The update is published. Thanks for your tests!
Blog post: https://xcp-ng.org/blog/2022/11/04/november-2022-security-update/
Best posts made by gduperrey
-
RE: Updates announcements and testing
New security update candidates (xen)
Xen is being updated to mitigate some vulnerabilities:
- XSA-326: Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored.
- XSA-419: Xenstore: Cooperating guests can create arbitrary numbers of nodes
- XSA-414: A malicious guest can cause xenstored to crash, resulting in the inability to create new guests or to change the configuration of running guests.
- XSA-415: Xenstore: Guests can create orphaned Xenstore nodes
- XSA-416: Xenstore: Guests can cause Xenstore to not free temporary memory
- XSA-417: Xenstore: Guests can get access to Xenstore nodes of deleted domains
- XSA-418: Xenstore: Guests can crash xenstored via exhausting the stack
- XSA-420: Oxenstored 32->31 bit integer truncation issues. A malicious or buggy guest can write a packet into the xenstore ring which causes 32-bit builds of oxenstored to busy loop.
- XSA-421: Xenstore: Guests can create arbitrary number of nodes via transactions
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
reboot
Versions:
- xen-*: 4.13.4-9.27.1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
-
RE: Updates announcements and testing
The update is published. Thanks for your tests!
Blog post: https://xcp-ng.org/blog/2022/10/14/october-2022-security-update/
-
RE: Updates announcements and testing
New security update candidates (xen, linux-firmware, edk2, xapi)
Xen and XAPI are being updated to mitigate some vulnerabilities:
- XSA-410: Two privileged users in two guest VMs, in collaboration, can crash the host or make it unresponsive.
- XSA-411: Correct a flaw in XSA-226 that allows DoS attacks from guest kernels to harm the whole system.
- XSA-413: The management service on the host can become unresponsive or crash by the means of an unauthenticated user on the management network.
In this release, there are also the following fixes and improvements:
- XAPI, issues resolved:
  - When you had an active VIF connected on dom0, you couldn't delete that VIF or the associated network, including VLAN.
  - When certificates contain the \r character, the xe host-get-server-certificate command can incorrectly output it.
- xen, linux-firmware, edk2:
  - Issues resolved:
    - Sometimes a VM freezes when a graphics-intensive application runs
    - Sometimes guest UEFI firmware hangs
  - Improvements:
    - AMD microcode is updated to version 2022-09-30
    - Improvements to Xen diagnostics.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update edk2 linux-firmware xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools forkexecd message-switch xapi-core xapi-tests xapi-xe xcp-rrdd xenopsd xenopsd-cli xenopsd-xc --enablerepo=xcp-ng-testing
reboot
Versions:
- edk2-20180522git4b8552d-1.4.6.xcpng8.2
- linux-firmware-20190314-5.xcpng8.2
- xen-*: 4.13.4-9.26.1.xcpng8.2
- forkexecd-1.18.1-1.1.xcpng8.2
- message-switch-1.23.2-3.2.xcpng8.2
- xapi-*: 1.249.26-2.1.xcpng8.2
- xcp-rrdd-1.33.0-6.1.xcpng8.2
- xenopsd-*: 0.150.12-1.2.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
-
RE: Updates announcements and testing
The update is published. Thanks for your tests!
Blog post: https://xcp-ng.org/blog/2022/10/05/october-2022-maintenance-update/
-
RE: Updates announcements and testing
Update released. Thanks everyone for testing!
https://xcp-ng.org/blog/2022/05/16/may-2022-security-update/
-
RE: Updates announcements and testing
The updates have been published; thank you for testing them out.
https://xcp-ng.org/blog/2024/03/29/march-2024-maintenance-update/
-
RE: Updates announcements and testing
New update candidates for you to test!
As you may know, we group non-urgent updates together for a collective release, in order not to cause unnecessary maintenance for our users.
The moment to release such a batch has come, so here they are, ready for user tests before the final release.
openvswitch:
- CVE-2023-1668: Correct a flaw when processing an IP packet with protocol 0.
- CVE-2023-5366: Apply the patch for OpenFlow and neighbor discovery target with IPv6
- CVE-2023-3966: Correct a vulnerability with "crafted Geneve packets causing invalid memory accesses and potential denial of service".
blktap:
- Synced with XS82ECU1056:
  - Bugfix for time out on NFS tasks which can sometimes exceed the configured value.
  - Improve the error handling for some lost iSCSI connections.
sm:
- Support NFS servers which only offer NFSv4. The discovery process for such servers differs from that of servers which also offer NFSv3, so the SR driver had to be improved.
- Synced with XS82ECU1056: bugfix on the path checker for DELL EqualLogic with iSCSI protocol
- Synced with XS82ECU1060: bugfix for when a host is unable to log into all iSCSI portals because there are separate independent Target Portal Groups inside the IQN.
util-linux: preparatory steps to support 4k-only disks.
xapi: Bugfix in a testing framework.
xcp-ng-pv-tools: Small fixes regarding VM stats reporting.
xcp-ng-xapi-plugins: Add check_installed function in updater plugin to test installed packages. This is a prerequisite for the upcoming XOSTOR release.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing blktap openvswitch sm-* util-linux xapi-* xcp-ng-pv-tools xcp-ng-xapi-plugins
reboot
The usual update rules apply: pool coordinator first, etc.
Versions
- blktap: 3.37.4-3.1.xcpng8.2
- openvswitch: 2.5.3-2.3.12.2.xcpng8.2
- sm: 2.30.8-10.1.xcpng8.2
- util-linux: 2.23.2-52.1.xcpng8.2
- xapi: 1.249.32-2.2.xcpng8.2
- xcp-ng-pv-tools: 8.2.0-12.xcpng8.2
- xcp-ng-xapi-plugins: 1.10.0-1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~1 week.
-
RE: XCP-ng 8.3 beta
A new version of xo-lite for XCP-ng 8.3 has been released:
Version:
xo-lite-0.2.0-1.xcpng8.3
You can update it like this:
yum update xo-lite
For more information about the changes between version 0.1.3 and 0.2.0, you can consult this link: https://github.com/vatesfr/xen-orchestra/blob/master/%40xen-orchestra/lite/CHANGELOG.md
-
RE: Updates announcements and testing
New Security Update Candidates (Xen)
Xen is being updated to mitigate some vulnerabilities:
- XSA-439: CVE-2023-20588. On AMD Zen1 CPUs, "an attacker might be able to infer data from a different execution context on the same CPU core."
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" --enablerepo=xcp-ng-testing
reboot
Version:
- xen: 4.13.5-9.36.2.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
-
RE: Updates announcements and testing
Update published. Thanks for the tests!
https://xcp-ng.org/blog/2023/08/14/august-2023-security-update/
-
RE: Updates announcements and testing
New Security Update Candidates (kernel, Xen, linux-firmware, microcode_ctl, XAPI...)
Xen is being updated to mitigate some vulnerabilities:
- XSA-432: CVE-2023-34319. Under Linux, a buffer overrun in netback can be triggered due to unusual packets. This behavior was due to the fix of XSA-423, which didn't account for an extreme case of an entire packet being split into as many pieces as permitted by the protocol and still being smaller than the area that's dealt with to keep all headers together. It is possible to crash a host from a VM, with malicious and privileged code.
- XSA-434: CVE-2023-20569. Researchers from ETH Zurich have extended their prior research (XSA-422, Branch Type Confusion, a.k.a. Retbleed) and have discovered INCEPTION, also known as RAS (Return Address Stack) Poisoning, and Speculative Return Stack Overflow. An attacker might be able to infer the contents of memory belonging to other guests.
- XSA-435: CVE-2022-40982. A security issue in certain Intel CPUs may allow an attacker to infer data from different contexts on the same core.
Components are also updated to add bugfixes and enhancements:
- guest-templates-json: Added Debian 12 Bookworm
- XAPI:
  - Several hotfixes and improvements from XS82ECU1033
  - From XS82ECU1045: significant performance improvements on a set of CPU features for servers with Cascade Lake or later Intel CPUs.
- microcode_ctl: Update to IPU 2023.3
- linux-firmware: Expose additional features for Intel CPUs, especially for Cascade Lake or later Intel CPUs. Updated to latest AMD firmware for processor family 19h.
- Xen: Expose MSR_ARCH_CAPS to guests on all Intel hardware by default.
- blktap, nbd: An update of the packages for Xostor.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" microcode_ctl linux-firmware kernel forkexecd gpumon message-switch "ocaml-*" rrd2csv rrdd-plugins sm-cli squeezed varstored-guard vhd-tool wsproxy "xapi-*" xcp-networkd xcp-rrdd "xenopsd*" xs-opam-repo "guest-templates-*" blktap xcp-ng-linstor nbd tzdata grub* lldpad xcp-ng-xapi-plugins --enablerepo=xcp-ng-testing
reboot
Version:
- forkexecd: 1.18.3-2.1.xcpng8.2
- gpumon: 0.18.0-10.1.xcpng8.2
- kernel: 4.19.19-7.0.17.1.xcpng8.2
- linux-firmware: 20190314-9.1.xcpng8.2
- message-switch: 1.23.2-9.1.xcpng8.2
- microcode_ctl: 2.1-26.xs26.1.xcpng8.2
- ocaml-rrd-transport: 1.16.1-7.1.xcpng8.2
- ocaml-rrdd-plugin: 1.9.1-7.1.xcpng8.2
- ocaml-tapctl: 1.5.1-7.1.xcpng8.2
- ocaml-xcp-idl: 1.96.5-1.1.xcpng8.2
- ocaml-xen-api-client: 1.9.0-10.1.xcpng8.2
- ocaml-xen-api-libs-transitional: 2.25.5-4.1.xcpng8.2
- rrd2csv: 1.2.6-7.1.xcpng8.2
- rrdd-plugins: 1.10.9-4.1.xcpng8.2
- sm-cli: 0.23.0-53.1.xcpng8.2
- squeezed: 0.27.0-10.1.xcpng8.2
- varstored-guard: 0.6.2-7.xcpng8.2
- vhd-tool: 0.43.0-10.1.xcpng8.2
- wsproxy: 1.12.0-11.xcpng8.2
- xapi: 1.249.32-1.1.xcpng8.2
- xapi-nbd: 1.11.0-9.1.xcpng8.2
- xapi-storage: 11.19.0_sxm2-9.xcpng8.2
- xapi-storage-script: 0.34.1-8.1.xcpng8.2
- xcp-networkd: 0.56.2-7.xcpng8.2
- xcp-rrdd: 1.33.2-6.1.xcpng8.2
- xen: 4.13.5-9.36.1.xcpng8.2
- xenopsd: 0.150.17-1.1.xcpng8.2
- xs-opam-repo: 6.35.11-1.xcpng8.2
- guest-templates-json: 1.9.6-1.3.xcpng8.2
- blktap: 3.37.4-1.0.2.xcpng8.2
- tzdata: 2022a-1.el7
- xcp-ng-linstor: 1.1-3.xcpng8.2
- nbd: 3.24-1.xcpng8.2
- grub: 2.02-3.2.0.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
-
RE: Updates announcements and testing
Hello,
Yes, these patches will become available in XCP-ng. We're working on it to release as soon as possible. We'd like to release them this week, so we do everything we can for that.
There will be a post here for the tests and for the final release.
-
RE: Updates announcements and testing
Update published. Thanks for the tests!
https://xcp-ng.org/blog/2023/08/04/erratum-july-2023-security-update-zenbleed/
-
RE: Updates announcements and testing
New Security Update Candidates (Xen and AMD CPUs)
Xen is being updated to mitigate hardware vulnerabilities in AMD CPUs.
- Upstream (Xen project) advisory: XSA-433
This issue affects systems running AMD Zen 2 CPUs. Under specific microarchitectural circumstances, it may allow an attacker to potentially access sensitive information.
Components are also updated to add bugfixes and enhancements:
- Xen:
  - Now, MPX feature is disabled by default. Cross-pool migration and upgrade will be simplified as VMs can migrate more easily from pools with Intel SkyLake, CascadeLake, or CooperLake hardware to pools with later Intel hardware (such as IceLake). A reboot is necessary after updating to benefit from this feature.
  - Improvements to latency with a limit on the scheduler loadbalancing. This improves performance on large systems with high CPU utilization.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" linux-firmware --enablerepo=xcp-ng-testing
reboot
Versions:
- xen-*: 4.13.5-9.34.1.xcpng8.2
- linux-firmware: 20190314-8.1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
-
RE: Updates announcements and testing
New update candidates (xen, microcode_ctl)
In this release, there are the following fixes and improvements:
- xen, microcode_ctl:
- Issues resolved: Minor bug fixes.
- Improvements: Intel microcode is updated to version IPU 2022.3.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update microcode_ctl xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
reboot
Versions:
- xen-*: 4.13.4-9.28.1.xcpng8.2
- microcode_ctl: 2:2.1-26.xs23.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
No precise ETA, but the sooner the feedback the better.
-
RE: Updates announcements and testing
New maintenance update candidate (openvswitch, qemu, xen, microcode, xapi, Guest tools...)
Several package updates that we had queued for a future update are ready for you to test them. Some of them were already submitted to you earlier in this thread, and others are new.
The complete list is detailed again in this message.
- xs-openssl:
  - was rebuilt without compression support. Although compression was not offered by default and the clients that connect to port 443 of XCP-ng hosts don't enable compression by default, it's better security-wise not to support it at all (due to CRIME), and this will make security scanners happier.
  - received a patch from RHEL 8's openssl which fixes a potential denial of service: "CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates"
- xcp-ng-xapi-plugins received a few fixes:
  - Avoid accidentally installing updates from repositories that users may have enabled on XCP-ng (even if they should never do this), when using the updater plugin (Xen Orchestra uses it to install updates).
  - In the updater plugin again, error handling was broken: whenever an error would occur (such as a network issue preventing the updates from being installed), another error would be raised from the error handler, and thus mask the actual reason for the initial error. That's what happens when you write command with 3 m.
- blktap:
  - received a fix backported from one of Citrix Hypervisor's hotfixes, which addresses a possible segmentation fault if you create a lot of snapshots at the same time.
- sm ("Storage Manager", responsible for the SMAPIv1 storage management layer) received a few fixes:
  - We fixed an issue with local ISO SRs and mountpoints: creating a local ISO SR on a directory that is a mountpoint for another filesystem would unmount it. The patch was not accepted upstream because it touches legacy code that Citrix won't support, according to the developer who answered, but we considered it safe and useful enough to apply it to XCP-ng anyway.
  - The (experimental) MooseFS driver will now default to creating a subdirectory in the mounted directory, to avoid collisions between several SRs using the same share.
  - The update also includes the following fix from one of Citrix Hypervisor's hotfixes: CA-352880: when deleting an HBA SR remove the kernel devices
  - Two other fixes which are hard to explain in user terms but typically don't affect the majority of users.
- xen, microcode_ctl:
  - Update the Intel microcode for IPU 2022.2
  - AMD IOMMU fix
  - Fix other issues like slow boot when VGA is enabled
- Openvswitch:
  - Open vSwitch ignores the bond_updelay setting for LACP bonds.
  - Some packets might be dropped by a link after LACP renegotiation completes, but before bond updelay completes.
  - The openvswitch logrotate script outputs spurious error messages into dead.letter.
- qemu:
  - If you add SR-IOV to a VM with GPU-Passthrough enabled, the VM doesn't boot.
- XAPI:
  - Add the other-config:ethtool-advertise option to the network commands. This option sets the speed and duplex of a NIC as advertised by the auto-negotiation process.
  - Resolve other issues
- XCP-ng Guest tools:
  - Integrate the latest changes from upstream
  - Change the network interface handling to support recent releases with enX interfaces
  - Support RHEL 9, AlmaLinux 9, Rocky Linux 9, CentOS Stream 9...
  - In the RPMs, switch the service to systemd by default and provide legacy RPMs for older systems with simply chkconfig. Not done yet for DEB packages.
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update blktap forkexecd gpumon sm sm-cli sm-rawhba xcp-ng-xapi-plugins xs-openssl-libs xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools microcode_ctl openvswitch qemu rrd2csv rrdd-plugins squeezed vhd-tool xenopsd xapi-core xapi-tests xapi-xe varstored-guard xcp-networkd xcp-ng-pv-tools xapi-nbd xapi-storage-script xcp-rrdd xenopsd-cli xenopsd-xc --enablerepo=xcp-ng-testing
reboot
Versions:
- blktap-3.37.4-1.0.1.xcpng8.2
- forkexecd-1.18.0-3.2.xcpng8.2
- gpumon-0.18.0-4.2.xcpng8.2
- sm-2.30.7-1.3.xcpng8.2
- sm-cli-0.23.0-7.xcpng8.2
- sm-rawhba-2.30.7-1.3.xcpng8.2
- xcp-ng-xapi-plugins-1.7.2-1.xcpng8.2
- xs-openssl-libs-1.1.1k-5.1.xcpng8.2
- xen-dom0-libs-4.13.4-9.25.1.xcpng8.2
- xen-dom0-tools-4.13.4-9.25.1.xcpng8.2
- xen-hypervisor-4.13.4-9.25.1.xcpng8.2
- xen-libs-4.13.4-9.25.1.xcpng8.2
- xen-tools-4.13.4-9.25.1.xcpng8.2
- microcode_ctl-2.1-26.xs22.xcpng8.2
- openvswitch-2.5.3-2.3.12.1.xcpng8.2
- qemu-4.2.1-4.6.2.1.xcpng8.2
- rrd2csv-1.2.5-7.1.xcpng8.2
- rrdd-plugins-1.10.8-5.1.xcpng8.2
- squeezed-0.27.0-5.xcpng8.2
- vhd-tool-0.43.0-4.1.xcpng8.2
- xenopsd-0.150.12-1.1.xcpng8.2
- xapi-core-1.249.25-2.1.xcpng8.2
- xapi-tests-1.249.25-2.1.xcpng8.2
- xapi-xe-1.249.25-2.1.xcpng8.2
- varstored-guard-0.6.2-1.xcpng8.2
- xcp-networkd-0.56.2-1.xcpng8.2
- xcp-ng-pv-tools-8.2.0-11.xcpng8.2
- xapi-nbd-1.11.0-3.2.xcpng8.2
- xapi-storage-script-0.34.1-2.1.xcpng8.2
- xcp-rrdd-1.33.0-5.1.xcpng8.2
- xenopsd-cli-0.150.12-1.1.xcpng8.2
- xenopsd-xc-0.150.12-1.1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
We also ask you to give special attention to the updated guest tools for Linux. We tested them on a large variety of Linux systems, but we can't cover every special case in our tests, so your help is more than welcome.
The installation instructions for the tools did not change: see https://xcp-ng.org/docs/guests.html#install-from-the-guest-tools-iso.
/!\ The only tools that were updated are those provided by XCP-ng through the guest tools ISOs. Tools provided by packages in the repositories of various Linux distributions are not maintained directly by us.
Test window before official release of the updates
No precise ETA, but the sooner the feedback the better.
-
RE: Updates announcements and testing
The update is published. Thanks for your tests!
Blog post: https://xcp-ng.org/blog/2022/07/15/retbleed-security-patch/
-
RE: Updates announcements and testing
New security update (xen, Intel and AMD CPUs)
Xen is being updated to mitigate hardware vulnerabilities in Intel and AMD CPUs.
- Upstream (Xen project) advisory: XSA-407
- Citrix Hypervisor Security Bulletin: https://support.citrix.com/article/CTX461397/citrix-hypervisor-security-bulletin-for-cve202223816-and-cve202223825
Impact of the vulnerabilities
- RETbleed is a speculative execution attack on x86-64 processors, including some recent Intel and AMD chips. You can read the original paper from the Computer Security Group at this address: https://comsec.ethz.ch/research/microarch/retbleed/
Test on XCP-ng 8.2
From an up to date host:
yum clean metadata --enablerepo=xcp-ng-testing
yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
reboot
Versions:
- xen-*: 4.13.4-9.24.1.xcpng8.2
What to test
Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.
Test window before official release of the updates
~2 days.
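As an added example (not part of this post and not XCP-ng's own tooling), here is a POSIX shell check a tester can run after the update and reboot: it compares the package versions a host reports against the candidate versions announced above. It assumes rpm's NAME-VERSION-RELEASE output format and uses a constructed rpm -qa listing so it runs offline.

```shell
#!/bin/sh
# Added example: verify that installed packages match the announced
# candidate versions. On a real host, replace the constructed INSTALLED
# listing below with:  rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'

# Expected versions for this candidate (xen-*: 4.13.4-9.24.1.xcpng8.2),
# expanded to the five packages named in the yum update command.
EXPECTED='xen-dom0-libs 4.13.4-9.24.1.xcpng8.2
xen-dom0-tools 4.13.4-9.24.1.xcpng8.2
xen-hypervisor 4.13.4-9.24.1.xcpng8.2
xen-libs 4.13.4-9.24.1.xcpng8.2
xen-tools 4.13.4-9.24.1.xcpng8.2'

# Constructed "rpm -qa" output (not from a real host): xen-tools is left
# at an older build to show how a partially applied update is reported.
INSTALLED='xen-dom0-libs-4.13.4-9.24.1.xcpng8.2
xen-dom0-tools-4.13.4-9.24.1.xcpng8.2
xen-hypervisor-4.13.4-9.24.1.xcpng8.2
xen-libs-4.13.4-9.24.1.xcpng8.2
xen-tools-4.13.4-9.22.1.xcpng8.2
openvswitch-2.5.3-2.3.12.1.xcpng8.2'

# installed_version NAME: print VERSION-RELEASE of NAME, or nothing if absent.
# Package names themselves contain '-', so match the literal name followed
# by '-<digit>' instead of splitting the NVR string on '-'.
installed_version() {
    printf '%s\n' "$INSTALLED" | grep "^$1-[0-9]" | head -n 1 | sed "s/^$1-//"
}

# check_versions: one line per expected package (OK / MISMATCH / MISSING);
# returns 1 if any package is not at the announced version, 0 otherwise.
check_versions() {
    rc=0
    while read -r name want; do
        [ -n "$name" ] || continue
        have=$(installed_version "$name")
        if [ -z "$have" ]; then
            echo "MISSING   $name (expected $want)"
            rc=1
        elif [ "$have" = "$want" ]; then
            echo "OK        $name $have"
        else
            echo "MISMATCH  $name installed=$have expected=$want"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

check_versions || echo "some packages are not at the candidate version"
```

With the constructed listing the script reports four OK lines and one MISMATCH for xen-tools, which is exactly the situation where a test report should not say the candidate was tested.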
-
RE: XCP-ng 8.3 beta
A new version of xo-lite for XCP-ng 8.3 has been released:
Version:
xo-lite-0.2.1-1.xcpng8.3
You can update it like this:
yum update xo-lite
For more information about the changes between version 0.1.3 or 0.2.0 and 0.2.1, you can consult this link: https://github.com/vatesfr/xen-orchestra/blob/master/%40xen-orchestra/lite/CHANGELOG.md