RE: Updates announcements and testing

The update is published. Thanks for your tests!
Blog post: https://xcp-ng.org/blog/2022/11/04/november-2022-security-update/

New security update candidates (xen)

Xen is being updated to mitigate some vulnerabilities:

• XSA-326: Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored.
• XSA-419: Xenstore: Cooperating guests can create arbitrary numbers of nodes
• XSA-414: A malicious guest can cause xenstored to crash, resulting in the inability to create new guests or to change the configuration of running guests.
• XSA-415: Xenstore: Guests can create orphaned Xenstore nodes
• XSA-416: Xenstore: Guests can cause Xenstore to not free temporary memory
• XSA-417: Xenstore: Guests can get access to Xenstore nodes of deleted domains
• XSA-418: Xenstore: Guests can crash xenstored via exhausting the stack
• XSA-420: Oxenstored 32->31 bit integer truncation issues. A malicious or buggy guest can write a packet into the xenstore ring which causes 32-bit builds of oxenstored to busy loop.
• XSA-421: Xenstore: Guests can create arbitrary number of nodes via transactions

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
reboot

Versions:

• xen-*: 4.13.4-9.27.1.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~2 days.

The update is published. Thanks for your tests!

Blog post: https://xcp-ng.org/blog/2022/10/14/october-2022-security-update/

New security update candidates (xen, linux-firmware, edk2, xapi)

Xen and XAPI are being updated to mitigate some vulnerabilities:

• XSA-410: Two privileged users in two guest VMs, in collaboration, can crash the host or make it unresponsive.
• XSA-411: Correct a flaw in XSA-226 that allows DoS attacks from guest kernels to harm the whole system.
• XSA-413: The management service on the host can become unresponsive or crash by the means of an unauthenticated user on the management network.

In this release, there are also the following fixes and improvements:

• XAPI, issues resolved:

  • When you had an active VIF connected on dom0, you couldn't delete that VIF or the associated network, including VLAN.
  • When certificates contain the \r character, the xe host-get-server-certificate command can incorrectly output it.

• xen, linux-firmware, edk2:

  • Issues resolved:
    • Sometimes a VM freezes when a graphics-intensive application run
    • Sometimes guest UEFI firmware hangs
  • Improvements:
    • AMD microcode is updated to version 2022-09-30
    • Improvements to Xen diagnostics.

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update edk2 linux-firmware xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools forkexecd message-switch xapi-core xapi-tests xapi-xe xcp-rrdd xenopsd xenopsd-cli xenopsd-xc --enablerepo=xcp-ng-testing
reboot

Versions:

• edk2-20180522git4b8552d-1.4.6.xcpng8.2
• linux-firmware-20190314-5.xcpng8.2
• xen-*: 4.13.4-9.26.1.xcpng8.2
• forkexecd-1.18.1-1.1.xcpng8.2
• message-switch-1.23.2-3.2.xcpng8.2
• xapi-*: 1.249.26-2.1.xcpng8.2
• xcp-rrdd-1.33.0-6.1.xcpng8.2
• xenopsd-*: 0.150.12-1.2.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~2 days.

The update is published. Thanks for your tests!

Blog post: https://xcp-ng.org/blog/2022/10/05/october-2022-maintenance-update/

Update released. Thanks everyone for testing!

https://xcp-ng.org/blog/2022/05/16/may-2022-security-update/

New Security Update Candidates (Xen)

Xen is being updated to mitigate some vulnerabilities:

• XSA-439: CVE-2023-20588. On AMD Zen1 CPUs, "an attacker might be able to infer data from a different execution context on the same CPU core."

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" --enablerepo=xcp-ng-testing
reboot

Version:

• xen: 4.13.5-9.36.2.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~2 days.

Update published. Thanks for the tests!

https://xcp-ng.org/blog/2023/08/14/august-2023-security-update/

New Security Update Candidates (kernel, Xen, linux-firmware, microcode_ctl, XAPI...)

Xen is being updated to mitigate some vulnerabilities:

• XSA-432: CVE-2023-34319. Under Linux, a buffer overrun in netback can be triggered due to unusual packets. This behavior was due to the fix of the XSA-423 which didn't account an extreme case of an entire packet being split into as many pieces as permitted by the protocol and still being smaller than the area that's dealt with to keep all headers together. It is possible to crash a host from a vm, with malicious and privileged code.

• XSA-434: CVE-2023-20569. Researchers from ETH Zurich have extended their prior research (XSA-422, Branch Type Confusion, a.k.a Retbleed) and have discovered INCEPTION, also known as RAS (Return Address Stack) Poisoning, and Speculative Return Stack Overflow. An attacker might be able to infer the contents of memory belonging to other guests.

• XSA-435: CVE-2022-40982. A security issue in certain Intel CPUs may allow an attacker to infer data from different contexts on the same core.

Components are also updated to add bugfixes and enhancements:

• guest-templates-json: Added Debian 12 Bookworm

• XAPI:

  • Several hotfixes and improvements from XS82ECU1033
  • From XS82ECU1045 Significant performance improvements on a set of CPU features for servers with Cascade Lake or later Intel CPUs.

• microcode_ctl: Update to IPU 2023.3

• linux-firmware: Expose additional features for Intel CPUs, especially for Cascade Lake or later Intel CPUs. Updated to latest AMD firmware for processor family 19h.

• Xen: Expose MSR_ARCH_CAPS to guests on all Intel hardware by default.

• blktap, nbd: An update of the packages for Xostor.

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" microcode_ctl linux-firmware kernel forkexecd gpumon message-switch "ocaml-*" rrd2csv rrdd-plugins sm-cli squeezed varstored-guard vhd-tool wsproxy "xapi-*" xcp-networkd xcp-rrdd "xenopsd*" xs-opam-repo "guest-templates-*" blktap xcp-ng-linstor nbd tzdata grub* lldpad xcp-ng-xapi-plugins --enablerepo=xcp-ng-testing
reboot

Version:

• forkexecd: 1.18.3-2.1.xcpng8.2
• gpumon: 0.18.0-10.1.xcpng8.2
• kernel: 4.19.19-7.0.17.1.xcpng8.2
• linux-firmware: 20190314-9.1.xcpng8.2
• message-switch: 1.23.2-9.1.xcpng8.2
• microcode_ctl: 2.1-26.xs26.1.xcpng8.2
• ocaml-rrd-transport: 1.16.1-7.1.xcpng8.2
• ocaml-rrdd-plugin: 1.9.1-7.1.xcpng8.2
• ocaml-tapctl: 1.5.1-7.1.xcpng8.2
• ocaml-xcp-idl: 1.96.5-1.1.xcpng8.2
• ocaml-xen-api-client: 1.9.0-10.1.xcpng8.2
• ocaml-xen-api-libs-transitional: 2.25.5-4.1.xcpng8.2
• rrd2csv: 1.2.6-7.1.xcpng8.2
• rrdd-plugins: 1.10.9-4.1.xcpng8.2
• sm-cli: 0.23.0-53.1.xcpng8.2
• squeezed-0.27.0-10.1.xcpng8.2
• varstored-guard: 0.6.2-7.xcpng8.2
• vhd-tool: 0.43.0-10.1.xcpng8.2
• wsproxy: 1.12.0-11.xcpng8.2
• xapi: 1.249.32-1.1.xcpng8.2
• xapi-nbd: 1.11.0-9.1.xcpng8.2
• xapi-storage: 11.19.0_sxm2-9.xcpng8.2
• xapi-storage-script: 0.34.1-8.1.xcpng8.2
• xcp-networkd: 0.56.2-7.xcpng8.2
• xcp-rrdd: 1.33.2-6.1.xcpng8.2
• xen: 4.13.5-9.36.1.xcpng8.2
• xenopsd: 0.150.17-1.1.xcpng8.2
• xs-opam-repo: 6.35.11-1.xcpng8.2
• guest-templates-json: 1.9.6-1.3.xcpng8.2
• blktap-3.37.4-1.0.2.xcpng8.2
• tzdata-2022a-1.el7
• xcp-ng-linstor-1.1-3.xcpng8.2
• nbd-3.24-1.xcpng8.2
• grub-2.02-3.2.0.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~2 days.

Hello,

Yes, these patches will become available in XCP-ng. We're working on it to release as soon as possible. We'd like to release them this week, so we do everything we can for that.

There will be a post here for the tests and for the final release.

New Security Update Candidates (Xen)

Xen is being updated to mitigate some vulnerabilities:

• XSA-439: CVE-2023-20588. On AMD Zen1 CPUs, "an attacker might be able to infer data from a different execution context on the same CPU core."

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" --enablerepo=xcp-ng-testing
reboot

Version:

• xen: 4.13.5-9.36.2.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~2 days.

Update published. Thanks for the tests!

https://xcp-ng.org/blog/2023/08/14/august-2023-security-update/

New Security Update Candidates (kernel, Xen, linux-firmware, microcode_ctl, XAPI...)

Xen is being updated to mitigate some vulnerabilities:

• XSA-432: CVE-2023-34319. Under Linux, a buffer overrun in netback can be triggered due to unusual packets. This behavior was due to the fix of the XSA-423 which didn't account an extreme case of an entire packet being split into as many pieces as permitted by the protocol and still being smaller than the area that's dealt with to keep all headers together. It is possible to crash a host from a vm, with malicious and privileged code.

• XSA-434: CVE-2023-20569. Researchers from ETH Zurich have extended their prior research (XSA-422, Branch Type Confusion, a.k.a Retbleed) and have discovered INCEPTION, also known as RAS (Return Address Stack) Poisoning, and Speculative Return Stack Overflow. An attacker might be able to infer the contents of memory belonging to other guests.

• XSA-435: CVE-2022-40982. A security issue in certain Intel CPUs may allow an attacker to infer data from different contexts on the same core.

Components are also updated to add bugfixes and enhancements:

• guest-templates-json: Added Debian 12 Bookworm

• XAPI:

  • Several hotfixes and improvements from XS82ECU1033
  • From XS82ECU1045 Significant performance improvements on a set of CPU features for servers with Cascade Lake or later Intel CPUs.

• microcode_ctl: Update to IPU 2023.3

• linux-firmware: Expose additional features for Intel CPUs, especially for Cascade Lake or later Intel CPUs. Updated to latest AMD firmware for processor family 19h.

• Xen: Expose MSR_ARCH_CAPS to guests on all Intel hardware by default.

• blktap, nbd: An update of the packages for Xostor.

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" microcode_ctl linux-firmware kernel forkexecd gpumon message-switch "ocaml-*" rrd2csv rrdd-plugins sm-cli squeezed varstored-guard vhd-tool wsproxy "xapi-*" xcp-networkd xcp-rrdd "xenopsd*" xs-opam-repo "guest-templates-*" blktap xcp-ng-linstor nbd tzdata grub* lldpad xcp-ng-xapi-plugins --enablerepo=xcp-ng-testing
reboot

Version:

• forkexecd: 1.18.3-2.1.xcpng8.2
• gpumon: 0.18.0-10.1.xcpng8.2
• kernel: 4.19.19-7.0.17.1.xcpng8.2
• linux-firmware: 20190314-9.1.xcpng8.2
• message-switch: 1.23.2-9.1.xcpng8.2
• microcode_ctl: 2.1-26.xs26.1.xcpng8.2
• ocaml-rrd-transport: 1.16.1-7.1.xcpng8.2
• ocaml-rrdd-plugin: 1.9.1-7.1.xcpng8.2
• ocaml-tapctl: 1.5.1-7.1.xcpng8.2
• ocaml-xcp-idl: 1.96.5-1.1.xcpng8.2
• ocaml-xen-api-client: 1.9.0-10.1.xcpng8.2
• ocaml-xen-api-libs-transitional: 2.25.5-4.1.xcpng8.2
• rrd2csv: 1.2.6-7.1.xcpng8.2
• rrdd-plugins: 1.10.9-4.1.xcpng8.2
• sm-cli: 0.23.0-53.1.xcpng8.2
• squeezed-0.27.0-10.1.xcpng8.2
• varstored-guard: 0.6.2-7.xcpng8.2
• vhd-tool: 0.43.0-10.1.xcpng8.2
• wsproxy: 1.12.0-11.xcpng8.2
• xapi: 1.249.32-1.1.xcpng8.2
• xapi-nbd: 1.11.0-9.1.xcpng8.2
• xapi-storage: 11.19.0_sxm2-9.xcpng8.2
• xapi-storage-script: 0.34.1-8.1.xcpng8.2
• xcp-networkd: 0.56.2-7.xcpng8.2
• xcp-rrdd: 1.33.2-6.1.xcpng8.2
• xen: 4.13.5-9.36.1.xcpng8.2
• xenopsd: 0.150.17-1.1.xcpng8.2
• xs-opam-repo: 6.35.11-1.xcpng8.2
• guest-templates-json: 1.9.6-1.3.xcpng8.2
• blktap-3.37.4-1.0.2.xcpng8.2
• tzdata-2022a-1.el7
• xcp-ng-linstor-1.1-3.xcpng8.2
• nbd-3.24-1.xcpng8.2
• grub-2.02-3.2.0.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~2 days.

Hello,

Yes, these patches will become available in XCP-ng. We're working on it to release as soon as possible. We'd like to release them this week, so we do everything we can for that.

There will be a post here for the tests and for the final release.

New Security Update Candidates (Xen and AMD CPUs) for Zenbleed

Xen is being updated to mitigate hardware vulnerabilities in AMD CPUs.

• Upstream (Xen project) advisory: XSA-433
  • Citrix Hypervisor Security Update for CVE-2023-20593

This issue affects systems running AMD Zen 2 CPUs. Under specific microarchitectural circumstances, it may allow an attacker to potentially access sensitive information.

As this flaw can be critical for AMD Zen 2 users, we integrated the patch into our 8.3. You can read about this vulnerability on our blog here. This update includes the latest bugfix of this patch from upstream. You can read about it here on the blog.

Test on XCP-ng 8.3

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" amd-microcode --enablerepo=xcp-ng-testing
reboot

Versions:

• xen-*: xen-4.13.5-10.42.3.xcpng8.3
• amd-microcode: amd-microcode-20220930-2.1.xcpng8.3

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

None defined, but early feedback is always better than late feedback, which is in turn better than no feedback

Update published. Thanks for the tests!

https://xcp-ng.org/blog/2023/08/04/erratum-july-2023-security-update-zenbleed/

New Security Update Candidates (Xen)

Xen is being updated to correct a flaw in the latest patch (XSA-433) for Zenbleed and AMD CPUs.

• Upstream (Xen project) advisory: XSA-433

The patch provided with earlier versions was buggy by unintentionally disabling more bits than expected in the control register due to bad integer variable truncation.

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" --enablerepo=xcp-ng-testing
reboot

Version:

• xen-*: 4.13.5-9.35.1.xcpng8.2

If you didn't already applied the previous updates, we invite you to also update linux-firmware.

yum update linux-firmware
reboot

Version:

• linux-firmware: 20190314-8.1.xcpng8.2

One reboot for the two updates is enough.

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~1 days. We'll release before the WE if our internal tests are fine.

Update published. Thanks for the tests!

https://xcp-ng.org/blog/2023/07/27/july-2023-security-update-zenbleed/

New Security Update Candidates (Xen and AMD CPUs)

Xen is being updated to mitigate hardware vulnerabilities in AMD CPUs.

• Upstream (Xen project) advisory: XSA-433
  • Citrix Hypervisor Security Update for CVE-2023-20593

This issue affects systems running AMD Zen 2 CPUs. Under specific microarchitectural circumstances, it may allow an attacker to potentially access sensitive information.

Components are also updated to add bugfixes and enhancements:

• Xen:
  • Now, MPX feature is disabled by default. Cross-pool migration and upgrade will be simplified as VMs can migrate more easily from pools with Intel SkyLake, CascadeLake, or CooperLake hardware to pools with later Intel hardware (such as IceLake).
    A reboot is necessary after updating to benefit from this feature.
  • Improvements to latency with a limit on the scheduler loadbalancing. This improves performance on large systems with high CPU utilization.

Test on XCP-ng 8.2

From an up to date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" linux-firmware --enablerepo=xcp-ng-testing
reboot

Versions:

• xen-*: 4.13.5-9.34.1.xcpng8.2
• linux-firmware: 20190314-8.1.xcpng8.2

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

~2 days.

We began to work on the patch yesterday evening. We will publish it for testers later today, and if everything is fine, for everyone after two days (and success in our tests, of course).