RE: XCP-ng 8.3 updates announcements and testing

New maintenance update candidates for XCP-ng 8.3 LTS

This release batch contains fixes, and a security fix on an optional package,

Note: the two previous batches of updates has not been released yet, so if you haven't tested it, you will see more updates than described here when you'll install the update candidates. Refer to the previous announcements.

What changed

Virtualization & System

• kexec-tools: Update to sync with Xen Server:
  • Add checks to reboot a crashed host if kernel crash handling doesn't complete.

Control Plane

• xapi: Fix the VM revert regression introduced in earlier "testing" version.

Optional package

• lldpd: Fix CVE-2026-46433, a buffer over-read when processing the "VLAN tags from an Ethernet frame.

Versions

• kexec-tools: 2.0.15-20.1.xcp-ng8.3 -> kexec-tools-2.0.15-21.1.xcpng8.3
• xapi: 26.1.11-1.1.xcpng8.3 -> xapi-26.1.11-1.2.xcpng8.3

Optional packages:

• lldpd: 1.0.4-1.1.xcpng8.3 -> 1.0.4-1.2.xcpng8.3

Test on XCP-ng 8.3

Warning: XOSTOR users, refer to the instructions in the previous announcement, which apply here if you haven't installed the previous update candidates.

yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates
yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

What to test

As usual, normal use and anything else you want to test.

Test window before official release of the updates

~2 days

We would like to thank users who reported feedback since our last call for testing:
@Andrew, @ScarfAntennae, @XCP-ng-JustGreat, @acebmxer, @bufanda, @flakpyro

As this is my first time installing these update candidates,

Actually we moved first batch of packages that landed in testing to candidates repo, to avoid mix up in the second batch that just landed in testing repo. Since nothing new appeared in candidate you should probably already had them before, home this is clarifying what is actually happening

Next yum update should just pull the latest stable versions?

Not if you already have installed then from testing (or candidate) repo, because versions are same, it's only the distribution channel that change, no impact for testers.

New maintenance update candidates for XCP-ng 8.3 LTS

This release batch contains mostly fixes, tools version update, a some improvements.

Note: the previous batch of updates has not been released yet, so if you haven't tested it, you will see more updates than described here when you'll install the update candidates. Refer to the previous announcements.

What changed

Virtualization & System

• xen: Add support for xenpm get-core-temp to query CPU temperature on Intel platforms.

  • Use xenpm get-core-temp to get the temperature on Intel's CPU, to fallback unsupported coretemp. Doc update being reviewed.

• grub: Sync with XenServer 8.4: Fix a rare out-of-memory error.

• dracut: Fixes

  • Fix to force reboot/shutdown/halt.
  • Fix issue where the omission of 'override' kernel modules from the initrd image could, in rare instances, prevent a freshly installed XCP-ng host from booting.

Control Plane

• xapi: Update to 26.1.11, add fixes and improvements.
  • Fixed an issue where a newly installed host wouldn't be able to join a pool due to incompatible features exposed by storage.
  • Fix shutdown VMs not being migratable due to errors generated when the VM was running.
  • Allow moving VMs back to DHCP from static IP with configure_ipv4/6.

Network

• stunnel: Fixed stunnel only considering one of the self-signed certificates with the same DN.

Tools

• xcp-ng-pv-tools: Update to XCP-ng Windows Guest Tools 9.1.200 (full changelog).

Drivers

• mpi3mr-module: Update to version 8.17.1, adding newly supported SAS5116 devices.

Optional:

• mellanox-mlnxen-alt: Fix build error with kernel 4.19.19-8.0.42.1+.

Storage

• kmod-drbd: Update to 9.2.18 (full changelog)

  • Improve XOSTOR stability when evacuating/evicting an host.

• xcp-ng-release-linstor: Relocate config file to v8.3-linstor repository.

Versions

• dracut: 033-538.xcpng8.3 -> 033-539.1.xcpng8.3
• gpumon: 24.1.0-84.1.xcpng8.3 -> 24.1.0-91.1.xcpng8.3
• grub: 1:2.06-4.0.2.1.xcpng8.3 -> 1:2.06-4.0.5.1.xcpng8.3
• mpi3mr-module: 8.6.1.0.0-1.xcpng8.3 -> 8.17.1.0.0-1.xcpng8.3
• stunnel: 5.60-5.xcpng8.3 -> 5.60-6.1.xcpng8.3
• xapi: 26.1.4-3.2.xcpng8.3 -> 26.1.11-1.1.xcpng8.3
• xcp-featured: 1.2.1-1.xcpng8.3 -> 1.2.1-2.xcpng8.3
• xcp-ng-pv-tools: 8.3-17.xcpng8.3 -> 8.3-18.xcpng8.3
• xen: 4.17.6-9.1.xcpng8.3 -> 4.17.6-9.3.xcpng8.3

Optional packages:

• mellanox-mlnxen-alt: 5.4_1.0.3.0-2.xcpng8.3 -> 5.4_1.0.3.0-3.xcpng8.3

XOSTOR users: specific update procedure

Some XOSTOR packages are provided in separate repository, and should be installed along xcp-ng regular packages, using the following commands:

yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates,xcp-ng-linstor-testing
yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates,xcp-ng-linstor-testing
reboot

Note: linstor packages themselves have not been updated, only kmod-drbd and xcp-ng-release-linstor. Thus, this time it's not necessary to restart the satellites before rebooting.

The following XOSTOR-specific package received updates (and must be updated in the same transaction, which the above update commands will do):

• xcp-ng-release-linstor: 1.4-2.xcpng8.3 -> 1.5-1.xcpng8.3 (from xcp-ng-testing repo)
• kmod-drbd: 9.2.16-1.0.xcpng8.3 -> 9.2.18-2.0.xcpng8.3 (from xcp-ng-linstor-testing repo)

Test on XCP-ng 8.3

Warning: XOSTOR users should skip this part and follow the instructions of the previous section.

yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates
yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

What to test

As usual, normal use and anything else you want to test.

Test window before official release of the updates

~2 days

We would like to thank users who reported feedback since our last call for testing:

@Andrew, @XCP-ng-JustGreat, @acebmxer, @bufanda, @flakpyro, @jeffberntsen, @majorp93, @manilx, @marcoi, @ph7.

rzr said:
Since it's a lowest priority you can take all the time you need, and If too busy, no problem we can do it for you and then backport the change to XCP-ng.

Or Is there any volunteer interested to learn about how to contribute to xcp-ng ? I can mentor you, pm me.

rzr said:

New security update candidates for XCP-ng 8.3 LTS (kernel)

Test window before official release of the updates

~3 days

The testing window is extended a bit, expect also a next batch (to be tested later this month).

It has been planned to group updates for the convenience of administrators (stay tuned in blog).

Meanwhile If you didn't notice yet, an updated xen-4.17.6-9.2.xcpng8.3 package landed in testing repo, it addresses some low risk vulnerabilities as reported at:

• VSA-2026-017 (XSA-491, CVE-2026-42487)
• VSA-2026-018 (XSA-492, CVE-2026-42489 - CVE-2026-42490),
• VSA-2026-019 (CVE-2025-10263, XSA-493)
• VSA-2026-020 (CVE-2026-42488, XSA-494)

More to come soon

@acebmxer said:

@rzr
No issues to report initially other then nslookup still an issue.

openssl_link.c:132: INSIST(dst__memory_pool != ((void *)0)) failed, back trace

Yes I looked at it, it looks like it's a design isssue that was fixed in later version of bind.

In details If I understand correctly this patched version of nslookup is facing a SIGARBT caused by an assert on previously cleanup resources (dst__memory_pool) which is unexpected in finishing part of the openssl thread (dst__openssl_destroy).

This bind patched version (where ssl support is in progress) is also known to have memory leaks, but those are resolved in later version, so until we catch up you'll probably have to live with this little annoyance on process exit unless we find (and validate) a better fix.

New security update candidates for XCP-ng 8.3 LTS (kernel)

This release batch contains security fix on kernel, version update, some bug fixes and a few improvements.

What changed

Virtualization & System

• kernel: Fix Vulnerability: CVE-2026-46243

  • Fixed the CIFSwitch security vulnerability that could allow privilege escalation from a user with low privileges.

• intel-microcode: Fix a hang on boot on some platforms (Revert Granite Rapids AP/SP ucode back to IPU 2026.1)

Drivers

• intel-ice: Update to 2.4.5
  • Adds support for E825-C and E830.
  • Adds support for Link Aggregation (LAG).
  • Various stability, performance, and bug-fix updates.

Versions:

• intel-ice: 1.15.5-2.xcpng8.3 -> 2.4.5-8.1.1.xcpng8.3
• intel-microcode: 20260416-1.xcpng8.3 -> 20260416-2.xcpng8.3
• kernel: 4.19.19-8.0.46.5.xcpng8.3 -> 4.19.19-8.0.46.6.xcpng8.3

Test on XCP-ng 8.3

yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates
yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

What to test

As usual, normal use and anything else you want to test.

Test window before official release of the updates

~3 days

We would like to thank users who reported feedback since our last call for testing:

@Andrew, @acebmxer, @flakpyro, @jeffberntsen, @majorp93, @marcoi, @ph7, @pilow, @probain.

@marcoi said:

i ssh into the host2 yum clean metadata and yum update manually applied updates.

Did you try to reboot it just after ?

XO still showed host 2 needing patching, so i reboot it

Seems not.

What about rebooting the host too ?

Let me pass the world to @Team-XO-Backend

We pushed the tested updates to the xcp-ng-updates repository, check blog post for summary and related advisories:
https://xcp-ng.org/blog/2026/06/02/june-2026-updates-1-for-xcp-ng-8-3-lts/

Thank you again for feedback we will try to address reported issues on next batch (to come soon).

Note that some issues are not related to this specific update batch, but might have been introduced on previous ones (TBC).

@ph7 said:

Maybe this schould be under XO/Backup

Sure, It will not hurt to start a dedicated thread about this @storage issue, but it's not mandatory team is listening to your feedback anyway.

@Andrew said:

Thank you for this report, I fear this issue appeared when we rebuilt bind with openssl-3

nslookup vates.com 8.8.8.8

I confirm this issue, note that bind-utils is not installed by default, let me investigate.

New security and maintenance update candidates for XCP-ng 8.3 LTS (kernel)

This release batch contains security fixes on the Linux kernel in dom0, version updates, some bug fixes and a few improvements.

What changed

Virtualization & System

• kernel: Update to 4.19.19-8.0.46.5

  • Fixes multiple vulnerabilities:
    • CVE-2026-46300: A logic error in the network stack could allow an unprivileged local user to escalate its privileges to root by modifying page caches for file-backed files that were not supposed to be writable. The modifications are not persistent to a reboot (i.e. no disk corruption). This vulnerability is used by the public exploit Fragnesia.
    • CVE-2026-46333: Incorrect tracking of users privilege level when a task is exiting in the ptrace sub-system could allow an unprivileged local user to escalate its privileges to root by writing to file descriptors they are not supposed to have access to. The changes made to potentially root-owned files are persisted across reboots. This vulnerability is used by the public exploits ssh-keysign-pwn as well as ptrace_may_dream.
    • CVE-2026-43494: A double-free of pinned pages in the RDS kernel module in the transmit error path could allow an unprivileged local user to escalate its privileges to root by modifying page caches for file-backed files, allowing them to for example overwrite a SUID binary in page cache with a shellcode. Changes are not persistent across reboots. This vulnerability is used by the public exploit pintheft.

• qemu: Fix a potential issue in guest memory mapping lookup.

• edk2:

  • Fix issues while booting from physical CD/DVD drive.
  • Bump UEFI guest vCPU limit to 128 vCPU (was 96 vCPUs)

• dmidecode: Update to 3.6-3

  • Version able to read type 42 tables (redfish)

• varstored: Update to 1.3.2-2.1

  • Sync with upstream.

• ipxe: PXE boot support of BIOS VMs on a VLAN with 802.1Q priority tags

Control plane

• xapi: Enable USB passthrough of smartcards

Storage

• blktap: No functional change. Only sync with upstream.

Network

• openssh: Drop support of insecure clients
  • Old OpenSSH clients (version less than 7.2) can no longer connect with ssh-rsa (due to SHA-1 being no longer accepted by the server).
  • The solution is either to update OpenSSH-clients (to a version >= 7.2), or to generate and use ED25519 keys.

Others

• libtasn1: Update to 4.21.0 (hardening)
• fuse: Rebuild
• slang: Rebuild
• systemtap: Rebuild

Optional packages

• libreswan: Rebuild
• netdata: Rebuild

Versions:

• blktap: 3.55.5-6.7.xcpng8.3 -> 3.55.5-9.1.xcpng8.3
• dmidecode: 1:3.0-5.el7 -> 1:3.6-3.xcpng8.3
• edk2: 20220801-1.7.10.1.xcpng8.3 -> 20220801-1.7.11.1.xcpng8.3
• fuse: 2.9.2-10.xcpng8.3 -> 2.9.2-10.1.xcpng8.3
• ipxe: 20121005-1.0.7.xcpng8.3 -> 20121005-1.0.8.xcpng8.3
• kernel: 4.19.19-8.0.46.3.xcpng8.3 -> 4.19.19-8.0.46.5.xcpng8.3
• libreswam: 4.12-2.3.1.xcpng8.3 -> 4.12-2.3.2.xcpng8.3
• libtasn1: 4.10-1.el7 -> 4.21.0-1.xcpng8.3
• openssh: 9.8p1-1.2.3.xcpng8.3 -> 9.8p1-1.2.4.xcpng8.3
• netdata: 1.47.5-4.2.xcpng8.3 -> 1.47.5-4.3.xcpng8.3
• qemu: 2:4.2.1-5.2.17.1.xcpng8.3 -> 2:4.2.1-5.2.18.1.xcpng8.3
• slang: 2.3.2-11.xcpng8.3 -> 2.3.2-11.1.xcpng8.3
• systemtap: 4.0-5.2.xcpng8.3 -> 4.0-5.3.xcpng8.3
• varstored: 1.3.1-2.1.xcpng8.3 -> 1.3.2-2.1.xcpng8.3
• xapi: 26.1.4-3.1.xcpng8.3 -> 26.1.4-3.2.xcpng8.3

Test on XCP-ng 8.3

yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates
yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

What to test

As usual, normal use and anything else you want to test.

Test window before official release of the updates

~1 day

We would like to thank users who reported feedback since our last call for testing:

@Andrew, @acebmxer, @flakpyro, @greg_e, @jeffberntsen, @marcoi, @ovicz, @ph7, @probain.

@ovicz said:

I get this in dmesg after the latest updates :

[   54.673443] python3[3691]: segfault at 200000 ip 00007f16eb8eca9f sp 00007ffd                                                                                                             b84e9ff0 error 4 in libpython3.6m.so.1.0[7f16eb804000+28d000]
[   54.673450] Code: 01 00 00 8d 5f ff 48 8d 2d de 3a 3c 00 c1 eb 03 44 8d 24 1b                                                                                                              4e 8b 44 e5 00 49 8b 70 10 49 39 f0 74 5f 49 8b 40 08 41 83 00 01 <48> 8b 38 48                                                                                                              85 ff 49 89 78 08 74 0d 48 83 c4 10 5b 5d 41 5c c3 0f
[   84.587661] xapi[3697]: segfault at 7f28cacaea40 ip 00007f28c6df0ec2 sp 00007                                                                                                             f289a5b8af0 error 6 in libjemalloc.so.2[7f28c6d85000+85000]
[   84.587669] Code: 48 2b 73 08 44 8b 4d 84 ba 01 00 00 00 49 83 c2 01 49 0f af                                                                                                              f1 4c 8d 0d ac 72 42 00 48 89 f1 48 c1 ee 26 48 c1 e9 20 48 d3 e2 <48> 31 54 f3                                                                                                              40 48 8b 8d 58 ff ff ff 48 8b 33 48 8d be 00 00 00 10

Hi, if possible can you share us more information to troubleshoot, like a xen-bugtool --yestoall output ?
https://docs.xcp-ng.org/troubleshooting/log-files/

If you can also do the usual hardware check (eg: memtest) that would help, because my intuition is that it is not related to this precise update but we like to be sure.

@ph7 said:

@rzr

XO-lite was already on 0.21.0 (13f98) after the update 2 weeks ago.. Don't know if it's the same.

yes it's same landed in testing before and not yet moved to updates, btw this version does not bring much change as it's a rebuild with dep update, see there is no full changelog :

https://github.com/vatesfr/xen-orchestra/releases/tag/xo-lite-v0.21.0

@JeffBerntsen said:

@rzr

I'm seeing 30 updates as well but they're installed and seem to be working fine on my test systems.

I think I only listed sources packages (which contains several binaries sub-packages having the same versions), so that's expected

BTW thank you for reactivity on testing

New security update candidates for XCP-ng 8.3 LTS (kernel, xen, intel-microcode)

This release batch contains security fix on kernel, version updates, some bug fixes.

What changed

Virtualization & System

• kernel: Update to 4.19.19-8.0.46.3
  • Fixes CVE-2026-43284 (used by the DirtyFrag and CopyFail2 exploits)
• intel-microcode: Update to 20260416-1
  • Improve Intel support and security INTEL-SA-01420
• xen: Update to 4.17.6-8.1
  • Minor bugfixes for x86 systems, including calibration of various timers and handling of PCI devices when disabling SR-IOV

Control plane

• xapi: Update to 26.1.4
  • Minor NUMA fixes

UI

• xo-lite: Update to 0.21.0
  • chore: upgrade dependencies with known security vulnerabilities (#9640)
    • These vulnerabilities are not believed to affect XO Lite itself. They are fixed as defence-in-depth.
  • Changelog

Versions:

• gpumon: 24.1.0-83.2.xcpng8.3 -> 24.1.0-84.1.xcpng8.3
• intel-microcode: 20260115-1.xcpng8.3 -> 20260416-1.xcpng8.3
• kernel: 4.19.19-8.0.46.2.xcpng8.3 -> 4.19.19-8.0.46.3.xcpng8.3
• xapi: 26.1.3-1.10.xcpng8.3 -> 26.1.4-3.1.xcpng8.3
• xcp-featured: 1.1.8-6.xcpng8.3 -> 1.2.1-1.xcpng8.3
• xen: 4.17.6-6.2.xcpng8.3 -> 4.17.6-8.1.xcpng8.3
• xo-lite: 0.20.0-1.xcpng8.3 -> 0.21.0-1.xcpng8.3

Test on XCP-ng 8.3

yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates
yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

What to test

As usual, normal use and anything else you want to test.

Test window before official release of the updates

~1 day

We would like to thank users who reported feedback since our last call for testing:
@Andrew, @FritzGerald, @IgorGlock, @bufanda, @flakpyro, @manilx, @marcoi, @ovicz, @ph7.

@bnerickson said:

Thanks for the reminder, for some reason it was not seen before (all applogies).

I'm unsure where to report this,

Here or in related open projects directly (assuming you know where to look at) but let me guide you.

but syslog reports the following warning when a VM starts:

(UDEV-WORKER)   cpu0: Process '/bin/sh -c '[ -e /dev/xen/xenbus ] && [ -e /sys/devices/system/cpu/cpu0/online ] && echo 1 > /sys/devices/system/cpu/cpu0/online'' failed with exit code 1.

Good catch, it's a bad habit to use AND (&&) in conditionals.

Hardcore programmers prefer to use OR (||) in scripts, this practice prevents failed exit and make debugging easier (with set -xe).

(...)

> ACTION=="add", SUBSYSTEM=="cpu", RUN+="/bin/sh -c 'if [ -e /dev/xen/xenbus ] && [ -e /sys$devpath/online ]; then echo 1 > /sys$devpath/online; fi'"

That would work, What about this "simpler" form ?

[ ! -e /dev/xen/xenbus ]  || [ ! -e /sys$devpath/online ] || echo 1 > /sys$devpath/online 

Could be harder to read, but I get used to.

If you want you can contribute the fix directly to upstream since the file is public at:

https://github.com/xenserver/xe-guest-utilities/blob/master/mk/xen-vcpu-hotplug.rules

About the exec bit, here is the line that should be changed:

https://github.com/xcp-ng-rpms/xcp-ng-pv-tools/commit/3d134fbd0f3ac9e2f3cfa914e38b33529635d458#r183816712

@bnerickson, If you need any mentoring for OSS contributions, I would be more than a happy to help.
Since it's a lowest priority you can take all the time you need, and If too busy, no problem we can do it for you and then backport the change to XCP-ng.

1 stormi committed to xcp-ng-rpms/xcp-ng-pv-tools

Build the tools from the sources

- Build 32 bit and 64 bit xe-guest-utilities
- Build TGZ, RPM and DEB packages for xe-guest-utilities
- Put the result into the ISO and the ISO into the xcp-ng-pv-tools RPM
  (as before).

It's a bit hacky, but as the binaries are statically linked, this
peculiar build process should work.

New update candidates for you to test!

We are continuing to refine the next batch of update with planned fixes. This release batch contains fixes on the major storage feature previously announced, read the RC2 announcement for QCOW2 image format support for 2TiB+ images.

What changed

Storage

QCOW2 image format support is the major feature of this release batch, check related announcement in forum.

Some fixes have been applied to fix issues found during the testing phase.

• sm: 3.2.12-17.6

  • Limit QCOW2 VDI max size to be 16TiB with metadata to allow compatibility with EXTSR (EXTSR is limited to 16TiB unique file size)

    • If a full QCOW2 VDI is allocated, XCP-ng would not be able to migrate it to an EXTSR with this limitation.

    • In the future, while EXTSR will remain limited to this maximum size, other SR types will evolve towards higher limits. For this, we'll have to work on the existing assumption that all SR which support the QCOW2 image-format share the same maximum size limit for VDIs, and to catch migration attempts towards SRs whic cannot receive disks bigger than their maximum limit.

• blktap: 3.55.5-6.6

  • Update the package's license.

Versions:

• blktap: 3.55.5-6.5.xcpng8.3 -> 3.55.5-6.6.xcpng8.3
• sm: 3.2.12-17.5.xcpng8.3 -> 3.2.12-17.6.xcpng8.3

Test on XCP-ng 8.3

If you are using XOSTOR, please refer to our documentation for the update method.

yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates
yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

What to test

The most important change is related to storage: adding QCOW2 support also affects the codebase managing VHD disks. What matters here is, above all, to detect any regression on VHD support (we tested it deeply, but on this matter there's no such thing as too much testing). Of course, you are also welcome to test the QCOW2 image format support.

See the dedicated thread for more information.

And, as usual, normal use and anything else you want to test.

Test window before official release of the updates

~3 days

We would like to thank users who reported feedback since our last call for testing, in less than 24h: @acebmxer, @Andrew, @MajorP93.

Feature fixes, security and maintenance update candidates for you to test!

This release batch contains fixes on the major storage feature previously announced,
read the RC2 announcement for QCOW2 image format support for 2TiB+ images.

The whole platform has been hardened with back-porting security patches from the latest version of OpenSSH.

An additional driver fix is part of this minor package set.

What changed

Storage

QCOW2 image format support is the major feature of this release batch,
check related announcement in forum.

Some fixes have been applied to fix issues found during the testing phase. Many thanks go to @Andrew who found a CBT-related bug on file-based SRs!

• sm: 3.2.12-17.5
  • Fix a regression on CBT (Changed block tracking) on file-based SRs (EXT, NFS, ...), causing backup jobs using the "purge snapshot data when using CBT" option to create full backups each time instead of deltas.
  • Deactivate unused LVM snapshot base before deletion to prevent LVM leak. This fix is not related to the QCOW2 feature, but is important and localized enough for us to provide it in addition the other changes.
  • Minor fix that prevents a warning when updating the package.
• blktap: 3.55.5-6.5
  • Fix install warning when triggering mdadm to generate a udev rule.

Network

• openssh: Update to 9.8p1-1.2.3
  • Two vulnerabilities disclosed along with the OpenSSH 10.3 release have been fixed.
    • In authorized_keys, when principals="" was defined along with a CA with a common CA, an interpretation error occurred, which could lead to unauthorized access.
    • When one ECDSA algorithm was active, it activated all others regardless of their configuration. (By default, all ECDSA algorithms are active.)
  • For more details please track the upcoming Vates Security Advisories.

Drivers updates

More information about drivers and current versions is maintained on the drivers wiki page.

• qlogic-fastlinq-alt: 8.74.6.0-1
  • Fixes 2 issues in the qede module driver:
    • Driver does not retain configured MAC and MTU post reset recovery
    • Driver does not recover from TX timeout error

Versions:

• blktap: 3.55.5-6.4.xcpng8.3 -> 3.55.5-6.5.xcpng8.3
• openssh: 9.8p1-1.2.2.xcpng8.3 -> 9.8p1-1.2.3.xcpng8.3
• sm: 3.2.12-17.2.xcpng8.3 -> 3.2.12-17.5.xcpng8.3

Optional packages:

• qlogic-fastlinq-alt: 8.70.12.0-1.xcpng8.3 -> 8.74.6.0-1.xcpng8.3

Test on XCP-ng 8.3

If you are using XOSTOR, please refer to our documentation for the update method.

yum clean metadata --enablerepo=xcp-ng-testing,xcp-ng-candidates
yum update --enablerepo=xcp-ng-testing,xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

What to test

The most important change is related to storage: adding QCOW2 support also affects the codebase managing VHD disks. What matters here is, above all, to detect any regression on VHD support (we tested it deeply, but on this matter there's no such thing as too much testing). Of course, you are also welcome to test the QCOW2 image format support.

See the dedicated thread for more information.

Other significant changes requiring attention:

• SSH connectivity

And, as usual, normal use and anything else you want to test.

Test window before official release of the updates

~4 days

We would like to thank users who reported feedback on the QCOW RC2 release: @acebmxer, @andrew, @bufanda, @flakpyro, @jeffberntsen, @ph7