Format: 1.8
Date: Fri, 16 Aug 2019 17:47:04 +0000
Source: libvirt
Binary: libvirt-clients libvirt-daemon libvirt-daemon-driver-storage-gluster libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-zfs libvirt-daemon-system libvirt0 libvirt-doc libvirt-dev libvirt-sanlock libnss-libvirt libvirt-wireshark
Architecture: source
Version: 5.4.0-0ubuntu3~cloud0
Distribution: bionic
Urgency: medium
Maintainer: Ubuntu Developers
Changed-By: Openstack Ubuntu Testing Bot
Description:
 libnss-libvirt - nss plugins providing IP address resolution for virtual machines
 libvirt-clients - Programs for the libvirt library
 libvirt-daemon - Virtualization daemon
 libvirt-daemon-driver-storage-gluster - Virtualization daemon glusterfs storage driver
 libvirt-daemon-driver-storage-rbd - Virtualization daemon RBD storage driver
 libvirt-daemon-driver-storage-zfs - Virtualization daemon ZFS storage driver
 libvirt-daemon-system - Libvirt daemon configuration files
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt-sanlock - Sanlock plugin for virtlockd
 libvirt-wireshark - Wireshark dissector for the libvirt protocol
 libvirt0 - library for interfacing with different virtualization systems
Closes: 910288 916587 918472 919484 919663 920574 921713 926418
Launchpad-Bugs-Fixed: 1759509 1832297 1833040
Changes:
 libvirt (5.4.0-0ubuntu3~cloud0) bionic-train; urgency=medium
 .
   * New upstream release for the Ubuntu Cloud Archive.
 .
 libvirt (5.4.0-0ubuntu3) eoan; urgency=medium
 .
   * SECURITY UPDATE: virDomainSaveImageGetXMLDesc does not check for
     read-only connection
     - debian/patches/CVE-2019-10161.patch: add check to
       src/libvirt-domain.c, src/qemu/qemu_driver.c,
       src/remote/remote_protocol.x.
     - CVE-2019-10161
   * SECURITY UPDATE: virDomainManagedSaveDefineXML does not check for
     read-only connection
     - debian/patches/CVE-2019-10166.patch: add check to
       src/libvirt-domain.c.
     - CVE-2019-10166
   * SECURITY UPDATE: virConnectGetDomainCapabilities does not check for
     read-only connection
     - debian/patches/CVE-2019-10167.patch: add check to
       src/libvirt-domain.c.
     - CVE-2019-10167
   * SECURITY UPDATE: virConnect*HypervisorCPU do not check for read-only
     connection
     - debian/patches/CVE-2019-10168.patch: add checks to
       src/libvirt-host.c.
     - CVE-2019-10168
 .
 libvirt (5.4.0-0ubuntu2) eoan; urgency=medium
 .
   * d/p/ubuntu-aa/lp-1833040-Add-openGraphicsFD-rule-for-named-profile.patch:
     avoid issues with remote screen connections like virt-manager due to
     apparmor changes in libvirt 5.1 (LP: #1833040)
 .
 libvirt (5.4.0-0ubuntu1) eoan; urgency=medium
 .
   * Merged with Debian git 5.3.0-1~1.gbp7b1637 and upstreams 5.4 release
     Among many other new features and fixes this includes fixes for:
     LP: #1759509 - virsh dompmwakeup fails to wake VM from dompmsuspend
     state
     Remaining changes:
     - Disable libssh2 support (universe dependency)
     - Disable firewalld support (universe dependency)
     - Set qemu-group to kvm (for compat with older ubuntu)
     - Additional apport package-hook
     - Autostart default bridged network (As upstream does, but not Debian).
       In addition to just enabling it our solution provides:
       + do not autostart if subnet is already taken (e.g. in guests).
       + iterate some alternative subnets before giving up
     - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
       the group based access to libvirt functions as it was used in Ubuntu
       for quite long.
       + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
         due to the group access change.
       + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt
         group.
     - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
     - Update Vcs-Git and Vcs-Browser fields to point to launchpad
     - Xen related
     - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
       section that adapts the path of the emulator to the Debian/Ubuntu
       packaging is kept.
     - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch:
       auto set VRAM to minimum requirements
     - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
     - Add libxl log directory
     - libvirt-uri.sh: Automatically switch default libvirt URI for users
       on Xen dom0 via user profile (was missing on changelogs before)
     - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h
       from included_files to avoid build failures due to duplicate
       definitions.
     - Update README.Debian with Ubuntu changes
     - Enable some additional features on ppc64el and s390x (for arch
       parity)
       + systemtap, zfs, numa and numad on s390x.
       + systemtap on ppc64el.
     - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by
       making vmlinuz available and accessible (Debian bug 848314)
     - d/t/control, d/t/smoke-lxc: fix up lxc smoke test isolation
     - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
     - Further upstreamed apparmor Delta, especially any new one
       Our former delta is split into logical pieces and is either Ubuntu
       only or is part of a continuous upstreaming effort.
       Listing related remaining changes in debian/patches/ubuntu-aa/:
       + 0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch:
         apparmor: Allow pygrub to run on Debian/Ubuntu
       + 0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch:
         apparmor, libvirt-qemu: Allow read access to overcommit_memory
       + 0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch:
         apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv
       + 0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch:
         apparmor, virt-aa-helper: Allow access to tmp directories
       + ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch:
         apparmor, virt-aa-helper: Allow various storage pools and image
         locations
       + 0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch:
         apparmor, virt-aa-helper: Add openvswitch support
       + 0029-appmor-libvirt-qemu-Add-9p-support.patch:
         appmor, libvirt-qemu: Add 9p support
       + 0030-virt-aa-helper-Complete-9p-support.patch:
         virt-aa-helper: add l to 9p file options.
       + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch:
         virt-aa-helper: Ask for no deny rule for readonly disk
         (renamed and reworded, was
         virt-aa-helper-no-explicity-deny-for-basefiles.patch)
       + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch:
         apparmor, libvirt-qemu: Allow reading charm-specific ceph config
       + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch:
         allow commands executed by ubuntu only kvm wrapper on ppc64el
         (LP 1686621 LP 1680384 LP 1784023)
       + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch:
         apparmor, virt-aa-helper: access for snapped nova
       + d/p/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch,
         d/libvirt-daemon-system.postinst: provide a local apparmor include
         for abstraction/libvirt-qemu (LP: 1786019)
       + d/p/ubuntu-aa/lp-1815910-allow-vhost-net.patch: avoid apparmor
         issues with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: 1815910)
     - d/rules: enable build time self tests on all architectures
     - dnsmasq related enhancements
       + run dnsmasq as libvirt-dnsmasq (LP: 1743718)
       + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and
         group
       + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and
         group on purge
       + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user
         libvirt-dnsmasq and adapt the self tests to expect that config
       + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users
         group
       + Add dnsmasq configuration to work with system wide dnsmasq-base
     - debian/rules: disable the netcf backend. (LP: 1764314)
     - debian/control: drop libnetcf from Build-Depends.
     - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd
       UEFI Secure Boot enabled variants of the OVMF firmware and variable
       store for the paths where we ship these files in Ubuntu.
     - d/rules: install virtlockd correctly with defaults file (LP: 1729516)
     - d/rules: also check build time self test results on all architectures
     - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default
       machine type correctly with newer qemu/libvirt
     - d/t/control: fix smoke-qemu-session by ensuring the service will run
       installing libvirt-daemon-system
     - d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy
       as long as the following undefine succeeds
     - avoid service dependency issues on upgrade (LP: 1786179)
       This will in the long term be resolved in dh_* tools, but to let an
       upgrade work for now we need to drop the sysV scripts (which we
       don't use anyway) and slightly modify the systemd service to work
       with today's dh_systemd_start properly. Can be dropped once Debian
       bug 905772 is resolved in dh_* tools and libvirt uses that new code.
     - d/libvirt-daemon-system.virtlogd.init: removed sysV init file
     - d/libvirt-daemon-system.libvirtd.init: removed sysV init file
     - debian/libvirt-daemon-system.maintscript: rm_conffile for virtlogd
       and libvirtd sysV init file
     - d/p/ubuntu/avoid-restarting-virtlog-socket.patch: drop Also
       references to virtlogd/virtlockd sockets as they would imply a
       restart of virtlogd breaking it.
     - d/t/smoke-lxc: use systemd instead of sysV to restart the service
   * Added Changes:
     - Refreshed patches to match new upstream
     - d/p/Reduce-udevadm-settle-timeout-to-10-seconds.patch
     - d/p/ubuntu/ubuntu_machine_type.patch
     - d/control: Revert iptables/ebtables dependency as Eoan still is on
       1.6.x This can be dropped once >=1.8.1
     - d/rules: adapt iptables binary paths present in Eoan (LP: #1832297)
       This can be dropped once >=1.8.1
     - d/p/ubuntu/dnsmasq-as-priv-user: update to include the new test
       nat-network-mtu
     - revert [c3c4cd4] drop in helper for firewalld as it is disabled on
       Ubuntu [can be squashed with the disabling of firewalld on next
       merge]
     - d/libvirt0.symbols: bump symbol versions for 5.4.0
     - d/rules: add --no-restart-after-upgrade to services that are
       supposed to stay up through upgrades - this also applies to related
       sockets.
   * Dropped Changes (upstream)
     - d/p/ubuntu-aa/lp-1804766-*: Allow rendering node access as needed
       for the ease use of mdev and gl devices (LP: 1804766)
     - d/p/ubuntu/lp-1771662-*: fix handling of VFs without associated PF
       (LP: 1771662)
     - d/p/ubuntu/lp-1825195-*.patch: fix issues with old guests that
       defined the never functional osxsave and ospke features
       (LP: 1825195).
     - d/p/ubuntu-aa/lp-1829223-virt-aa-helper-allow-vhost-scsi.patch fix
       vhost-scsi hotplug in virt-aa-helper (LP: 1829223)
     - SECURITY UPDATE: Add support for md-clear functionality
       + debian/patches/ubuntu/md-clear.patch: Define md-clear CPUID bit in
         src/cpu_map/x86_features.xml.
       + CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
     - Implement further apparmor rules for usage of gl enabled graphics
       (LP: 1815452)
       + d/p/ubuntu-aa/lp-1815452-more-gl-rules.patch
       + d/p/ubuntu-aa/lp-1815452-virt-aa-helper-rule.patch
     - Implement further apparmor rules for usage of gl enabled graphics
       with nvidia cards (LP: 1817943)
       + d/p/ubuntu-aa/lp-1817943-nvidia-gl-rules.patch
       + d/p/ubuntu-aa/lp-1817943-devices-in-sysfs.patch
   * Dropped Changes (in Debian)
     - d/rules: strip -Bsymbolic-functions from linker flags as it breaks
       libvirt tests
 .
 libvirt (5.3.0-1~1.gbp7b1637) UNRELEASED; urgency=medium
 .
   ** SNAPSHOT build @7b1637605da9224c46ebf3a243fa725d643e7556 **
 .
   [ Guido Günther ]
   * [fb43676] d/control: Drop dh-autoreconf build-dep.
     Not needed for dh compat > 10.
   * [81d21d5] d/not-installed: Use multi-arch dirs.
     Files moved during the dh12 switch.
   * [428ad14] New upstream version 5.3.0~rc2
   * [641e532] New upstream version 5.3.0
 .
   [ Christian Ehrhardt ]
   * [c28c3b3] d/libvirt0.install: install translations
   * [c3c4cd4] d/libvirt-daemon-system.install: drop in helper for firewalld
   * [3e8b43c] d/not-installed: ignore default files /etc/sysconfig
   * [c223d7f] d/libvirt-daemon-system.examples: ship sysctl config as
     example
   * [f19acf6] d/libvirt-daemon-system.install: ship libxl-sanlock.conf
     (Closes: #919484)
 .
   [ Andrea Bolognani ]
   * [6a2eae3] Simplify and improve watch file.
 .
 libvirt (5.2.0-2) experimental; urgency=medium
 .
   [ Guido Günther ]
   * [1ec90c0] d/compat: Switch to debhelper level 12
   * [fb6dd18] d/rules: s/no-restart-on-upgrade/no-stop-on-upgrade/
   * [3764b71] d/rules: --parallel not needed anymore
   * [1d92095] d/control: Add ${misc:Pre-Depends} for libvirt-daemon-system.
     This makes sure we pull in recent enough init-system-helpers
   * [02a155b] d/rules: Switch to dh_installsystemd
     dh_systemd_start is no longer used.
   * [bcad111] d/control: Fix typo
   * [8609192] d/control: Drop Debian revision on iptables build-dep.
     Any version greater than 1.8.1 will do.
   * [447dd58] libnss-libvirt: Install libnss_libvirt-guest as well
     (Closes: #910288)
   * [4fb7d11] d/control: Build-depend on libglusterfs-dev.
     Since this is a recent addition we can drop the versioned dependency.
     (Closes: #919663)
   * [7b4ffeb] d/rules: Newer debhelper puts the libs into multi arch dirs.
     There's no need to move them manually anymore.
 .
   [ Andrea Bolognani ]
   * [dd9cdaa] Use HTTPS for all URLs.
     This gets rid of the debian-watch-uses-insecure-uri informational
     Lintian tag, and then some.
   * [faaec12] Minimize upstream's signing key.
     This gets rid of the public-upstream-key-not-minimal informational
     Lintian tag.
   * [8a0e6f1] Remove Priority field from binary packages.
     This gets rid of the binary-control-field-duplicates-source
     informational Lintian tag.
 .
   [ Christian Ehrhardt ]
   * [08f3a23] d/libvirt-clients.manpages: add virkeycode and virkeyname
     man pages.
   * [0f359de] d/rules: mv logrotate files to silence dh_missing
   * [f36ca33] dh_missing: ignore warning on libtool .la file
 .
 libvirt (5.2.0-1) experimental; urgency=medium
 .
   * Team upload.
 .
   [ Christian Ehrhardt ]
   * [3997186] d/libvirt-daemon-system.maintscript: remove obsolete conffile
     /etc/logrotate.d/libvirtd.uml became obsolete since UML was dropped in
     libvirt 5.0 (Closes: #920574)
   * [c64d020] d/libvirt-daemon-system.libvirtd.default: clarify
     libvirtd_opts example (Closes: #921713)
 .
   [ Guido Günther ]
   * [dd9d74f] New upstream version 5.2.0
   * [790365e] CVE-2019-3886: Don't allow unprivileged users to use the
     guest agent.
     Apply upstream patches
     remote-enforce-ACL-write-permission-for-getting-guest-tim.patch
     api-disallow-virDomainGetHostname-for-read-only-connectio.patch
     (Closes: #926418)
 .
   [ Andrea Bolognani ]
   * [453f85d] Rediff patches.
     The patches
     security-aa-helper-allow-virt-aa-helper-to-read-dev-dri.patch
     security-aa-helper-generate-more-rules-for-gl-devices.patch
     security-aa-helper-gl-devices-in-sysfs-at-arbitrary-depth.patch
     security-aa-helper-nvidia-rules-for-gl-devices.patch
     virt-aa-helper-generate-rules-for-gl-enabled-graphics-dev.patch
     are included in libvirt 5.2.0 and have thus been dropped.
   * [a4294ef] Bump symbol versions.
   * [68394f6] Add tests-Avoid-writing-into-HOME-during-virsh-snapshot.patch
 .
 libvirt (5.1.0-1) experimental; urgency=medium
 .
   [ Laurent Bigonville ]
   * [76e2cb7] Don't recommend ebtables.
     It's part of the iptables package now. (Closes: #918472)
 .
   [ Guido Günther ]
   * [5814c89] New upstream version 5.1.0
   * [55d063d] Rediff patches
   * [1102dae] d/gbp.conf: Switch to experimental
   * [cdf3787] d/rules: Adjust to now versioned wireshark module path
 .
 libvirt (5.0.0-2) unstable; urgency=medium
 .
   [ Laurent Bigonville ]
   * [76e2cb7] Don't recommend ebtables.
     It's part of the iptables package now. (Closes: #918472)
 .
   [ intrigeri ]
   * [d7a7218] Fix virtio-gpu + virgl support by cherry-picking upstream
     commits
     virt-manager in current sid still creates new VMs with QXL graphics by
     default, so this bug only affects users who opt in for virtio-gpu 3D
     acceleration. Still, the option for virtio-gpu + 3D acceleration is
     offered in the virt-manager GUI, so having it broken by default is an
     important problem. (Closes: #916587)
 .
   [ Christian Ehrhardt ]
   * [3997186] d/libvirt-daemon-system.maintscript: remove obsolete conffile
     /etc/logrotate.d/libvirtd.uml became obsolete since UML was dropped in
     libvirt 5.0 (Closes: #920574)
   * [c64d020] d/libvirt-daemon-system.libvirtd.default: clarify
     libvirtd_opts example (Closes: #921713)
 .
   [ Guido Günther ]
   * [790365e] CVE-2019-3886: Don't allow unprivileged users to use the
     guest agent.
     Apply upstream patches
     remote-enforce-ACL-write-permission-for-getting-guest-tim.patch
     api-disallow-virDomainGetHostname-for-read-only-connectio.patch
     (Closes: #926418)
Original-Maintainer: Debian Libvirt Maintainers