diff -Nru libvirt-1.3.1/debian/changelog libvirt-1.3.1/debian/changelog
--- libvirt-1.3.1/debian/changelog 2019-10-30 21:52:41.000000000 +0000
+++ libvirt-1.3.1/debian/changelog 2020-02-26 16:23:18.000000000 +0000
@@ -1,3 +1,12 @@
+libvirt (1.3.1-1ubuntu10.30) xenial; urgency=medium
+
+ * d/p/lp-1844455-node_device_conf-Don-t-leak-physical_function.patch:
+ fix memory-leak from PCI-related structure. (LP: #1844455)
+ * d/p/lp-1864918-Fix-TLS-test-suites-with-gnutls-3.6.0.patch: fix failing TLS
+ tests due to recent-introduced SHA1 restriction in gnutls. (LP: #1864918)
+
+ -- Guilherme G. Piccoli Wed, 26 Feb 2020 13:23:18 -0300
+
 libvirt (1.3.1-1ubuntu10.29) xenial; urgency=medium
 
 * debian/patches/lp1681839-*.patch: Fix block commit timeout
diff -Nru libvirt-1.3.1/debian/patches/series libvirt-1.3.1/debian/patches/series
--- libvirt-1.3.1/debian/patches/series 2019-10-30 21:52:41.000000000 +0000
+++ libvirt-1.3.1/debian/patches/series 2020-02-26 16:23:18.000000000 +0000
@@ -115,3 +115,5 @@
 lp1681839-02-virsh-be-consistent-with-style-of-loop-exit.patch
 lp1681839-03-virsh-ensure-SIGINT-action-is-reset-on-all-errors.patch
 lp1681839-04-virsh-improve-waiting-for-block-job-readiness.patch
+ubuntu/lp-1844455-node_device_conf-Don-t-leak-physical_function.patch
+ubuntu/lp-1864918-Fix-TLS-test-suites-with-gnutls-3.6.0.patch
diff -Nru libvirt-1.3.1/debian/patches/ubuntu/lp-1844455-node_device_conf-Don-t-leak-physical_function.patch libvirt-1.3.1/debian/patches/ubuntu/lp-1844455-node_device_conf-Don-t-leak-physical_function.patch
--- libvirt-1.3.1/debian/patches/ubuntu/lp-1844455-node_device_conf-Don-t-leak-physical_function.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-1.3.1/debian/patches/ubuntu/lp-1844455-node_device_conf-Don-t-leak-physical_function.patch 2020-02-26 16:23:18.000000000 +0000
@@ -0,0 +1,23 @@
+Subject: node_device_conf: Don't leak @physical_function in virNodeDeviceGetPCISRIOVCaps
+
+The pci_dev->physical_function is rewritten in
+virPCIGetPhysicalFunction() to a newly allocated pointer.
+Therefore, we must free the old one to avoid memleak.
+
+Author: Jiang Kun
+Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=38816336
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1844455
+Last-Update: 2020-02-20
+
+diff --git a/src/node_device/node_device_linux_sysfs.c b/src/node_device/node_device_linux_sysfs.c
+index 431f471f7a0e..d9046c93d480 100644
+--- a/src/node_device/node_device_linux_sysfs.c
++++ b/src/node_device/node_device_linux_sysfs.c
+@@ -149,6 +149,7 @@ nodeDeviceSysfsGetPCISRIOVCaps(const char *sysfsPath,
+ for (i = 0; i < data->pci_dev.num_virtual_functions; i++)
+ VIR_FREE(data->pci_dev.virtual_functions[i]);
+ VIR_FREE(data->pci_dev.virtual_functions);
++ VIR_FREE(data->pci_dev.physical_function);
+ data->pci_dev.num_virtual_functions = 0;
+ data->pci_dev.max_virtual_functions = 0;
+ data->pci_dev.flags &= ~VIR_NODE_DEV_CAP_FLAG_PCI_VIRTUAL_FUNCTION;
diff -Nru libvirt-1.3.1/debian/patches/ubuntu/lp-1864918-Fix-TLS-test-suites-with-gnutls-3.6.0.patch libvirt-1.3.1/debian/patches/ubuntu/lp-1864918-Fix-TLS-test-suites-with-gnutls-3.6.0.patch
--- libvirt-1.3.1/debian/patches/ubuntu/lp-1864918-Fix-TLS-test-suites-with-gnutls-3.6.0.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-1.3.1/debian/patches/ubuntu/lp-1864918-Fix-TLS-test-suites-with-gnutls-3.6.0.patch 2020-02-26 16:23:18.000000000 +0000
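Review bot: The added `VIR_FREE(data->pci_dev.physical_function);` in the reset sequence of nodeDeviceSysfsGetPCISRIOVCaps has no comment saying why the pointer must be released here, and the visible lines clear only `VIR_NODE_DEV_CAP_FLAG_PCI_VIRTUAL_FUNCTION`. I would put `/* virPCIGetPhysicalFunction() allocates a fresh address on every refresh; release the previous one first */` above the new line. The function body continues past the hunk, so it is worth confirming there that the corresponding physical-function capability flag is also reset before the lookup; otherwise a failed lookup could leave the flag set while the pointer is NULL, and a consumer that trusts the flag would dereference it.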
@@ -0,0 +1,29 @@
+Subject: Fix TLS test suites with gnutls 3.6.0
+
+With gnutls 3.6.0, SHA1 is no longer accepted for certificate
+signatures. We must use SHA256 instead.
+
+Author: "Daniel P. Berrange"
+Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=c666661b
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1864918
+Last-Update: 2020-02-26
+---
+ tests/virnettlshelpers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/virnettlshelpers.c b/tests/virnettlshelpers.c
+index 531d0b9075a9..b735c4e2f056 100644
+--- a/tests/virnettlshelpers.c
++++ b/tests/virnettlshelpers.c
+@@ -384,7 +384,7 @@ testTLSGenerateCert(struct testTLSCertReq *req,
+ * If no 'ca' is set then we are self signing
+ * the cert. This is done for the root CA certs
+ */
+- if ((err = gnutls_x509_crt_sign(crt, ca ? ca : crt, privkey)) < 0) {
++ if ((err = gnutls_x509_crt_sign2(crt, ca ? ca : crt, privkey, GNUTLS_DIG_SHA256, 0)) < 0) {
+ VIR_WARN("Failed to sign certificate %s", gnutls_strerror(err));
+ abort();
+ }
+--
+2.24.1
+
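Review bot: The new `gnutls_x509_crt_sign2(crt, ca ? ca : crt, privkey, GNUTLS_DIG_SHA256, 0)` call in testTLSGenerateCert has no code comment recording why the digest is now named explicitly, and the statement is written as one very long line. I would extend the existing comment block above it with `gnutls >= 3.6.0 rejects SHA1 certificate signatures, so name the digest instead of relying on the library default` and wrap the argument list after `privkey,`. Only the patch description carries that reasoning today, so a later cleanup could switch back to the shorter `gnutls_x509_crt_sign()` and, per that description, bring back SHA1-signed test certificates. The function starts and ends outside the hunk.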