- 
 The update has been published, thanks for testing. https://xcp-ng.org/blog/2024/02/02/february-2024-security-update/ 
- 
- 
New security update candidate (xen, microcode_ctl)

Two new XSAs were published on 12th of March, in conjunction with microcode updates from Intel.
- XSA-452: The mitigation is currently off by default as it impacts only Atom CPUs, but can be enabled on the Xen command line.
- XSA-453: This is a variation of Spectre-v1, which impacts a large panel of recent CPUs and architectures. This seems to not really be exploitable on Xen without specific changes and is not considered an emergency.

SECURITY UPDATES
- xen-*:
  * Fix XSA-452 - x86: Register File Data Sampling. Data from floating point, vector and integer registers could be inferred by an attacker on Atom processors, including data from a privileged context.
  * Fix XSA-453 - GhostRace: Speculative Race Conditions. As mentioned, this is a Spectre-v1 variation that can allow an attacker to infer memory across host and guests through a Use-After-Free flaw.
- microcode_ctl: Security updates from Intel:
  - INTEL-SA-00972
  - INTEL-SA-00982
  - INTEL-SA-00898
  - INTEL-SA-00960
  - INTEL-SA-01045

Test on XCP-ng 8.2
yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" microcode_ctl --enablerepo=xcp-ng-testing
reboot
The usual update rules apply: pool coordinator first, etc.

Versions:
- xen: 4.13.5-9.39.1.xcpng8.2
- microcode_ctl: 2.1-26.xs28.1.xcpng8.2

What to test
Normal use and anything else you want to test.
Test window before official release of the update: 2 days because of security updates.
- 
 This is installed and working on my two test systems but they're both AMD so I'm not able to test the updated microcode. 
- 
 @bleader Updates running on several old and new intel machines (including microcode update). Working fine so far. Rolling Pool Reboot is a helpful feature. 
- 
 The update has been published, thank you for testing it out. https://xcp-ng.org/blog/2024/03/15/march-2024-security-update/ 
- 
New update candidates for you to test!

As you may know, we group non-urgent updates together for a collective release, in order not to cause unnecessary maintenance for our users. The moment to release such a batch has come, so here they are, ready for user tests before the final release.

- openvswitch:
  - CVE-2023-1668: Correct a flaw when processing an IP packet with protocol 0.
  - CVE-2023-5366: Apply the patch for OpenFlow and neighbor discovery target with IPv6.
  - CVE-2023-3966: Correct a vulnerability with "crafted Geneve packets causing invalid memory accesses and potential denial of service".
- blktap:
  - Synced with XS82ECU1056:
    - Bugfix for time out on NFS tasks which can sometimes exceed the configured value.
    - Improve the error handling for some lost iSCSI connections.
- sm:
  - Support NFS servers which only offer NFSv4. The discovery process for such servers differs from that of servers which also offer NFSv3, so the SR driver had to be improved.
  - Synced with XS82ECU1056: bugfix on the path checker for DELL EqualLogic with iSCSI protocol.
  - Synced with XS82ECU1060: bugfix for when a host is unable to log into all iSCSI portals because there are separate independent Target Portal Groups inside the IQN.
- util-linux: preparatory steps to support 4k-only disks.
- xapi: Bugfix in a testing framework.
- xcp-ng-pv-tools: Small fixes regarding VM stats reporting.
- xcp-ng-xapi-plugins: Add check_installed function in updater plugin to test installed packages. This is a prerequisite for the upcoming XOSTOR release.

Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing blktap openvswitch sm-* util-linux xapi-* xcp-ng-pv-tools xcp-ng-xapi-plugins
reboot
The usual update rules apply: pool coordinator first, etc.

Versions
- blktap: 3.37.4-3.1.xcpng8.2
- openvswitch: 2.5.3-2.3.12.2.xcpng8.2
- sm: 2.30.8-10.1.xcpng8.2
- util-linux: 2.23.2-52.1.xcpng8.2
- xapi: 1.249.32-2.2.xcpng8.2
- xcp-ng-pv-tools: 8.2.0-12.xcpng8.2
- xcp-ng-xapi-plugins: 1.10.0-1.xcpng8.2

What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates: ~1 week.
- 
 @gduperrey Updates installed and running. 
- 
 They're running without problems for me on my test systems 
- 
 Tested and working here  
- 
 @gduperrey Applicable to 8.3? 
- 
@gduperrey Successfully updated my two host pool. Let's see how the weekend goes with some tests.
- 
 @JamesG No, it's just for XCP-ng 8.2 
- 
 The updates have been published; thank you for testing them out. https://xcp-ng.org/blog/2024/03/29/march-2024-maintenance-update/ 
- 
New security update candidate (xen)

Three new XSAs were published on 9th of April.

Notes:
- XSA-456 was published on various public mailing lists but its entry is not yet on the xenbits page, hence the different link for this one.
- XSA descriptions to be completed later; early posting to provide more chances to run tests before final release.

- XSA-454 impacts all hosts running HVM or PVH guests on x86_64, therefore all supported architectures on XCP-ng.
- XSA-455 relates to XSA-407 (Branch Type Confusion) having a logical error; check its VULNERABLE SYSTEMS section for impacted systems.
- XSA-456 should only impact Intel CPUs as it is understood at this time.

SECURITY UPDATES
- xen-*:
  - Fix XSA-454 - x86 HVM hypercalls may trigger Xen bug check. HVM and PVH guests can DoS a host in some cases by calling 32-bit-mode hypercalls with parameters that will lead the hypercall sanity checks to trigger a crash.
  - Fix XSA-455 - x86: Incorrect logic for BTC/SRSO mitigations. Fix for XSA-407 was not properly used, meaning an attacker could be able to infer memory from host or other guests. All versions since 4.13.4-9.24.1 are vulnerable.
  - Fix XSA-456 - x86: Native Branch History Injection. An attacker could infer memory of host or other guests by using the Native Branch History Injection flaw. This is an evolution of Spectre-BHB which was previously considered not to be a risk for Xen.

Test on XCP-ng 8.2
yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" --enablerepo=xcp-ng-testing
reboot
The usual update rules apply: pool coordinator first, etc.

Versions:
- xen: 4.13.5-9.40.1.xcpng8.2

What to test
Normal use and anything else you want to test.
Test window before official release of the updates: ~1 day because of security updates.
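As an added example (not part of this thread or of the XCP-ng project's own tooling), a small Python checker that takes the xen package versions quoted in the March and April announcements above, orders them the way rpm orders version segments, and reports which of XSA-452 through XSA-456 a given xen build still lacks, including the XSA-455 window that starts at 4.13.4-9.24.1. The `rpm -q` sample lines are constructed.

```python
import re

# Versions quoted in this thread (XCP-ng 8.2 xen package releases).
XEN_FIX_XSA_452_453 = "4.13.5-9.39.1.xcpng8.2"   # March 2024 security update
XEN_FIX_XSA_454_456 = "4.13.5-9.40.1.xcpng8.2"   # April 2024 security update
XEN_XSA_455_FIRST_BAD = "4.13.4-9.24.1"          # "all versions since ... are vulnerable"

_SEG = re.compile(r"\d+|[A-Za-z]+")

def parse_version(ver: str) -> tuple:
    """Turn 'VERSION-RELEASE' into nested tuples that compare like rpm does:
    numeric segments compare as integers and rank above alphabetic ones."""
    version, _, release = ver.partition("-")
    def segs(s: str) -> tuple:
        return tuple((1, int(t)) if t.isdigit() else (0, t) for t in _SEG.findall(s))
    return (segs(version), segs(release))

def parse_nvra(nvra: str) -> tuple:
    """Split 'name-version-release.arch' as printed by 'rpm -q' into (name, 'version-release')."""
    base, _, _arch = nvra.rpartition(".")
    name_ver, _, release = base.rpartition("-")
    name, _, version = name_ver.rpartition("-")
    return name, f"{version}-{release}"

def xsa_status(xen_ver: str) -> dict:
    """True = the build carries the fix for that XSA, False = still affected."""
    v = parse_version(xen_ver)
    has_march = v >= parse_version(XEN_FIX_XSA_452_453)
    has_april = v >= parse_version(XEN_FIX_XSA_454_456)
    # XSA-455 is a bug in the XSA-407 fix itself: only builds from 4.13.4-9.24.1
    # up to (not including) the April fix are in the affected window.
    in_455_window = parse_version(XEN_XSA_455_FIRST_BAD) <= v and not has_april
    return {"XSA-452": has_march, "XSA-453": has_march,
            "XSA-454": has_april, "XSA-456": has_april,
            "XSA-455": not in_455_window}

def report(rpm_q_output: str) -> dict:
    """Run xsa_status over every xen-* line of 'rpm -q' output."""
    result = {}
    for line in rpm_q_output.splitlines():
        name, ver = parse_nvra(line.strip())
        if name.startswith("xen-"):
            result[name] = xsa_status(ver)
    return result

# Constructed sample: what 'rpm -q xen-hypervisor microcode_ctl' might print on a
# host that has the March update but not yet the April one.
SAMPLE_RPM_Q = "xen-hypervisor-4.13.5-9.39.1.xcpng8.2.x86_64\nmicrocode_ctl-2.1-26.xs28.1.xcpng8.2.x86_64"
```

On a real host, feed `report()` the output of `rpm -q xen-hypervisor` instead of `SAMPLE_RPM_Q`; any False entry names an XSA whose fix is not yet installed.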
- 
 @bleader Did they get published to the right directory? I don't see anything in testing (stuff is in incoming). 
- 
 My bad, we were a bit late and I tried to be quick and forgot to move it... Just did that, should be good soon, it needs some time to sync repos. 
- 
 Tested in my home lab, no explosion  
- 
 @bleader Updated my homelab without any issues 
- 
 @bleader Seems to be running just fine on my test servers as well. 
- 
 @bleader Installed and running. 