feat: update libvirt to 10.7.0-3

AUTHORS.rst

@@ -143,6 +143,7 @@ Patches have also been contributed by:
 * Antoni S. Puimedon <asegurap@redhat.com>
 * Anton Khramov <anton@endocode.com>
 * Anya Harter <aharter@redhat.com>
+* aokblast <aokblast@FreeBSD.org>
 * Arnaud Patard <apatard@hupstream.com>
 * Aron Griffis <aron.griffis@hp.com>
 * Artem Chernyshev <artem.chernyshev@red-soft.ru>
@@ -253,6 +254,7 @@ Patches have also been contributed by:
 * Dankaházi (ifj.) István <dankahazi.istvan@gmail.com>
 * Dan Kenigsberg <danken@redhat.com>
 * dann frazier <dann.frazier@canonical.com>
+* Danny Sauer <gitlab@dannysauer.com>
 * Dan Smith <danms@us.ibm.com>
 * Dan Zheng <dzheng@redhat.com>
 * Dario Faggioli <dario.faggioli@citrix.com>
@@ -360,9 +362,11 @@ Patches have also been contributed by:
 * Gene Czarcinski <gene@czarc.net>
 * Geoff Hickey <ghickey@datagravity.com>
 * George Dunlap <george.dunlap@citrix.com>
+* Georgia Garcia <georgia.garcia@canonical.com>
 * Gerd Hoffmann <kraxel@redhat.com>
 * Gerd v. Egidy <gerd@egidy.de>
 * Gerhard Stenzel <gerhard.stenzel@de.ibm.com>
+* Gildasio Junior <gildasiojunior@riseup.net>
 * Giuseppe Scrivano <gscrivan@redhat.com>
 * Gogo Gogsi <linux.hr@protonmail.com>
 * gongwei <gongwei@smartx.com>
@@ -398,6 +402,7 @@ Patches have also been contributed by:
 * hexin <hexin15@baidu.com>
 * Hiroki Narukawa <hnarukaw@yahoo-corp.jp>
 * Hongbin Lu <hongbin034@gmail.com>
+* hongmianquan <hongmianquan@bytedance.com>
 * Hongwei Bi <hwbi2008@gmail.com>
 * Huanle Han <hanxueluo@gmail.com>
 * Huaqiang <huaqiang.wang@intel.com>
@@ -456,6 +461,7 @@ Patches have also been contributed by:
 * jiangjiacheng <jiangjiacheng@huawei.com>
 * Jiang Jiacheng <jiangjiacheng@huawei.com>
 * Jiang Kun <jiang.kun2@zte.com.cn>
+* jianqing yan <yanjianqing@kylinos.cn>
 * Jianwei Hu <jiahu@redhat.com>
 * Jia Zhou <zhou.jia2@zte.com.cn>
 * Jidong Xia <xiajidong@cmss.chinamobile.com>
@@ -487,6 +493,7 @@ Patches have also been contributed by:
 * Jonathan Watt <jwatt@jwatt.org>
 * Jonathan Wright <jonathan@almalinux.org>
 * Jonathon Jongsma <jjongsma@redhat.com>
+* Jon Kohler <jon@nutanix.com>
 * Josh Durgin <josh.durgin@inktank.com>
 * Josh Stone <jistone@redhat.com>
 * Jovanka Gulicoska <jovanka.gulicoska@gmail.com>
@@ -499,6 +506,7 @@ Patches have also been contributed by:
 * Justin Gatzen <justin.gatzen@gmail.com>
 * Kai Kang <kai.kang@windriver.com>
 * KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+* Kamil Szczęk <kamil@szczek.dev>
 * Karel Zak <kzak@redhat.com>
 * Karim Taha <kariem.taha2.7@gmail.com>
 * Kashyap Chamarthy <kchamart@redhat.com>
@@ -515,6 +523,7 @@ Patches have also been contributed by:
 * Konstantin Neumoin <kneumoin@virtuozzo.com>
 * Kothapally Madhu Pavan <kmp@linux.vnet.ibm.com>
 * Kristina Hanicova <khanicov@redhat.com>
+* Kshitij Jha <kshitij.jha@nutanix.com>
 * K Shiva Kiran <shiva_kr@riseup.net>
 * K Shiva <shiva_kr@riseup.net>
 * Kyle DeFrancia <kdef@linux.vnet.ibm.com>
@@ -642,6 +651,8 @@ Patches have also been contributed by:
 * Milos Vyletel <milos.vyletel@sde.cz>
 * minglei.liu <minglei.liu@smartx.com>
 * Minoru Usui <usui@mxm.nes.nec.co.jp>
+* Miroslav Los <mirlos@cisco.com>
+* Miroslav Los via Devel <devel@lists.libvirt.org>
 * Mooli Tayer <mtayer@redhat.com>
 * MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>
 * Moshe Levi <moshele@mellanox.com>
@@ -666,6 +677,7 @@ Patches have also been contributed by:
 * Nico Pache <npache@redhat.com>
 * Niels de Vos <ndevos@redhat.com>
 * Nikolai Barybin <nikolai.barybin@virtuozzo.com>
+* Nikolai Barybin via Devel <devel@lists.libvirt.org>
 * Nikolay Shirokovskiy <nshirokovskiy@openvz.org>
 * Nikolay Shirokovskiy <nshirokovskiy@virtuozzo.com>
 * Nikos Mavrogiannopoulos <nmav@redhat.com>
@@ -737,6 +749,7 @@ Patches have also been contributed by:
 * Prerna Saxena <prerna@linux.vnet.ibm.com>
 * Pritesh Kothari <pritesh.kothari@sun.com>
 * Purna Pavan Chandra Aekkaladevi <paekkaladevi@linux.microsoft.com>
+* Purna Pavan Chandra <paekkaladevi@linux.microsoft.com>
 * Qiao Nuohan <qiaonuohan@cn.fujitsu.com>
 * Qiaowei Ren <qiaowei.ren@intel.com>
 * Radoslaw Biernacki <radoslaw.biernacki@linaro.org>
@@ -784,6 +797,7 @@ Patches have also been contributed by:
 * Sahid Orentino Ferdjaoui <sahid.ferdjaoui@cloudwatt.com>
 * Sam Bobroff <sam.bobroff@au1.ibm.com>
 * Sam Hartman <hartmans@debian.org>
+* Sandesh Patel <sandesh.patel@nutanix.com>
 * sannyshao <jishao@redhat.com>
 * Sascha Peilicke <saschpe@suse.de>
 * Sascha Silbe <silbe@linux.vnet.ibm.com>
@@ -803,6 +817,7 @@ Patches have also been contributed by:
 * Serge Hallyn <serge.hallyn@ubuntu.com>
 * Sergey A <sw@atrus.ru>
 * Sergey Bronnikov <sergeyb@openvz.org>
+* Sergey Dyasli <sergey.dyasli@nutanix.com>
 * Sergey Fionov <fionov@gmail.com>
 * Sergey Mironov <mironov@fintech.ru>
 * Sergio Durigan Junior <sergio.durigan@canonical.com>
@@ -856,6 +871,7 @@ Patches have also been contributed by:
 * Sukrit Bhatnagar <skrtbhtngr@gmail.com>
 * Supriya Kannery <supriyak@linux.vnet.ibm.com>
 * Suyang Chen <dawson0xff@gmail.com>
+* Swapnil Ingle <swapnil.ingle@nutanix.com>
 * Syed Humaid <syedhumaidbinharoon@gmail.com>
 * Szymon Scholz <szymonscholz@gmail.com>
 * Taisuke Yamada <tai@rakugaki.org>

NEWS.rst

@@ -8,6 +8,157 @@ the changes introduced by each of them.
 For a more fine-grained view, use the `git log`_.
 
 
+v10.7.0 (2024-09-02)
+====================
+
+* **Security**
+
+ * CVE-2024-8235: Crash of ``virtinterfaced`` via ``virConnectListInterfaces()``
+
+ A refactor of the code fetching the list of interfaces for multiple APIs
+ introduced corner case on platforms where allocating 0 bytes of memory
+ results in a NULL pointer.
+
+ This corner case would lead to a NULL-pointer dereference and subsequent
+ crash of ``virtinterfaced`` if ``virConnectListInterfaces()`` is called
+ requesting 0 networks to be filled.
+
+ The bug was introduced in libvirt-10.4.0
+
+* **New features**
+
+ * qemu: Introduce the ability to disable the built-in PS/2 controller
+
+ It is now possible to control the state of the ``ps2`` feature in the
+ domain XML for descendants of the generic PC machine type (``i440fx``,
+ ``q35``, ``xenfv`` and ``isapc``).
+
+* **Improvements**
+
+ * ch: support restore with network devices
+
+ Cloud-Hypervisor starting from V40.0 supports restoring file descriptor
+ backed network devices. So, create new net fds and pass them via
+ SCM_RIGHTS to CH during restore operation.
+
+ * ch: support basic networking modes
+ Cloud-Hypervisor driver now supports Ethernet, Network (NAT) and Bridge
+ networking modes.
+
+v10.6.0 (2024-08-05)
+====================
+
+* **Removed features**
+
+ * qemu: Require QEMU-5.2.0 or newer
+
+ The minimal required version of QEMU was bumped to 5.2.0.
+
+* **New features**
+
+ * qemu: Add support for the 'pauth' Arm CPU feature
+
+ * Introduce pstore device
+
+ The aim of pstore device is to provide a bit of NVRAM storage for guest
+ kernel to record oops/panic logs just before it crashes. Typical usage
+ includes usage in combination with a watchdog so that the logs can be
+ inspected after the watchdog rebooted the machine.
+
+* **Improvements**
+
+ * qemu: Set 'passt' net backend if 'default' is unsupported
+
+ If QEMU is compiled without SLIRP support, and if domain XML allows it,
+ starting from this release libvirt will use passt as the default backend
+ instead. Also, supported backends are now reported in the domain
+ capabilities XML.
+
+ * qemu: add a monitor to /proc/$pid when killing times out
+
+ In cases when a QEMU process takes longer to be killed, libvirt might have
+ skipped cleaning up after it. But now a /proc/$pid watch is installed so
+ this does not happen ever again.
+
+* **Bug fixes**
+
+ * virt-aa-helper: Allow RO access to /usr/share/edk2-ovmf
+
+ When binary version of edk2 is distributed, the files reside under
+ /usr/share/edk2-ovmf. Allow virt-aa-helper to generate paths under that
+ directory.
+
+ * virt-host-validate: Allow longer list of CPU flags
+
+ During its run, virt-host-validate parses /proc/cpuinfo to learn about CPU
+ flags. But due to a bug it parsed only the first 1024 bytes worth of CPU
+ flags leading to unexpected results. The file is now parsed properly.
+
+ * capabilities: Be more forgiving when decoding OEM strings
+
+ On some systems, OEM strings are scattered in multiple sections. This
+ confused libvirt when generating capabilities XML. Not anymore.
+
+
+v10.5.0 (2024-07-01)
+====================
+
+* **New features**
+
+ * Introduce SEV-SNP support
+
+ SEV-SNP is introduced as another type of ``<launchSecurity/>``. Its support
+ is reported in both domain capabilities and ``virt-host-validate``.
+
+* **Improvements**
+
+ * tools: virt-pki-validate has been rewritten in C
+
+ The ``virt-pki-validate`` shell script has been rewritten as a C program,
+ providing an output format that matches ``virt-host-validate``, removing
+ the dependency on ``certtool`` and providing more comprehensive checks
+ of the certificate properties.
+
+ * qemu: implement iommu coldplug/unplug
+
+ The ``<iommu/>`` device can be now cold plugged and/or cold unplugged.
+
+ * Pass shutoff reason to release hook
+
+ Sometimes in release hook it is useful to know if the VM shutdown was
+ graceful or not. This is especially useful to do cleanup based on the VM
+ shutdown failure reason in release hook. Starting with this release the
+ last argument 'extra' is used to pass VM shutoff reason in the call to
+ release hook.
+
+ * nodedev: improve DASD detection
+
+ In newer DASD driver versions the ID_TYPE tag is supported. This tag is
+ missing after a system reboot but when the ccw device is set offline and
+ online the tag is included. To fix this version independently we need to
+ check if a device detected as type disk is actually a DASD to maintain the
+ node object consistency and not end up with multiple node objects for
+ DASDs.
+
+* **Bug fixes**
+
+ * remote_daemon_dispatch: Unref sasl session when closing client connection
+
+ A memory leak was identified when a client started SASL but then suddenly
+ closed connection. This is now fixed.
+
+ * qemu: Fix migration with disabled vmx-* CPU features
+
+ Migrating a domain with some vmx-* CPU features marked as disabled could
+ have failed as the destination would incorrectly expect those features to
+ be enabled after starting QEMU.
+
+ * qemu: Fix ``libvirtd``/``virtqemud`` crash when VM shuts down during migration
+
+ The libvirt daemon could crash when a VM was shut down while being migrated
+ to another host.
+
+
 v10.4.0 (2024-06-03)
 ====================
 

debian/NEWS

@@ -1,3 +1,20 @@
+libvirt (10.6.0-2) experimental; urgency=medium
+
+ The package has been reworked significantly.
+
+ All the various drivers and storage backends come in their own
+ separate binary packages now, which makes it possible to install
+ exactly as many or as few as desired.
+
+ The system-wide configuration for the libvirtd daemon is no longer
+ shipped separately from the daemon itself, as was the case until
+ now. The libvirt-daemon-system package still exists, but it's now
+ simply a convenient way to install the "typical" libvirt
+ deployment consisting of all the components needed to run a
+ QEMU-based hypervisor.
+
+ -- Andrea Bolognani <eof@kiyuko.org> Sat, 24 Aug 2024 11:01:43 +0200
+
 libvirt (9.6.0-1) unstable; urgency=medium
 
  Local overrides for AppArmor abstractions are now expected to

debian/arches.mk

@@ -1,7 +1,7 @@
-ARCHES_CEPH = amd64 arm64 mips64el ppc64el riscv64 s390x
-ARCHES_GLUSTER = amd64 arm64 ia64 mips64el ppc64 ppc64el riscv64 s390x sparc64
-ARCHES_QEMU = amd64 arm64 armel armhf i386 mips64el mipsel powerpc ppc64 ppc64el riscv64 s390x sparc64 x32
-ARCHES_LXC = alpha amd64 arm64 armel armhf hppa i386 m68k mips64el mipsel powerpc ppc64 ppc64el riscv64 s390x sh4 sparc64 x32
+ARCHES_CEPH = amd64 arm64 loong64 mips64el ppc64el riscv64 s390x
+ARCHES_GLUSTER = amd64 arm64 ia64 loong64 mips64el ppc64 ppc64el riscv64 s390x sparc64
+ARCHES_QEMU = amd64 arm64 armel armhf i386 loong64 mips64el mipsel powerpc ppc64 ppc64el riscv64 s390x sparc64 x32
+ARCHES_LXC = alpha amd64 arm64 armel armhf hppa i386 loong64 m68k mips64el mipsel powerpc ppc64 ppc64el riscv64 s390x sh4 sparc64 x32
 ARCHES_XEN = amd64 arm64 armhf
 ARCHES_VBOX = amd64 i386
 

debian/changelog

@@ -1,3 +1,79 @@
+libvirt (10.7.0-3) unstable; urgency=medium
+
+ * [70a5d8d] patches: Add backport/apparmor-Don-t-check-for[...]
+ - Ensures that AppArmor doesn't get disabled for QEMU domains
+ just because the LXC driver is not installed (Closes: #1081396)
+
+ -- Andrea Bolognani <eof@kiyuko.org> Mon, 16 Sep 2024 21:41:15 +0200
+
+libvirt (10.7.0-2) unstable; urgency=medium
+
+ * [6fb4103] control: Turn dmidecode back into a Recommends
+ - It was accidentally made it into a Depends in 10.6.0-2,
+ which has resulted in libvirt-daemon being uninstallable on
+ architectures that don't have dmidecode (e.g. ppc64el)
+
+ -- Andrea Bolognani <eof@kiyuko.org> Sun, 08 Sep 2024 15:15:11 +0200
+
+libvirt (10.7.0-1) unstable; urgency=medium
+
+ * [a84ccbd] New upstream version 10.7.0
+ - Update for qemu-bridge-helper's new location (Closes: #1077915)
+ - Fixes CVE-2024-8235 (Closes: #1080218)
+
+ -- Andrea Bolognani <eof@kiyuko.org> Thu, 05 Sep 2024 20:59:27 +0200
+
+libvirt (10.6.0-3) experimental; urgency=medium
+
+ * [01e7456] control: Bump Standards-Version to 4.7.0
+ - No changes needed.
+ * [b172fde] control: Change some Breaks+Replaces to Conflicts
+ - Prevents file loss scenarios during upgrade (DEP17 M7)
+ - Thanks to Helmut Grohne
+ * [4f20e64] snippets: Create protective diversions
+ - Prevents file loss scenarios during upgrade (DEP17 M8)
+ - Thanks to Helmut Grohne
+
+ -- Andrea Bolognani <eof@kiyuko.org> Sun, 01 Sep 2024 16:31:02 +0200
+
+libvirt (10.6.0-2) experimental; urgency=medium
+
+ * [9333950] control: Introduce daemon-common package
+ + As well as a bunch more. In general, every single driver and
+ storage backend comes with its own binary package now, which
+ makes it possible to decide exactly what gets installed
+ * [d776368] control: Mark daemon-system-* packages as dummy
+ + Configuration for the daemon is now shipped in libvirt-daemon
+ * [0ac1f2c] control: Mark sanlock package as dummy
+ + Replaced by libvirt-daemon-plugin-sanlock
+ * [cf64ba3] install: Perform usr-merge transition
+ - Thanks to Michael Biebl, Helmut Grohne (Closes: #1064126)
+
+ -- Andrea Bolognani <eof@kiyuko.org> Sat, 24 Aug 2024 13:37:16 +0200
+
+libvirt (10.6.0-1) unstable; urgency=medium
+
+ * [65e5d2b] New upstream version 10.6.0
+ * [cca0f9c] control: Drop Build-Depends on pm-utils
+ - Support is explicitly disabled
+ * [963bd56] control: Drop Build-Depends on systemd
+ - It's not used
+ * [7c418f9] control: Suggest daemon on Linux only
+ - It doesn't get built elsewhere
+ * [664a6db] control: Enable more features on loong64.
+ - Start building the QEMU and LXC hypervisor drivers as
+ well as the glusterfs and ceph storage drivers
+ - Thanks to Dandan Zhang (Closes: #1075758)
+
+ -- Andrea Bolognani <eof@kiyuko.org> Wed, 07 Aug 2024 02:50:03 +0200
+
+libvirt (10.5.0-1) unstable; urgency=medium
+
+ * [a8c62f5] New upstream version 10.5.0
+ - Fixes qemu:///session (Closes: #1072723, #1072769)
+
+ -- Andrea Bolognani <eof@kiyuko.org> Thu, 04 Jul 2024 00:44:29 +0200
+
 libvirt (10.4.0-1) unstable; urgency=medium
 
  * [7ed6608] New upstream version 10.4.0