Posts for: #security

XCP-ng December 2023 Security Update Now Available

XCP-ng, the popular virtualization platform, has released its latest security update for the month of December. The update is specifically for the 8.2 LTS release, which is currently the only supported version of XCP-ng.

The update includes fixes for vulnerabilities in Xen and linux-firmware in the controller domain. These vulnerabilities have been addressed to ensure the security of the virtual machines running on the platform.

One of the fixed vulnerabilities, XSA-445, addresses a mismatch in IOMMU quarantine page table levels on x86 AMD systems. It could allow a device placed in quarantine mode to access data leaked from previously quarantined pages. Although the quarantine feature is not enabled by default in XCP-ng, it can be enabled at Xen boot time.

The second fixed vulnerability, XSA-446, deals with memory content inference in PV guests. XCP-ng strongly advises against using PV guests and recommends switching to HVM for better security; anyone still running PV guests should plan that switch.

In addition to the security updates, XCP-ng has also released non-security updates to pave the way for upcoming refreshed installation ISOs. These updates include improvements to the linux-firmware, gpumon, tzdata, and vendor-drivers components.

The linux-firmware update includes an update to the AMD microcode, specifically for the family 19h (Zen 3, Zen3+). This update helps mitigate hardware vulnerabilities and bugs. However, it is important to note that updating the hardware’s firmware remains the preferred method for updating microcode, and any newer microcode found in the firmware will take precedence over the microcode provided in XCP-ng.

Other changes include a small change to suppress unnecessary logging in gpumon, updated timezones with the latest CentOS 7 update of the tzdata package, and the integration of new drivers into XCP-ng in preparation for the upcoming refreshed installation ISOs. These new drivers include the igc module for Intel device drivers for I225/I226, the r8125 module for Realtek r8125 device drivers, and the mpi3mr module for Broadcom mpi3mr RAID device drivers.

Overall, the December 2023 security update for XCP-ng brings important security fixes and improvements to the virtualization platform, ensuring the safety and performance of virtual machines. Users are encouraged to update their systems to benefit from these enhancements and to maintain a secure environment for their workloads.

OpenSSL 3.2 Introduces Client-Side QUIC and SSL/TLS Security Level 2 as Default

OpenSSL 3.2, the latest major update to the widely-used cryptography and SSL/TLS project, has been released. This update brings numerous new features and improvements to the library.

Some of the key highlights of the OpenSSL 3.2 release include:

  • The default SSL/TLS security level has been increased from 1 to 2, enhancing security for users.
  • Support for client-side QUIC has been added, including multi-stream support. QUIC is a general-purpose transport layer network protocol initially developed by Google and later adopted by the IETF. While OpenSSL 3.2 only offers client-side QUIC support, the plan for OpenSSL 3.3 and 3.4 over the next year is to further enhance this QUIC implementation.
  • Support for Ed25519ctx, Ed25519ph, and Ed448ph has been added.
  • Deterministic ECDSA signatures are now supported.
  • TCP Fast Open is now supported on Linux, macOS, and FreeBSD where available.
  • TLS certificate compression is now supported with Zlib, Brotli, and Zstd.
  • On Windows, support has been added for using the Windows system certificate store as a source of trusted root certificates, although it is not enabled by default.
  • Additional enhancements include support for SM4-XTS, AES-GCM-SIV, Argon2 KDF, Brainpool curves in TLS 1.3, TLS Raw Public Keys, and various other additions.

For downloads and further details on the OpenSSL 3.2 release, visit the official OpenSSL website.

Source: Phoronix.

XCP-ng: Security Update for November 2023

XCP-ng has released a new security update for the 8.2 LTS version. The update includes new microcode from Intel to mitigate hardware vulnerabilities. However, it is recommended to update the hardware’s firmware for the best results. The update also addresses security issues related to IOMMU and PV guests in the Xen Project. The fixed vulnerability, CVE-2023-23583, can allow privilege escalation, information disclosure, or denial of service. It affects specific generations of server, desktop, embedded, and mobile processors.

The update also mentions upcoming fixes for XSA-445 and XSA-446. XSA-445 can affect hosts if the dom_io feature is enabled, and XSA-446 can bypass certain protections for PV guests; avoiding PV guests is recommended to avoid any potential impact. The updated microcode for the Intel security advisory (SA) is included in this XCP-ng update, while the fixes for the XSAs will be integrated in a future release or, if needed, in the coming days.

XCP-ng Boosts Security with October 2023 Update

New security and maintenance updates are available for the only currently supported release of XCP-ng, version 8.2 LTS. This update includes fixes for several vulnerabilities in Xen and the Linux kernel in the controller domain. Additionally, maintenance updates that were ready and waiting for the next push are also included.

The fixed vulnerabilities in this security update are as follows:

  • XSA-440: CVE-2023-34323 - “xenstored: A transaction conflict can crash C Xenstored”. This vulnerability could potentially lead to a denial of service (DoS) attack. However, it only affects users who deliberately switched to C Xenstored from the default ocaml version used by XCP-ng.
  • XSA-441: CVE-2023-34324 - “Possible deadlock in Linux kernel event handling”. While this denial of service vulnerability is not exploitable in XCP-ng’s default configuration, a patched dom0 kernel is provided as an additional layer of defense.
  • XSA-442: CVE-2023-34326 - “x86/AMD: missing IOMMU TLB flushing”. On certain AMD systems, an attacker could exploit a vulnerability in the handling of PCI passthrough to escalate privileges, cause a denial of service, or gain access to leaked information.
  • XSA-443: CVE-2023-34325 - “Multiple vulnerabilities in libfsimage disk handling”. This privilege escalation vulnerability affects PV guests through flaws in the handling of libfsimage, particularly with XFS. While PV guests are deprecated and not security-supported on XCP-ng 8.2, a fix is provided for users who still have PV guests. It is strongly recommended to convert these VMs to HVM. The Xen Security Team plans to issue another update later this month to remove all uses of libfsimage wherever possible.
  • XSA-444: CVE-2023-34327 and CVE-2023-34327 - “x86/AMD: Debug Mask handling”. This vulnerability affects AMD CPUs, specifically the Steamroller microarchitecture and later. It allows guests to crash other guests and can also result in a crash of the host if a buggy or malicious PV guest kernel is present.

In addition to the security updates, this release includes other improvements:

  • The Storage Manager (sm) now has better handling of custom multipath configurations. Previously, modifying the /etc/multipath.conf file could lead to issues when the file was updated to add support for new hardware. The correct way to add custom multipath configuration is now through a file in the /etc/multipath/conf.d/ directory. XCP-ng 8.2 now includes a warning on top of the /etc/multipath.conf file, creates the /etc/multipath/conf.d/ directory by default, and provides a ready-to-modify /etc/multipath/conf.d/custom.conf file.
  • Guest templates have been synced with Citrix Hypervisor’s recent hotfixes. The only new template added is for Ubuntu 22.04.
  • A backport of Citrix Hypervisor’s hotfix (XS82ECU1048) for irqbalance has been included. This hotfix enables interrupt balancing for Fibre Channel (FC) PCI devices, improving performance on fast FC HBA SRs, especially when multipathing is used.

For more information and to download the October 2023 Security Update for XCP-ng 8.2, please visit the XCP-ng blog.

Curl 8.4 Release: Enhancing Security Measures

Curl 8.4 has been released with a focus on addressing a major security vulnerability. Following the recent announcement that Curl was preparing for one of its worst security flaws in a long time, the latest version of Curl aims to fix this issue and provide additional security improvements.

In addition to the “high” level security fix, Curl 8.4 also resolves a “low” security issue. Alongside these security updates, the release includes bug fixes and feature enhancements for the widely-used downloading library and curl command-line utility.

The main security issue addressed in Curl 8.4 is CVE-2023-38545, a heap-based buffer overflow in the SOCKS5 proxy handshake. When curl is asked to pass the hostname to the SOCKS5 proxy for address resolution, the protocol allows a maximum hostname length of 255 bytes. Due to a bug, a hostname longer than this could be copied past the end of the heap buffer. Triggering the issue requires a slow SOCKS5 handshake and a client using a hostname longer than the download buffer.
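As an added illustration of the bounds check the passage describes (example code written for this page, not curl's own implementation), the following C encoder builds the SOCKS5 CONNECT request in its domain-name form, the form used when the proxy is asked to resolve the hostname, and refuses any name that the protocol's one-byte length field cannot express instead of copying it into a fixed-size buffer. The function and constant names are assumptions for this example, and the hostnames it is exercised with are constructed.

```c
/* Added example, not curl's code: encoding a SOCKS5 CONNECT request that asks
 * the proxy to resolve a hostname (ATYP 0x03), with the length checks that
 * must run before a caller-supplied name is copied into a fixed-size buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The domain-name form carries its length in a single byte (RFC 1928), so
 * 255 bytes is a hard protocol limit, not a tunable. */
#define SOCKS5_MAX_HOSTNAME 255u
/* VER, CMD, RSV, ATYP, LEN, name, 2-byte port. */
#define SOCKS5_REQ_MAX (4u + 1u + SOCKS5_MAX_HOSTNAME + 2u)

enum socks5_rc {
    SOCKS5_ERR_EMPTY_HOST = -1,
    SOCKS5_ERR_HOST_TOO_LONG = -2,
    SOCKS5_ERR_BUFFER_TOO_SMALL = -3
};

/* Writes VER=5, CMD=CONNECT(1), RSV=0, ATYP=3, LEN, hostname, port (big-endian)
 * into out. Returns the number of bytes written, or a negative socks5_rc.
 * Nothing is written unless every check passes. */
int socks5_encode_connect(const char *hostname, uint16_t port,
                          uint8_t *out, size_t outlen)
{
    size_t hlen = strlen(hostname);
    if (hlen == 0)
        return SOCKS5_ERR_EMPTY_HOST;
    /* Refuse oversized names outright: truncating would connect to the wrong
     * host, and any "fall back and resolve locally" path must not reuse the
     * buffer that was sized for the proxy request. */
    if (hlen > SOCKS5_MAX_HOSTNAME)
        return SOCKS5_ERR_HOST_TOO_LONG;
    size_t need = 4 + 1 + hlen + 2;
    /* Check the destination against the actual length; never assume it fits. */
    if (outlen < need)
        return SOCKS5_ERR_BUFFER_TOO_SMALL;

    out[0] = 0x05;                 /* VER */
    out[1] = 0x01;                 /* CMD: CONNECT */
    out[2] = 0x00;                 /* RSV */
    out[3] = 0x03;                 /* ATYP: domain name, proxy resolves it */
    out[4] = (uint8_t)hlen;        /* fits because hlen <= 255 */
    memcpy(out + 5, hostname, hlen);
    out[5 + hlen] = (uint8_t)(port >> 8);
    out[6 + hlen] = (uint8_t)(port & 0xffu);
    return (int)need;
}

/* Exercises the encoder with a constructed hostname of n bytes of 'a'
 * against a correctly sized request buffer; returns the encoder's result. */
int socks5_try_hostname_length(size_t n)
{
    char name[SOCKS5_MAX_HOSTNAME + 64];
    uint8_t req[SOCKS5_REQ_MAX];
    if (n >= sizeof(name))
        return SOCKS5_ERR_HOST_TOO_LONG;   /* larger inputs are rejected the same way */
    memset(name, 'a', n);
    name[n] = '\0';
    return socks5_encode_connect(name, 443, req, sizeof(req));
}

int main(void)
{
    uint8_t req[SOCKS5_REQ_MAX];
    int n = socks5_encode_connect("example.com", 443, req, sizeof(req));
    printf("encoded %d bytes:", n);
    for (int i = 0; i < n; i++)
        printf(" %02x", req[i]);
    printf("\n");
    printf("256-byte hostname -> rc %d\n", socks5_try_hostname_length(256));
    return 0;
}
```

The important design choice is that the length check happens before any write and returns an error rather than silently truncating or switching to a different resolution path: a 255-byte name produces a full 262-byte request, a 256-byte name is rejected, and an output buffer even one byte too small is rejected as well.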

The other security issue resolved in this release pertains to cookie injection without a file.

On the feature side, Curl 8.4 introduces support for IPFS (InterPlanetary File System) protocols via HTTP gateways. Additionally, support for legacy MinGW.org toolchains has been dropped in this release.

For more information on all the changes in Curl 8.4, you can visit the official curl.se website.

Source: Phoronix.

curl Prepares for Significant Security Flaw in Latest Update

The widely-used curl project is preparing to release curl 8.4 early to address a severe vulnerability in the library. Details on the vulnerability are limited, as it is still under embargo, but curl lead developer Daniel Stenberg has described it as “probably the worst curl security flaw in a long time.” The release, scheduled for October 11, will include fixes for this high severity vulnerability, as well as a low severity one. Stenberg has not provided specific details about which version range is affected, but he has stated that it impacts all curl versions from the past few years. This vulnerability is expected to be particularly impactful for users of the libcurl library and curl command-line tool.

Source: Phoronix.