Fix XSA-453 - GhostRace: Speculative Race Conditions. As mentioned, this is a Spectre-v1 variation that can allow an attacker to infer memory accross host and guests through a Use-After-Free flaw.microcode_ctl: Security updates from intel:- INTEL-SA-INTEL-SA-00972
- INTEL-SA-INTEL-SA-00982
- INTEL-SA-INTEL-SA-00898
- INTEL-SA-INTEL-SA-00960
- INTEL-SA-INTEL-SA-01045
Test on XCP-ng 8.2
yum clean metadata --enablerepo=xcp-ng-testing yum update "xen-*" microcode_ctl --enablerepo=xcp-ng-testing rebootThe usual update rules apply: pool coordinator first, etc.
Versions:
xen: 4.13.5-9.39.1.xcpng8.2microcode_ctl: 2.1-26.xs28.1.xcpng8.2
What to test
Normal use and anything else you want to test.
Test window before official release of the update
2 days because of security updates.
-
This is installed and working on my two test systems but they're both AMD so I'm not able to test the updated microcode.
-
@bleader Updates running on several old and new intel machines (including microcode update). Working fine so far. Rolling Pool Reboot is a helpful feature.
-
The update has been published, thank you for testing it out.
https://xcp-ng.org/blog/2024/03/15/march-2024-security-update/
-
New update candidates for you to test!
As you may know, we group non-urgent updates together for a collective release, in order not to cause unnecessary maintenance for our users.
The moment to release such a batch has come, so here they are, ready for user tests before the final release.
openvswitch:- CVE-2023-1668: Correct a flaw when processing an IP packet with protocol 0.
- CVE-2023-5366: Apply the patch for OpenFlow and neightbor discovery target with IPv6
- CVE-2023-3966: Correct a vulnerabity with "crafted Geneve packets causing invalid memory accesses and potential denial of service".
blktap:- Synced with XS82ECU1056:
- Bugfix for time out on NFS tasks which can sometimes exceed the configured value.
- Improve the error handling for some lost iSCSI connection.
- Synced with XS82ECU1056:
sm:- Support NFS servers which only offer NFSv4. The discovery process for such servers differs from that of servers which offer also NFSv3, so the SR driver had to be improved.
- Synced with XS82ECU1056: bugfix on the path checker for DELL EqualLogic with iSCSI protocol
- Synced with XS82ECU1060: bugfix for when a host is unable to log into all iSCSI portals because there are separate independent Target Portal Groups inside the IQN.
util-linux: preparatory steps to support 4k-only disks.xapi: Bugfix in a testing framework.xcp-ng-pv-tools: Small fixes regarding VM stats reporting.xcp-ng-xapi-plugins: Add check_installed function in updater plugin to test installed packages. This is a prerequisite for the upcoming XOSTOR release.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing yum update --enablerepo=xcp-ng-testing blktap openvswitch sm-* util-linux xapi-* xcp-ng-pv-tools xcp-ng-xapi-plugins rebootThe usual update rules apply: pool coordinator first, etc.
Versions
blktap: 3.37.4-3.1.xcpng8.2openvswitch: 2.5.3-2.3.12.2.xcpng8.2sm: 2.30.8-10.1.xcpng8.2util-linux: 2.23.2-52.1.xcpng8.2xapi: 1.249.32-2.2.xcpng8.2xcp-ng-pv-tools: 8.2.0-12.xcpng8.2xcp-ng-xapi-plugins: 1.10.0-1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~1 week.
-
@gduperrey Updates installed and running.
-
They're running without problems for me on my test systems
-
Tested and working here
-
@gduperrey Applicable to 8.3?
-
@gduperrey Succesfully updated my two host pool. Let's see how the weekend goes with some tests.
-
@JamesG No, it's just for XCP-ng 8.2
-
The updates have been published; thank you for testing them out.
https://xcp-ng.org/blog/2024/03/29/march-2024-maintenance-update/
-
New security update candidate (xen)
Three new XSAs were published on 9th of April.
Notes:- XSA-456 was published on various public mailing list but its entry is not yet on the xenbits page, hence the different link for this one.
- XSAs description to be completed later, early posting to provide more chances to run tests before final release.
- XSA-454 impacts all host running HVM or PVH guests on x86_64, therefore all supported architectures on XCP-ng.
- XSA-455 relates to XSA-407 (Branch Type Confusion) having a logical error, check its
VULNERABLE SYSTEMSsection for impacted systems. - XSA-456 should only impact Intel CPU as it is understood at this time.
SECURITY UPDATES
xen-*:- Fix XSA-454 - x86 HVM hypercalls may trigger Xen bug check. HVM and PVH guests can DoS a host in some cases calling 32-bit-mode hypercalls with parameters that will lead the hypercall sanity checks to trigger a crash.
- Fix XSA-455 - x86: Incorrect logic for BTC/SRSO mitigations. Fix for XSA-407 was not properly used, meaning an attacker could be able to infer memory from host or other guests. All versions since 4.13.4-9.24.1 are vulnerable.
- Fix XSA-456 - x86: Native Branch History Injection. An attacker could infer memory of host or other guests by using the Native Branch History Ijnection flaw. This is an evolution of Spectre-BHB which was previously considered not to be a risk for Xen.
Test on XCP-ng 8.2
yum clean metadata --enablerepo=xcp-ng-testing yum update "xen-*" --enablerepo=xcp-ng-testing rebootThe usual update rules apply: pool coordinator first, etc.
Versions:
xen: 4.13.5-9.40.1.xcpng8.2
What to test
Normal use and anything else you want to test.
Test window before official release of the updates
~1 days because of security updates.
-
@bleader Did they get published to the right directory? I don't see anything in testing (stuff is in incoming).
-
My bad, we were a bit late and I tried to be quick and forgot to move it... Just did that, should be good soon, it needs some time to sync repos.
-
Tested in my home lab, no explosion
-
@bleader Updated my homelab without any issues
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login