-
New update candidates for you to test!
A new batch of non-urgent updates is ready for user tests before a future collective release. Below are the details about these.
intel-igc: Fix a possible update issue due to a recent package name change.microcode_ctl:- Latest Intel release microcode-20250211:
- Security updates for:
- INTEL-SA-01166, INTEL-SA-01213, INTEL-SA-01139, INTEL-SA-01228
- Updates for multiple functional issues
- Upstream update drops files for older Sapphire Rapids steppings, we kept the previous versions
- Security updates for:
- Latest Intel release microcode-20250211:
netdata:- Update to Netdata v1.44.3
- Fix dmesg warnings due to setuid+capabilities on xenstat plugin
- The freeipmi plugin now comes in a separate package
- Improve systemd service restart with a custom script waiting for Netdata to be fully up-and-running before stopping it.
- Update to Netdata v1.44.3
openvswitch:- Synchorized with XS82ECU1081. Alignement with the hotfix, no functional changes.
- Fix CVE-2022-4337 & CVE-2022-4338 when parsing malformed AutoAttach
qemu: Fix CVE-2023-3354, which could cause QEMU to crash when handling multiple VNC connections. If an incorrect response is received while closing a connection—whether due to a bug or intentional manipulation—it could trigger this issue.xapi:- Synchronized with XS82ECU1084: Fixes a behavior that could occur when changing masters in a pool with a large number of hosts. In this context, it was sometimes no longer possible to connect certain pool management software.
xcp-ng-xapi-plugins:- Add new service plugin to manage (start, stop, ...) XCP-ng services
- Add a new ipmitool plugin to get information from ipmitool that:
- Returns information about sensors
- Returns IPMI LAN information
xen:- Synchronized with hotfix XS82ECU1082 from Citrix
- Fix watchdog setup on Intel Sapphire Rapids and Emerald Rapids platforms.
- Reduce PCI config reads
- Prevent early exit from i8259 loop detection on systems with multiple IO-APICs
- Fix incomplete reduction of PCI config reads
- Fix XSA-467 / CVE-2025-1713
- Synchronized with hotfix XS82ECU1082 from Citrix
XOSTOR:
sm(specific release for XOSTOR): Ensure that coalesces run correctly on LINSTOR volumes that have been previously resized.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing yum update --enablerepo=xcp-ng-testing rebootThe usual update rules apply: pool coordinator first, etc.
If you are using XOSTOR on your test servers, be sure to read our documentation on updating XOSTOR. You will need to enable an additional repo. Replace the
yum updatecommand above with this one:yum update --enablerepo=xcp-ng-testing,xcp-ng-linstor-testingVersions
intel-igc: 5.10.214-3.3.xcpng8.2microcode_ctl: 2.1-26.xs29.7.xcpng8.2netdata: 1.44.3-1.2.xcpng8.2openvswitch: 2.5.3-2.3.14.2.xcpng8.2qemu: 4.2.1-4.6.4.2.xcpng8.2xapi: 1.249.41-1.1.xcpng8.2xcp-ng-xapi-plugins: 1.12.0-2.xcpng8.2xen: 4.13.5-9.48.2.xcpng8.2
If you're using XOSTOR, there is also this version:
sm: 2.30.8-13.2.0.linstor.2.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better. It would be nice if you could specify in your feedback if you are using Xostor or not.
Test window before official release of the updates
~ 4/5 days
-
Home host, no XOSTOR, updated fine, no issue with my usual VMs.
-
Installed on my test server, not running XOSTOR, everything seems to be working fine so far.
-
Update published: https://xcp-ng.org/blog/2025/03/12/march-2025-security-and-maintenance-update-for-xcp-ng-8-2-lts/
Thank you for the tests!
-
New security update candidates for you to test!
Yet more vulnerabilities in Intel hardware, addressed in two complementary ways: patching Xen and updating Intel microcode.
Together with this security update, will also publish a patched XAPI to fix a minor issue with information reporting from VM to hypervisor.
Test on XCP-ng 8.2
From an up-to-date host:
yum clean metadata --enablerepo=xcp-ng-candidates yum update --enablerepo=xcp-ng-candidates rebootThe usual update rules apply: pool coordinator first, etc.
Versions
microcode_ctl: 2.1-26.xs29.8.xcpng8.2 (weird identifier for historical reasons, but that's actually Intel microcode published by them yesterday)xen: 4.13.5-9.49.1.xcpng8.2xapi: 1.249.41-1.2.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~24h. That's an urgent one.
-
Installed and seems to be running fine so far on my test systems.
-
@stormi I needed an excuse to reboot all my hosts... Upgraded and running on stable pools. I see the Intel 11th gen new microcode. All working normally at this time.
-
Update published: https://xcp-ng.org/blog/2025/05/14/may-2025-security-update-for-xcp-ng-8-2-8-3/
Thank your for the tests.
-
Updated our own prod via XO RPU, everything is working fine
-
New update candidates for you to test!
A new batch of non-urgent updates is ready for user tests before a future collective release.
openssh: Fix low priority CVE-2025-26465 DoS attack when VerifyHostKeyDNS is "yes" or "ask" (The Default value has not changed: "no")samba: Fix vulnerabilities which are very unlikely to be exploitable on XCP-ng but are reported by security scanners.xcp-ng-release: This update adds a certificate to resolve a TLS handshake error, particularly when deploying XOA from CLI usingcurl.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing yum update --enablerepo=xcp-ng-testing rebootThe usual update rules apply: pool coordinator first, etc.
No specific steps for these updates for XOSTOR users.
Versions
openssh: 7.4p1-23.3.2.xcpng8.2samba: 4.10.16-25.el7_9xcp-ng-release: 8.2.1-16
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
None defined, but early feedback is always better than late feedback, which is in turn better than no feedback
