Recommended Hotfixes for Citrix Hypervisor 8.2

Public Availability: fixes to Dom0 user space

To improve security, weaker ciphersuites have been removed from the list of ciphersuites that are supported for SSH communication. Only the following ciphersuites are now supported:

Ciphers:

  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • aes128-ctr
  • aes192-ctr
  • aes256-ctr
  • aes128-gcm@openssh.com
  • aes256-gcm@openssh.com
  • chacha20-poly1305@openssh.com

MACs:

  • hmac-sha1
  • hmac-sha2-256
  • hmac-sha2-512
  • hmac-sha1-etm@openssh.com
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512-etm@openssh.com

Key Exchange algorithms:

  • diffie-hellman-group14-sha1
  • diffie-hellman-group-exchange-sha256
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • curve25519-sha256
  • curve25519-sha256@libssh.org

Host Key algorithms:

  • ecdsa-sha2-nistp256-cert-v01@openssh.com
  • ecdsa-sha2-nistp384-cert-v01@openssh.com
  • ecdsa-sha2-nistp521-cert-v01@openssh.com
  • ssh-ed25519-cert-v01@openssh.com
  • ssh-rsa-cert-v01@openssh.com
  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521
  • ssh-ed25519
  • ssh-rsa

To benefit from the improvement to ciphersuite security, you must restart your servers. However, a restart is not required to benefit from the other fixes included in this hotfix.
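To confirm after the restart that a host offers only the algorithms listed above, the effective SSH server configuration can be compared against those lists. The script below is an added example, not part of the hotfix or of Citrix's tooling; it assumes input in the shape printed by `sshd -T` (one `keyword value,value,...` line per setting), and the function names `allowed_for` and `audit_sshd` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SSH algorithms outside the hotfix's allow-list.

# Allow-lists copied from the lists on this page, keyed by sshd keyword.
allowed_for() {
  case "$1" in
    ciphers) echo "aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com" ;;
    macs) echo "hmac-sha1 hmac-sha2-256 hmac-sha2-512 hmac-sha1-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" ;;
    kexalgorithms) echo "diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256 curve25519-sha256@libssh.org" ;;
    hostkeyalgorithms) echo "ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com ssh-ed25519-cert-v01@openssh.com ssh-rsa-cert-v01@openssh.com ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519 ssh-rsa" ;;
  esac
}

# Reads "keyword alg1,alg2,..." lines on stdin (the shape of `sshd -T` output).
# Prints "keyword algorithm" for every algorithm not on the allow-list and
# returns 1 if any were found, 0 otherwise. Other keywords are ignored.
audit_sshd() {
  rc=0
  while read -r key value || [ -n "$key" ]; do
    key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # accept sshd_config casing too
    allowed=$(allowed_for "$key")
    [ -n "$allowed" ] || continue
    for alg in $(printf '%s' "$value" | tr ',' ' '); do
      case " $allowed " in
        *" $alg "*) ;;                            # on the allow-list
        *) echo "$key $alg"; rc=1 ;;
      esac
    done
  done
  return "$rc"
}

# Constructed sample (not captured from a real host): a configuration that
# still offers three algorithms missing from the lists on this page.
audit_sshd <<'EOF' || echo "algorithms outside the hotfix list were found"
port 22
ciphers aes128-ctr,3des-cbc,chacha20-poly1305@openssh.com
macs hmac-md5,hmac-sha2-256
kexalgorithms curve25519-sha256,diffie-hellman-group1-sha1
hostkeyalgorithms ssh-ed25519,ssh-rsa
EOF
```

On a host, pipe the live configuration into the function as root with `sshd -T | audit_sshd`; empty output and exit status 0 mean every offered algorithm is on the lists.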

This hotfix resolves the following issues:

  • On slower systems, xen-bugtool can experience timeouts.
  • A misconfigured PCI interface-rename rule leaves all host interfaces inaccessible.
  • If there is an issue in your NTP environment, it can sometimes take up to 10 minutes to reach the xsconsole when Citrix Hypervisor starts up.

    The wait time has been reduced to 2 minutes. You are also advised to investigate your NTP setup and change any configuration that is incorrect.
