-
libvirt (7.6.0-0ubuntu1.2) impish-security; urgency=medium
* SECURITY UPDATE: DoS via libxl driver
- debian/patches/CVE-2021-4147-1.patch: disable death events after
receiving a shutdown event in src/libxl/libxl_domain.c,
src/libxl/libxl_domain.h.
- debian/patches/CVE-2021-4147-2.patch: rename libxlShutdownThreadInfo
struct in src/libxl/libxl_domain.c.
- debian/patches/CVE-2021-4147-3.patch: modify name of shutdown thread
in src/libxl/libxl_domain.c.
- debian/patches/CVE-2021-4147-4.patch: handle domain death events in a
thread in src/libxl/libxl_domain.c.
- debian/patches/CVE-2021-4147-5.patch: search for virDomainObj in
event handler threads in src/libxl/libxl_domain.c.
- debian/patches/CVE-2021-4147-6pre1.patch: avoid virHashFree by
rearranging code in src/libxl/libxl_logger.c.
- debian/patches/CVE-2021-4147-6.patch: protect access to libxlLogger
files hash table in src/libxl/libxl_logger.c.
- CVE-2021-4147
* SECURITY UPDATE: DoS via nwfilter driver
- debian/patches/CVE-2022-0897.patch: fix crash when counting number of
network filters in src/nwfilter/nwfilter_driver.c.
- CVE-2022-0897
-- Marc Deslauriers <email address hidden> Wed, 20 Apr 2022 09:34:13 -0400
-
libvirt (7.6.0-0ubuntu1.1) impish; urgency=medium
* d/p/u/lp-1927519-virt-aa-helper-Purge-profile-if-corrupted.patch:
avoid issues due to corrupted apparmor profiles (LP: #1927519)
-- Christian Ehrhardt <email address hidden> Thu, 18 Nov 2021 10:19:58 +0100
-
libvirt (7.6.0-0ubuntu1) impish; urgency=medium
* Merge v7.6.0 from upstream and unreleased changes from Debian git.
Among other bugs this fixes copy-storage-inc based migrations (LP: #1936778)
- New upstream version 7.5.0
- New upstream version 7.6.0
- symbols: Bump symbol versions
- refresh d/p/debian/Set-defaults-for-zfs-tools.patch for v7.5.0
- patches: Refresh patches
- d/rules: disable the new Cloud Hypervisor driver
- d/rules: enable more features explicitly
- d/rules: use apparmor_profiles=enabled instead of the now rejected
value true
- update d/p/debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch: to detect
XDR functions from glibc
* d/control, d/rules: enable libssh (LP: #1939416)
* refresh ubuntu patches for v7.6.0
* Further fixups for v7.6.0 (thanks to Andrea Bolognani)
- rules: Explicitly set remote_default_mode
- rules: Rework installation of AppArmor-related files
-- Christian Ehrhardt <email address hidden> Wed, 11 Aug 2021 08:11:16 +0200
-
libvirt (7.4.0-0ubuntu3) impish; urgency=medium
* d/t/smoke-lxc: skip if cgroup v1&v2 are present (systemd 248
was not enough)
libvirt (7.4.0-0ubuntu2) impish; urgency=medium
* d/t/smoke-lxc: skip before systemd 248 due to a known bug (LP: #1934966)
libvirt (7.4.0-0ubuntu1) impish; urgency=medium
* Merge v7.4.0 from upstream,
among a lot of new features and fixes this closes a few of issues
reported against Ubuntu
- Toleration for qemu >=6.0 handling of props (LP: #1932264)
- Persistent vfio-ccw device assignments (LP: #1887929)
- Drop patches that are upstream in v7.4.0
- d/p/b/meson-Fix-cross-building-of-dtrace-probes.patch
- d/p/b/apparmor-let-image-label-setting-loop-over-backing-files.patch
- d/p/r/systemd-Revert-remote-Add-libvirtd-dependency-to-virt-gue.patch
- d/p/u/lp-1913266-*: add vsock options to be usable with s390x
- d/p/u/lp-1921754-*: EPYC-Rome-v2
- d/p/u/lp-1921880-*: EPYC-Milan
- d/libvirt-clients.install: completions no more are symlinked to vsh
- Revert "disable firewalld support (universe dependency)"
This does not add a runtime dependency and while firewalld isn't in
main that way users can install and use it from universe.
(LP: #1928113)
- d/libvirt0.symbols: bump symbol versions for 7.4.0
- d/rules: disable the now auto-built vstorage backend
- not-installed: split daemon man pages are no yet installed
-- Christian Ehrhardt <email address hidden> Thu, 08 Jul 2021 14:20:53 +0200
-
libvirt (7.4.0-0ubuntu2) impish; urgency=medium
* d/t/smoke-lxc: skip before systemd 248 due to a known bug (LP: #1934966)
libvirt (7.4.0-0ubuntu1) impish; urgency=medium
* Merge v7.4.0 from upstream,
among a lot of new features and fixes this closes a few of issues
reported against Ubuntu
- Toleration for qemu >=6.0 handling of props (LP: #1932264)
- Persistent vfio-ccw device assignments (LP: #1887929)
- Drop patches that are upstream in v7.4.0
- d/p/b/meson-Fix-cross-building-of-dtrace-probes.patch
- d/p/b/apparmor-let-image-label-setting-loop-over-backing-files.patch
- d/p/r/systemd-Revert-remote-Add-libvirtd-dependency-to-virt-gue.patch
- d/p/u/lp-1913266-*: add vsock options to be usable with s390x
- d/p/u/lp-1921754-*: EPYC-Rome-v2
- d/p/u/lp-1921880-*: EPYC-Milan
- d/libvirt-clients.install: completions no more are symlinked to vsh
- Revert "disable firewalld support (universe dependency)"
This does not add a runtime dependency and while firewalld isn't in
main that way users can install and use it from universe.
(LP: #1928113)
- d/libvirt0.symbols: bump symbol versions for 7.4.0
- d/rules: disable the now auto-built vstorage backend
- not-installed: split daemon man pages are no yet installed
-- Christian Ehrhardt <email address hidden> Thu, 08 Jul 2021 09:33:49 +0200
-
libvirt (7.4.0-0ubuntu1) impish; urgency=medium
* Merge v7.4.0 from upstream,
among a lot of new features and fixes this closes a few of issues
reported against Ubuntu
- Toleration for qemu >=6.0 handling of props (LP: #1932264)
- Persistent vfio-ccw device assignments (LP: #1887929)
- Drop patches that are upstream in v7.4.0
- d/p/b/meson-Fix-cross-building-of-dtrace-probes.patch
- d/p/b/apparmor-let-image-label-setting-loop-over-backing-files.patch
- d/p/r/systemd-Revert-remote-Add-libvirtd-dependency-to-virt-gue.patch
- d/p/u/lp-1913266-*: add vsock options to be usable with s390x
- d/p/u/lp-1921754-*: EPYC-Rome-v2
- d/p/u/lp-1921880-*: EPYC-Milan
- d/libvirt-clients.install: completions no more are symlinked to vsh
- Revert "disable firewalld support (universe dependency)"
This does not add a runtime dependency and while firewalld isn't in
main that way users can install and use it from universe.
(LP: #1928113)
- d/libvirt0.symbols: bump symbol versions for 7.4.0
- d/rules: disable the now auto-built vstorage backend
- not-installed: split daemon man pages are no yet installed
-- Christian Ehrhardt <email address hidden> Thu, 17 Jun 2021 10:33:27 +0200
-
libvirt (7.0.0-2ubuntu2) hirsute; urgency=medium
* d/p/u/lp-1921754*: add EPYC-Rome-v2 as v1 missed IBRS and thereby fails
on some HW/Guest combinations e.g. Windows 10 on Threadripper
(LP: #1921754)
* d/p/u/lp-1921880*: add EPYC-Milan features and named cpu type support
(LP: #1921880)
-- Christian Ehrhardt <email address hidden> Wed, 07 Apr 2021 13:33:46 +0200
-
libvirt (7.0.0-2ubuntu1) hirsute; urgency=medium
* Merge with Debian 7.0.0-1 from Debian unstable
Remaining changes:
- libvirt-uri.sh: Automatically switch default libvirt URI for users
via user profile (xen URI on dom0, qemu:///system otherwise)
[contains lintian fixups of 6.6.0-1ubuntu1]
- Disable libssh2 support (universe dependency)
- Disable firewalld support (universe dependency)
- d/control: add libzfslinux-dev to build-deps
- d/control: drop libvirt-lxc, vbox and xen drivers to suggest
- d/control: breaks replaces for augeas lenses move in 6.0.0-1
(follows Debian, droppable >22.04)
- debian/rules: disable the netcf backend. (LP: 1764314)
- debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI
Secure Boot enabled variants of the OVMF firmware and variable store for
the paths where we ship these files in Ubuntu.
- Set qemu-group to kvm (for compat with older ubuntu)
- Additional apport package-hook
- Autostart default bridged network (As upstream does, but not Debian).
In addition to just enabling it our solution provides:
+ do not autostart if subnet is already taken (e.g. in guests).
+ iterate some alternative subnets before giving up
- d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
the group based access to libvirt functions as it was used in Ubuntu
for quite a long time.
+ d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
due to the group access change.
+ d/libvirt-daemon-system.postinst: add users in sudo to the libvirt
group.
- ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
- Update README.Debian with Ubuntu changes
- d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
- fix autopkgtests (LP 1899180)
+ d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making
vmlinuz available and accessible (Debian bug 848314)
+ d/t/control: fix smoke-qemu-session by ensuring the service will run
installing libvirt-daemon-system
+ d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as
long as the following undefine succeeds
+ d/t/smoke-lxc: use systemd instead of sysV to restart the service
+ d/t/control, d/t/smoke-lxc: retry service restart and skip test if
failing; This was flaky on some release/architectures
+ d/t/smoke-lxc: retry check_domain being flaky on arm64
- dnsmasq related enhancements
[now contains dnsmasq-as-priv-user of 6.6.0-1ubuntu1]
+ run dnsmasq as libvirt-dnsmasq (LP: 1743718)
+ d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
+ d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group
on purge
+ d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user
libvirt-dnsmasq and adapt the self tests to expect that config
+ d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group
+ Add dnsmasq configuration to work with system wide dnsmasq-base
- d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default
machine type correctly with newer qemu/libvirt
- d/p/ubuntu/lp-1861125-ubuntu-models: recognize Ubuntu models for
(LP 1861125) fixups
- d/p/ubuntu/wait-for-qemu-kvm.patch - avoid hangs on startup (LP 1887592)
- remove Debian debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch as with
recent ubuntu glibx 2.32 it is breaking the build
- d/control: add libtirpc for rpc.h with glibc >=2.32
- Apparmor Delta that is Ubuntu specific or yet to be upstreamed
split into logical pieces. File names in debian/patches/ubuntu-aa/:
+ 0020-virt-aa-helper-ubuntu-storage-paths.patch:
apparmor, virt-aa-helper: Allow various storage pools and image
locations
+ 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor,
libvirt-qemu: Add 9p support
+ 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch:
virt-aa-helper: Ask for no deny rule for readonly disk (renamed and
reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch)
+ 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch:
apparmor, libvirt-qemu: Allow reading charm-specific ceph config
+ 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow
commands executed by ubuntu only kvm wrapper on ppc64el
(LP 1686621 LP 1680384 LP 1784023)
+ 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch:
apparmor, virt-aa-helper: access for snapped nova
+ lp-1815910-allow-vhost-net.patch: avoid apparmor issues
with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: 1815910)
- d/p/u/lp-1913266-*: add vsock options to be usable with s390x secure
execution (LP 1913266)
* Dropped Changes [in Debian now]
- Avoid various issues around service/socket status after install/reinstall
and on upgrades (LP 1914054).
- d/rules: let sockets use --no-stop-on-upgrade to avoid false positives
- d/rules: --no-restart-after-upgrade does not prevent restarts
- d/rules: avoid --no-start which breaks .sockets on re-install
- d/rules: start, but do not restart libvirt-guests.service
- Dependency improvements yet unreleased from salsa/debian/master thanks
to Andrea Bolognani (Debian #981435).
- control: Always explicitly depend on libvirt0
- control: Always use versioned deps for libvirt components
- d/control: extend demotion of libvirt-lxc related dependencies to
libvirt-login-shell
libvirt (7.0.0-2) unstable; urgency=medium
* Team upload
[ Matthew Gabeler-Lee ]
* [7391555] control: recommend qemu support for iscsi-direct
- Closes: #981284
[ Andrea Bolognani ]
* [8048eef] control: Always use versioned deps for libvirt components
- Closes: #981435
* [effe0cd] control: Always explicitly depend on libvirt0
* [d3c8ec2] control: Bump Standards-Version to 4.5.1
[ Christian Ehrhardt ]
* [3cbe8f9] d/control: avoid libvirt-clients to pull in libvirt-daemon
* [295944d] systemd: start, but do not restart libvirt-guests.service
* [ddbad4b] systemd: do not restart sockets
-- Christian Ehrhardt <email address hidden> Tue, 23 Feb 2021 12:16:08 +0100
