RE: XCP-ng 8.2 updates announcements and testing

Updates published: https://xcp-ng.org/blog/2025/07/03/july-2025-security-and-maintenance-update-for-xcp-ng-8-2-lts/

Thank you for the tests!

Updates published: https://xcp-ng.org/blog/2025/07/03/july-2025-security-and-maintenance-update-for-xcp-ng-8-3-lts/

Thank you for the tests!

New security and maintenance update candidate

A new XSA (Xen Security Advisory) was published on the 1st of July, and an update to Xen addresses it. We also publish other non-urgent updates which we had in the pipe for the next release.

---

Security updates

• xen-*:
  • Fix XSA-470 - An unprivileged guest can cause a hypervisor crash, causing a Denial of Service (DoS) of the entire host.

Maintenance updates

• http-nbd-transfer: moved some logs into debug to reduce log spam
• sm:
  • XOSTOR: avoid a rare migration error when the GC would run on our migration snapshot
  • Use GC daemon code for LINSTOR like other drivers (no changes for users)
    This updated package is already included in the refreshed 8.3 installation ISOs.
• xapi:
  • Fix remote syslog configuration being broken on updates
  • Fix several RRD (stats collection) issues and make the plugins more robust:
    • Cap Derive values within a certain range without making them NaN
    • Use a computed delay time for RRD loop to prevent gaps in metrics collection
    • Avoid duplicating datasources on plugin restore
    • Protect against a resource leak in the plugins
    • Avoid running out of mmap-ed pages in xcp-rrdd-cpu for large numbers of domains
    • Prevent exceptions from escaping and introducing gaps into metrics collection
    • Avoid missing metrics from new and destroyed domains
  • Prevent xapi concurrent calls during migration from indirectly make each other fail (already fixed in the refreshed ISOs)
  • Fix a deadlock in xenopsd due to atom nesting (already fixed in the refreshed ISOs)
• xo-lite: update to 0.12.0
  • [VM/system] Display system information in vm/system tab
  • [Host/system] Display system view information in host/system tab
  • [Host/Dashboard] Fix color of tag list (PR #8731)
  • [Table] add pagination on table (PR #8573)
  • [Pool/system] Display pool information in pool/system tab (PR #8660)
  • [VM/Dashboard] Display VM information in dashboard tab (PR #8529)
  • [Tab/Network] Updated side panel in tab network behavior for mobile view (PR #8688)
  • [Stats] Fix graphs that were sometimes not displayed or displayed incorrectly (PR #8722)

Optional packages:

• Alternate Driver: Updated to newer version.
  • broadcom-bnxt-en-alt: Update to version 1.10.3_232.0.155.5

Test on XCP-ng 8.3

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions:

• http-nbd-transfer: 1.6.0-1.xcpng8.3
• sm: 3.2.12-3.2.xcpng8.3
• xapi: 25.6.0-1.9.xcpng8.3
• xen: 4.17.5-13.2.xcpng8.3
• xo-lite: 0.12.0-1.xcpng8.3

Optional packages:

• Alternate drivers:
  • broadcom-bnxt-en-alt: 1.10.3_232.0.155.5-1.xcpng8.3

What to test

Normal use and anything else you want to test.

Test window before official release of the updates

~2 days.

New security and maintenance update candidate

A new XSA (Xen Security Advisory) was published on the 1st of July, and an update to Xen addresses it. We also publish other non-urgent updates which we had in the pipe for the next release.

---

Security updates

• xen-*:
  • Fix XSA-470 - An unprivileged guest can cause a hypervisor crash, causing a Denial of Service (DoS) of the entire host.

Maintenance updates

• openssh: fix low priority CVE-2025-26465 DoS attack when VerifyHostKeyDNS is "yes" or "ask" (The Default value has not changed: "no")
• samba: fix low priority CVEs on client side.
• xcp-ng-release: this update adds a certificate to resolve a TLS handshake error, particularly when deploying xoa.io.

Test on XCP-ng 8.2

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions:

• openssh: 7.4p1-23.3.2.xcpng8.2
• samba: 4.10.16-25.el7_9
• xcp-ng-release: 8.2.1-16
• xen: 4.13.5-9.49.2.xcpng8.2

What to test

Normal use and anything else you want to test.

Test window before official release of the updates

~2 days.

@TrapoSAMA No, as with 8.2, this isn't something displayed in the console.
Since it doesn't indicate that an updated 8.2 is actually 8.2.1, only the major version is displayed. We have the same behavior here.

However, as with many other products, this is clearly displayed on the XCP-ng homepage, in addition to the announcement on the blog.

This will be three months after the official release of 8.3 LTS.

The release should take place in a few days when we release the ISO currently available for testing.

It's what is described in the "What to expect" part of the blogpost given above:

Guaranteed overlap period – There will be at least three months where both XCP-ng 8.2.1 and XCP-ng 8.3 LTS will be supported simultaneously, ensuring organizations can transition smoothly.

@ph7 As David mentioned, the security updates were released yesterday. They are no longer in the candidates repository, but in the updates repository.

Note that the updates in the testing repository have not yet been released. They include a more recent version of the XAPI. This could explain why you can no longer migrate this VHD between your test and production environments.

Are you trying to perform a live migration or with the VM powered off?

This is not an XO behavior, but rather a Xapi behavior, and therefore a XCP-ng behavior.

When you join a host to a pool, the administrator password for the joining host is automatically changed to match the administrator password of the pool master.

Source

From a security perspective, this isn't a risk, because when you run a command on any of the hosts in a pool, the master responds. So, as long as you're connected to a pool member, you have access to the entire pool via xe commands.

@HenrikSchmidt We don't currently offer regular ISO builds. The most recent ISOs are available.

The driver you're talking about is integrated into the kernel, and to my knowledge, there are no updates for it at the moment. @Andrew is currently working on an alternate driver package, but the PR seems to be waiting for his response.

This type of driver can be loaded at the beginning of the installation with an ISO by pressing F9 when the menu prompts. You can then load an additional driver for the installation, and install it on the future system later in the procedure when prompted.

As this is not an issue with the latest updates, I suggest you create a dedicated thread. This would give you better visibility and help from the community on this issue.

@AlexanderK CI/QA is our testing and integration environment. We run a number of tests to validate that XCP-ng works properly with these new versions, before making them available to our testers in the testing repository.

New update candidates for you to test!

As we move closer to making XCP-ng 8.3 the new LTS release, taking over from XCP-ng 8.2.1, a first batch of updates is now available for user testing ahead of a future collective release. Details are provided below.

• amd-microcode: Packaging and versioning update, but no actual changes in microcodes.
• blktap: Fixes.
• broadcom-bnxt-en: bug fix: "Backport patch to fix GSO type for HW GRO packets on 5750X chips"
• busybox: backport fixes for CVE-2018-20679 and others.
• gpumon: No major changes. Rebuild for dependency reasons.
• guest-templates-json: Add templates for Windows server 2025 and Ubuntu 24.04. Remove "preview" from a few template names.
• host-upgrade-plugin: Update to version 3.0.1 which transitions to python 3 and brings some fixes.
• intel-i40e: Update to version 2.25.11
• interface-rename: Sync with XenServer, but this only changes packaging details.
• ipxe: Rebuild.
• jemalloc: Updated to version 5.3.0.
• lvm2: Fixes.
• microsemi-smartpqi: Update to version 2.1.30_031
• ncurses: Updated to upstream 6.4-20240309 revision. Some minor improvements.
• net-snmp: Rebase on XenServer version 5.7.2-52, which incorporates fixes for CVE-2022-24805 and CVE-2022-24809
• openssh: fix CVE-2025-26465
• qemu: Rebuilt with new version of jemalloc.
• qlogic-qla2xxx: Update to version 10.02.12.01_k
• sm: (Storage manager):
  • Logging improvements
  • Minor fixes regarding race conditions
  • Robustify snapshots and a few XAPI calls
  • Send message to XAPI if the garbage collection process doesn't have enough space.
  • Multipath configuration updates for some vendors.
  • Preliminary work for future XOSTOR support and over 2TB VM disks.
• sm-core-libs: fixes.
• vmss: Synchronization with the latest package from XenServer, which replaces the use of a deprecated dependency (imp module) by another.
• xapi:
  • Update to version 24.39.1
  • Many fixes and improvements, among which:
• Improve logging during live storage migration
  • Lengthy VDI migrations were mistakenly canceled upon reaching a 12-hour time limit.
  • Faster starting VMs when they have multiple VIFs or in conditions where the database is under heavy load.
  • High availability occasionally fails to process heartbeats in time when there are a lot of hosts in a pool. Consequently, the host that is unable to process heartbeats is flagged as offline and self-fences.
  • IPv6-related fixes.
  • Configurable threshold for updating last_active
  • Many under the hood improvements or fixes.
  • Added python dependencies for opentelemetry support: pyproject-rpm-macros, python-aiocontextvars, python-charset-normalizer, python-contextvars, python-deprecated, python-idna, python-immutables, python-opentelemetry, python-requests, python-typing-extensions, python-urllib3, python-wheel, python-wrapt, python3-setuptools.
• xcp-ng-release:
  • Sync with xenserver-release-8.4.0-14. (XCP-ng release number remains 8.3.0)
  • Update dependencies between systemd services.
  • Enable new RRDD plugins
• xcp-python-libs: Sync with XenServer, but this only changes packaging details.
• xen: Synchronization with package 4.17.5-6 from XenServer:
  • Fix migration of VMs from XCP-ng 8.2 to XCP-ng 8.3 when the guest is using BHI_DIS_S
  • Initial AMD Turin support
  • Fix dom0 pIRQ limit calculation
  • Fix emulation of BMI1/2 instructions
• xenserver-status-report: Minor update to add scsi disk provisioning mode in the output from this debug tool.
• xo-lite: As described in Xen Orchestra's blog, added VM creation page and form and Display vifs list in vm view and vifs information in side panel
• xs-opam-repo: Update to version 6.86.0 as a dependency for xapi
• xsconsole: Improved xenapi error handling & reintroduced Portable SR feature

Test on XCP-ng 8.3

From an up-to-date host:

yum clean metadata --enablerepo=xcp-ng-testing
yum update --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions

• amd-microcode: 20241121-1.1.xcpng8.3
• blktap: 3.55.4-1.1.xcpng8.3
• broadcom-bnxt-en: 1.10.2_223.0.183.0-2.xcpng8.3
• busybox: 1.22.1-7.xcpng8.3
• gpumon: 24.1.0-32.1.xcpng8.3
• guest-templates-json: 2.0.13-1.1.xcpng8.3
• host-upgrade-plugin: 3.0.1-1.xcpng8.3
• intel-i40e: 2.25.11-2.xcpng8.3
• interface-rename: 2.0.6-1.1.xcpng8.3
• ipxe: 20121005-1.0.7.xcpng8.3
• jemalloc: 5.3.0-1.xcpng8.3
• lvm2: 2.02.180-18.1.xcpng8.3
• microsemi-smartpqi: 2.1.30_031-1.xcpng8.3
• ncurses: 6.4-5.20240309.xcpng8.3
• net-snmp: 5.7.2-52.1.xcpng8.3
• openssh: 7.4p1-23.3.2.xcpng8.3
• pyproject-rpm-macros: 1.8.0-4.1.xcpng8.3
• python-aiocontextvars: 0.2.2-3.1.xcpng8.3
• python-charset-normalizer: 2.1.0-4.1.xcpng8.3
• python-contextvars: 2.4-3.1.xcpng8.3
• python-deprecated: 1.2.14-3.1.xcpng8.3
• python-idna: 3.3-4.xcpng8.3
• python-immutables: 0.19-5.xcpng8.3
• python-opentelemetry: 1.12.0-1
• python-requests: 2.28.1-4.1.xcpng8.3
• python-typing-extensions: 3.7.4.3-4.xcpng8.3
• python-urllib3: 1.26.15-4.1.xcpng8.3
• python-wheel: 0.31.1-5.el7_7
• python-wrapt: 1.14.0-4.xcpng8.3
• python3-setuptools: 40.4.1-1.0.1.xcpng8.3
• qemu: 4.2.1-5.2.12.1.xcpng8.3
• qlogic-qla2xxx: 10.02.12.01_k-1.xcpng8.3
• sm: 3.2.12-3.1.xcpng8.3
• sm-core-libs: 1.1.2-1.xcpng8.3
• vmss: 1.2.1-1.xcpng8.3
• xapi: 24.39.1-1.3.xcpng8.3
• xcp-ng-release: 8.3.0-30
• xcp-python-libs: 3.0.4-2.1.xcpng8.3
• xen: 4.17.5-6.1.xcpng8.3
• xenserver-status-report: 2.0.7-1.xcpng8.3
• xo-lite: 0.9.1-1.xcpng8.3
• xs-opam-repo: 6.86.0-1.1.xcpng8.3
• xsconsole: 11.0.8-1.1.xcpng8.3

What to test

Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

Test window before official release of the updates

None defined, but early feedback is always better than late feedback, which is in turn better than no feedback

I think the XO team (@xen-orchestra) will be better able to answer this question

We encourage you to reply in the original thread and not to open new threads for the same issue: https://xcp-ng.org/forum/topic/10633/status-of-pvh

It will allow those trying to help you to have a complete history of the information.

This will be more effective in getting help and, therefore, a resolution

I just received their answer, and this behavior will be changed. The update will be available in a future release of Xen Orchestra.

Thanks for your feedback

I have just forwarded this question to the Xen Orchestra team so they can provide us with more information on this.

Have you seen this blog post?

https://xcp-ng.org/blog/2022/01/17/removing-support-for-32-bit-pv-guests/

There is a solution given in it in relation to this action.

@davx8342 vTPM is not available in 8.2. You will not be able to use this option there.

However, Xostor is coming very soon to XCP-ng 8.3, as we announced in this blog post: https://xcp-ng.org/blog/2025/03/14/the-future-of-xcp-ng-lts/

Probably within one or two months. Indeed, we are doing everything possible to offer XCP-ng 8.3 as LTS, with Xostor, as soon as possible.

Hello,

Having never used Packer or Terraform, I can't answer quickly. From my research, I haven't found anything yet related to vTPM.

I've just asked our DevOps team about this so they can bring us more information on it or record it as a future evolution.

You can enable vTPM from Xen Orchestra or directly from the command line via xe, in XCP-ng 8.3:

xe vtpm-create vm-uuid=<vm_uuid>

Several commands are also available for vTPM management:

vtpm-create - Create a VTPM associated with a VM vtpm-param-clear - Clears the specified parameter (param-name can be allowed operations)
vtpm-destroy - Destroy a VTPM vtpm-param-get - Gets the specified parameter of the object
vtpm-list - Lists all the vtpms, filtering on the optional arguments vtpm-param-list - Lists all the parameters of the object specified by the uuid

If you use a script to create your VMs, you should be able to enable vTPM immediately after creating them, before starting their installation.

@PNO3 There is currently no more up-to-date ISO.

We recommend simply updating from an XO or running a yum update from the command line and rebooting the host.

For more information on updates and how to perform them: https://docs.xcp-ng.org/management/updates/

You can also view informations on the latest updates on our blog: https://xcp-ng.org/blog/tag/update/

Update published: https://xcp-ng.org/blog/2025/03/12/march-2025-security-and-maintenance-update-for-xcp-ng-8-2-lts/

Thank you for the tests!