XCP-ng


    gduperrey

    @gduperrey

    Vates 🪐 XCP-ng Team 🚀

    Stormi's helper.
    Science-Fiction and Fantasy lover. Love books, comics, animes...

    34
    Reputation
    16
    Profile views
    17
    Posts
    1
    Followers
    0
    Following
    Joined Last Online

    gduperrey Unfollow Follow
    Vates 🪐 XCP-ng Team 🚀 Admin 🧑‍💻

    Best posts made by gduperrey

    • RE: Updates announcements and testing

      The update is published. Thanks for your tests!
      Blog post: https://xcp-ng.org/blog/2022/11/04/november-2022-security-update/

      posted in News
      gduperrey
    • RE: Updates announcements and testing

      New security update candidates (xen)

      Xen is being updated to mitigate some vulnerabilities:

      • XSA-326: Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored.
      • XSA-419: Xenstore: Cooperating guests can create arbitrary numbers of nodes
      • XSA-414: A malicious guest can cause xenstored to crash, resulting in the inability to create new guests or to change the configuration of running guests.
      • XSA-415: Xenstore: Guests can create orphaned Xenstore nodes
      • XSA-416: Xenstore: Guests can cause Xenstore to not free temporary memory
      • XSA-417: Xenstore: Guests can get access to Xenstore nodes of deleted domains
      • XSA-418: Xenstore: Guests can crash xenstored via exhausting the stack
      • XSA-420: Oxenstored 32->31 bit integer truncation issues. A malicious or buggy guest can write a packet into the xenstore ring which causes 32-bit builds of oxenstored to busy loop.
      • XSA-421: Xenstore: Guests can create arbitrary number of nodes via transactions

      Test on XCP-ng 8.2

      From an up to date host:

      yum clean metadata --enablerepo=xcp-ng-testing
      yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
      reboot
      

      Versions:

      • xen-*: 4.13.4-9.27.1.xcpng8.2

      What to test

      Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

      Test window before official release of the updates

      ~2 days.

      posted in News
      gduperrey
    • RE: Updates announcements and testing

      The update is published. Thanks for your tests!

      Blog post: https://xcp-ng.org/blog/2022/10/14/october-2022-security-update/

      posted in News
      gduperrey
    • RE: Updates announcements and testing

      New security update candidates (xen, linux-firmware, edk2, xapi)

      Xen and XAPI are being updated to mitigate some vulnerabilities:

      • XSA-410: Two privileged users in two guest VMs, in collaboration, can crash the host or make it unresponsive.
      • XSA-411: Correct a flaw in XSA-226 that allows DoS attacks from guest kernels to harm the whole system.
      • XSA-413: The management service on the host can become unresponsive or crash by the means of an unauthenticated user on the management network.

      In this release, there are also the following fixes and improvements:

      • XAPI, issues resolved:

        • When you had an active VIF connected on dom0, you couldn't delete that VIF or the associated network, including VLAN.
        • When certificates contain the \r character, the xe host-get-server-certificate command can incorrectly output it.
      • xen, linux-firmware, edk2:

        • Issues resolved:
          • Sometimes a VM freezes when a graphics-intensive application runs
          • Sometimes guest UEFI firmware hangs
        • Improvements:
          • AMD microcode is updated to version 2022-09-30
          • Improvements to Xen diagnostics.

      Test on XCP-ng 8.2

      From an up to date host:

      yum clean metadata --enablerepo=xcp-ng-testing
      yum update edk2 linux-firmware xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools forkexecd message-switch xapi-core xapi-tests xapi-xe xcp-rrdd xenopsd xenopsd-cli xenopsd-xc --enablerepo=xcp-ng-testing
      reboot
      

      Versions:

      • edk2-20180522git4b8552d-1.4.6.xcpng8.2
      • linux-firmware-20190314-5.xcpng8.2
      • xen-*: 4.13.4-9.26.1.xcpng8.2
      • forkexecd-1.18.1-1.1.xcpng8.2
      • message-switch-1.23.2-3.2.xcpng8.2
      • xapi-*: 1.249.26-2.1.xcpng8.2
      • xcp-rrdd-1.33.0-6.1.xcpng8.2
      • xenopsd-*: 0.150.12-1.2.xcpng8.2

      What to test

      Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

      Test window before official release of the updates

      ~2 days.

      posted in News
      gduperrey
    • RE: Updates announcements and testing

      The update is published. Thanks for your tests!

      Blog post: https://xcp-ng.org/blog/2022/10/05/october-2022-maintenance-update/

      posted in News
      gduperrey
    • RE: Updates announcements and testing

      Update released. Thanks everyone for testing!

      https://xcp-ng.org/blog/2022/05/16/may-2022-security-update/

      posted in News
      gduperrey
    • RE: Updates announcements and testing

      New update candidates (xen, microcode_ctl)

      In this release, there are the following fixes and improvements:

      • xen, microcode_ctl:
        • Issues resolved: Minor bug fixes.
        • Improvements: Intel microcode is updated to version IPU 2022.3.

      Test on XCP-ng 8.2

      From an up to date host:

      yum clean metadata --enablerepo=xcp-ng-testing
      yum update microcode_ctl xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
      reboot
      

      Versions:

      • xen-*: 4.13.4-9.28.1.xcpng8.2
      • microcode_ctl: 2:2.1-26.xs23.xcpng8.2

      What to test

      Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

      Test window before official release of the updates

      No precise ETA, but the sooner the feedback the better.

      posted in News
      gduperrey
    • RE: Updates announcements and testing

      New maintenance update candidate (openvswitch, qemu, xen, microcode, xapi, Guest tools...)

      Several package updates that we had queued for a future update are ready for you to test them. Some of them were already submitted to you earlier in this thread, and others are new.

      The complete list is detailed again in this message.

      • xs-openssl:

        • was rebuilt without compression support. Although compression was not offered by default and the clients that connect to port 443 of XCP-ng hosts don't enable compression by default, it's better security-wise not to support it at all (due to CRIME), and this will make security scanners happier.
        • received a patch from RHEL 8's openssl which fixes a potential denial of service: "CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates"
      • xcp-ng-xapi-plugins received a few fixes:

        • Avoid accidentally installing updates from repositories that users may have enabled on XCP-ng (even if they should never do this), when using the updater plugin (Xen Orchestra uses it to install updates).
        • In the updater plugin again, error handling was broken: whenever an error would occur (such as a network issue preventing the updates from being installed), another error would be raised from the error handler, and thus mask the actual reason for the initial error. That's what happens when you write command with 3 m 😅.
      • blktap:

        • received a fix backported from one of Citrix Hypervisor's hotfixes, which addresses a possible segmentation fault if you create a lot of snapshots at the same time.
      • sm ("Storage Manager", responsible for the SMAPIv1 storage management layer) received a few fixes:

        • We fixed an issue with local ISO SRs and mountpoints: creating a local ISO SR on a directory that is a mountpoint for another filesystem would unmount it. The patch was not accepted upstream because it touches legacy code that Citrix won't support, according to the developer who answered, but we considered it safe and useful enough to apply it to XCP-ng anyway.
        • The (experimental) MooseFS driver will now default to creating a subdirectory in the mounted directory, to avoid collision between several SRs using the same share.
        • The update also includes the following fix from one of Citrix Hypervisor's hotfixes: CA-352880: when deleting an HBA SR remove the kernel devices
        • Two other fixes which are hard to explain in user terms but typically don't affect the majority of users.
      • xen, microcode_ctl:

        • Update the Intel microcode for IPU 2022.2
        • AMD IOMMU fix
        • Fix other issues like slow boot when VGA is enabled
      • Openvswitch:

        • Open vSwitch ignores the bond_updelay setting for LACP bonds.
        • Some packets might be dropped by a link after LACP renegotiation completes, but before bond updelay completes.
        • The openvswitch logrotate script outputs spurious error messages into dead.letter.
      • qemu:

        • If you add SR-IOV to a VM with GPU-Passthrough enabled, the VM doesn't boot.
      • XAPI:

        • Add the other-config:ethtool-advertise option to the network commands. This option sets the speed and duplex of a NIC as advertised by the auto-negotiation process.
        • Resolve other issues
      • XCP-ng Guests tools

        • Integrate the latest changes from upstream
        • Change the network interface to support the latest releases with enX interfaces
        • Support RHEL 9, AlmaLinux 9, Rocky Linux 9, CentOS Stream 9...
        • In the RPMs, switch the service to systemd by default and provide legacy RPMs for older systems with simply chkconfig. Not done yet for DEB packages.

      Test on XCP-ng 8.2

      From an up to date host:

      yum clean metadata --enablerepo=xcp-ng-testing
      yum update blktap forkexecd gpumon sm sm-cli sm-rawhba xcp-ng-xapi-plugins xs-openssl-libs xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools microcode_ctl openvswitch qemu rrd2csv rrdd-plugins squeezed vhd-tool xenopsd xapi-core xapi-tests xapi-xe varstored-guard xcp-networkd xcp-ng-pv-tools xapi-nbd xapi-storage-script xcp-rrdd xenopsd-cli xenopsd-xc --enablerepo=xcp-ng-testing
      reboot
      

      Versions:

      • blktap-3.37.4-1.0.1.xcpng8.2
      • forkexecd-1.18.0-3.2.xcpng8.2
      • gpumon-0.18.0-4.2.xcpng8.2
      • sm-2.30.7-1.3.xcpng8.2
      • sm-cli-0.23.0-7.xcpng8.2
      • sm-rawhba-2.30.7-1.3.xcpng8.2
      • xcp-ng-xapi-plugins-1.7.2-1.xcpng8.2
      • xs-openssl-libs-1.1.1k-5.1.xcpng8.2
      • xen-dom0-libs-4.13.4-9.25.1.xcpng8.2
      • xen-dom0-tools-4.13.4-9.25.1.xcpng8.2
      • xen-hypervisor-4.13.4-9.25.1.xcpng8.2
      • xen-libs-4.13.4-9.25.1.xcpng8.2
      • xen-tools-4.13.4-9.25.1.xcpng8.2
      • microcode_ctl-2.1-26.xs22.xcpng8.2
      • openvswitch-2.5.3-2.3.12.1.xcpng8.2
      • qemu-4.2.1-4.6.2.1.xcpng8.2
      • rrd2csv-1.2.5-7.1.xcpng8.2
      • rrdd-plugins-1.10.8-5.1.xcpng8.2
      • squeezed-0.27.0-5.xcpng8.2
      • vhd-tool-0.43.0-4.1.xcpng8.2
      • xenopsd-0.150.12-1.1.xcpng8.2
      • xapi-core-1.249.25-2.1.xcpng8.2
      • xapi-tests-1.249.25-2.1.xcpng8.2
      • xapi-xe-1.249.25-2.1.xcpng8.2
      • varstored-guard-0.6.2-1.xcpng8.2
      • xcp-networkd-0.56.2-1.xcpng8.2
      • xcp-ng-pv-tools-8.2.0-11.xcpng8.2
      • xapi-nbd-1.11.0-3.2.xcpng8.2
      • xapi-storage-script-0.34.1-2.1.xcpng8.2
      • xcp-rrdd-1.33.0-5.1.xcpng8.2
      • xenopsd-cli-0.150.12-1.1.xcpng8.2
      • xenopsd-xc-0.150.12-1.1.xcpng8.2

      What to test

      Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

      We also ask you to give special attention to the updated guest tools for Linux. We tested them on a large variety of Linux systems, but we can't cover every special case in our tests, so your help is more than welcome.

      The installation instructions for the tools did not change: see https://xcp-ng.org/docs/guests.html#install-from-the-guest-tools-iso.

      /!\ The only tools that were updated are those provided by XCP-ng through the guest tools ISOs. Tools provided by packages in the repositories of various Linux distributions are not maintained directly by us.

      Test window before official release of the updates

      No precise ETA, but the sooner the feedback the better.

      posted in News
      gduperrey
    • RE: Updates announcements and testing

      The update is published. Thanks for your tests!
      Blog post: https://xcp-ng.org/blog/2022/07/15/retbleed-security-patch/

      posted in News
      gduperrey
    • RE: Updates announcements and testing

      New security update (xen, Intel and AMD CPUs)

      Xen is being updated to mitigate hardware vulnerabilities in Intel and AMD CPUs.

      • Upstream (Xen project) advisory: XSA-407
      • Citrix Hypervisor Security Bulletin: https://support.citrix.com/article/CTX461397/citrix-hypervisor-security-bulletin-for-cve202223816-and-cve202223825

      Impact of the vulnerabilities - RETbleed is a speculative execution attack on x86-64 processors, including some recent Intel and AMD chips. You can read the original paper from Computer Security Group at this address: https://comsec.ethz.ch/research/microarch/retbleed/

      Test on XCP-ng 8.2

      From an up to date host:

      yum clean metadata --enablerepo=xcp-ng-testing
      yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
      reboot
      

      Versions:

      • xen-*: 4.13.4-9.24.1.xcpng8.2

      What to test

      Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

      Test window before official release of the updates

      ~2 days.

      posted in News
      gduperrey

    Latest posts made by gduperrey

    • RE: Updates announcements and testing

      New Security Update Candidates (Xen)

      Xen is being updated to mitigate some vulnerabilities:

      • XSA-427: "Guests running in shadow mode and being subject to migration or snapshotting may be able to cause Denial of Service and other problems, including escalation of privilege". This vulnerability concerns old platforms (Nehalem/Bulldozer families and older) which do not have Hardware Assisted Paging facilities (EPT/NPT), or modern platforms where this extension is disabled by the firmware or the system software. This also concerns PV guests, which are not officially supported anymore in XCP-ng.

      • XSA-428: "Entities controlling HVM guests can run the host out of resources or stall execution of a physical CPU for effectively unbounded periods of time, resulting in a Denial of Service (DoS) affecting the entire host. Crashes, information leaks, or elevation of privilege cannot be ruled out".
        On the platforms managed by XCP-ng software, with regard to this vulnerability, we would rather talk of "reduction in defence in depth", as the only entity controlling HVM guests is trusted software (QEMU) running in a trusted domain (dom0).

      • XSA-429: The patch completes the original Spectre/Meltdown mitigation work (XSA-254). A malicious PV guest might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. Only AMD and Hygon CPUs which offer SMEP/SMAP facilities are affected. Although PV guests are not officially supported in XCP-ng, we also included a fix for this vulnerability.

      Components are also updated to add bugfixes and enhancements:

      • Xen
        • Update to Xen 4.13.5
        • Initial Sapphire Rapids support
        • Fix memory corruption issues in the OCaml bindings.
        • On xenstored live update, validate the config file before launching into the new xenstored

      Test on XCP-ng 8.2

      From an up to date host:

      yum clean metadata --enablerepo=xcp-ng-testing
      yum update "xen-*" --enablerepo=xcp-ng-testing
      reboot
      

      Versions:

      • xen-*: 4.13.5-9.30.3.xcpng8.2

      What to test

      Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

      Test window before official release of the updates

      ~2 days.

      posted in News
      gduperrey
    • RE: Updates announcements and testing

      @rjt
      These rpms come from the same source rpm and, therefore, from the same SPEC file. So when we build it for changes, the Windows one is built too, even if there is no change on the Windows side.
      On this revision, we only add new templates for RHEL 9, AlmaLinux 9, Rocky Linux 9, CentOS Stream 8 and 9, and Oracle Linux 9.
      There weren't any changes to the Windows templates.

      posted in News
      gduperrey
    • RE: New patch - sudo

      As far as I know, there is no need to restart the server when updating only sudo.

      This update covers the recent security flaw: CVE-2023-22809.

      A post will come soon in the update topic about it.

      posted in News
      gduperrey
    • RE: Updates announcements and testing

      New Update Candidates (xen, xapi, templates)

      • Xen: Enable AVX-512 by default for EPYC Zen4 (Genoa)
      • Xapi: Redirect http requests on the host webpage to https by default.
      • Guest templates:
        • Add the following templates: RHEL 9, AlmaLinux 9, Rocky Linux 9, CentOS Stream 8 & 9, Oracle Linux 9

      Test on XCP-ng 8.2

      From an up to date host:

      For Xen, Xapi and Guest templates:

      yum clean metadata --enablerepo=xcp-ng-testing
      yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools xapi-core xapi-tests xapi-xe guest-templates-json guest-templates-json-data-linux guest-templates-json-data-other guest-templates-json-data-windows --enablerepo=xcp-ng-testing
      reboot
      

      Versions:

      • xen-*: 4.13.4-9.29.1.xcpng8.2
      • xapi-*: 1.249.26-2.2.xcpng8.2
      • guest-templates-json-*: 1.9.6-1.2.xcpng8.2

      What to test

      Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

      Test window before official release of the updates

      No precise ETA, but the sooner the feedback the better.

      posted in News
      gduperrey