[Libvirt-announce] LSN-2017-0002 - TLS certificate verification disabled for clients
by Daniel P. Berrange
Libvirt Security Notice: LSN-2017-0002
======================================
Summary: TLS certificate verification disabled for clients
Reported on: 20171005
Published on: 20171016
Fixed on: 20171016
Reported by: Daniel P. Berrange <berrange(a)redhat.com>
Patched by: Daniel P. Berrange <berrange(a)redhat.com>
See also: CVE-2017-1000256
Description
-----------
The default_tls_x509_verify (and related) parameters in qemu.conf
control whether the TLS servers in QEMU request & verify
certificates from clients. This works as a simple access control
system for QEMU servers by requiring the CA to issue certs to
permitted clients. This use of client certificates is disabled by
default, since it requires extra work to issue client certificates.
Unfortunately the libvirt code was using these configuration
parameters when setting up both TLS clients and servers in QEMU. The
result was that TLS clients for character devices and disk devices
had verification turned off, meaning they would ignore any errors
while validating the server certificate.
Impact
------
A MITM attacker can attack any client connection made by QEMU's
character devices and disk devices which have TLS enabled. The
attacker can send an arbitrary certificate back to the client QEMU
and it will ignore all errors that result during validation.
Workaround
----------
Enable the 'default_tls_x509_verify' parameter in qemu.conf and restart
libvirtd. This will trigger libvirt to turn on certificate
verification in QEMU clients. Unfortunately this will also turn on
use of client certificates in QEMU servers.
Affected product
----------------
Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v2.3.0
Broken in: v2.4.0
Broken in: v2.5.0
Broken in: v3.0.0
Broken in: v3.1.0
Broken in: v3.2.0
Broken in: v3.3.0
Broken in: v3.4.0
Broken in: v3.5.0
Broken in: v3.6.0
Broken in: v3.7.0
Broken in: v3.8.0
Fixed in: v3.9.0
Broken by: ce61c16450d4992612d1fc6f39a39e79bfccead5
Fixed by: 441d3eb6d1be940a67ce45a286602a967601b157
Branch: v3.0-maint
Broken by: ce61c16450d4992612d1fc6f39a39e79bfccead5
Fixed by: 16daadc708be65c2681f54d33ac4004ccaf6e82d
Branch: v3.2-maint
Broken in: v3.2.1
Broken by: ce61c16450d4992612d1fc6f39a39e79bfccead5
Fixed by: 9e6bc47bb541d8eea10cdd5704ea7f5e699bf0ba
Branch: v3.7-maint
Broken by: ce61c16450d4992612d1fc6f39a39e79bfccead5
Fixed by: dc6c41798d1eb5c52c75365ffa22f7672709dfa7
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
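Added example, not part of the notice above or of libvirt's own code: a small audit that combines the notice's "Broken in" range with the workaround setting to classify a host. The function names, status strings and sample qemu.conf snippets are constructed for illustration; taking the last assignment when the key is repeated is an assumption.

```python
import re

# Mainline range from the notice: "Broken in" v2.3.0 .. v3.8.0, "Fixed in" v3.9.0.
FIRST_BROKEN = (2, 3, 0)
FIRST_FIXED = (3, 9, 0)

# Matches only an uncommented assignment such as: default_tls_x509_verify = 1
_SETTING = re.compile(r'^\s*default_tls_x509_verify\s*=\s*(\d+)\s*(?:#.*)?$')

# Constructed sample inputs (not taken from a real host).
SAMPLE_DEFAULT = '#default_tls_x509_cert_dir = "/etc/pki/qemu"\n#default_tls_x509_verify = 1\n'
SAMPLE_WORKAROUND = 'default_tls_x509_cert_dir = "/etc/pki/qemu"\ndefault_tls_x509_verify = 1\n'


def parse_version(text):
    """Turn 'v3.8.0' or '3.8.0' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


def verify_enabled(qemu_conf_text):
    """Effective default_tls_x509_verify. A commented-out or absent key means
    disabled, the default the notice describes. Assumption: if the key is
    assigned more than once, the last assignment is used."""
    enabled = False
    for line in qemu_conf_text.splitlines():
        match = _SETTING.match(line)
        if match:
            enabled = int(match.group(1)) != 0
    return enabled


def assess(libvirt_version, qemu_conf_text):
    """Classify a host from its libvirt version and qemu.conf contents."""
    version = parse_version(libvirt_version)
    if not (FIRST_BROKEN <= version < FIRST_FIXED):
        return "not-in-broken-range"
    if verify_enabled(qemu_conf_text):
        # Side effect named in the notice: QEMU servers now require client certs.
        return "workaround-applied"
    # A version number cannot show a backported fix: the -maint branches in
    # the notice are identified by commit id only, so confirm with the vendor.
    return "exposed-unless-patched"


if __name__ == "__main__":
    for ver, conf in (("v3.8.0", SAMPLE_DEFAULT), ("v3.2.1", SAMPLE_WORKAROUND)):
        print(ver, assess(ver, conf))
```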
[Libvirt-announce] Release of libvirt-3.8.0
by Daniel Veillard
I tagged the tree and pushed the release earlier today, signed tarball
and rpms should be available at the usual place:
ftp://libvirt.org/libvirt/
I also pushed the associated 3.8.0 for the python bindings which can be
found in the python subdir:
ftp://libvirt.org/libvirt/
This is a balanced release with new features especially for Qemu/KVM,
a reasonable set of improvements and bug fixes:
New features:
-------------
- qemu: Added support for cold-(un)plug of watchdog devices
- qemu: Added support for setting IP address of usernet interfaces
- qemu: Added support for Veritas Hyperscale (VxHS) block devices
- storage: Added new events for pool-build and pool-delete
Improvements:
-------------
- qemu: Set DAC permissions properly for spice rendernode
When a rendernode path is set for SPICE GL on qemu:///system, we now
correctly set DAC permissions on the device at VM startup. This is the
last remaining hurdle to let SPICE GL work for qemu:///system without
any external host changes.
- nodedev: Add switchdev offload query to NIC capabilities
Allow querying the NIC interface capabilities for the availability of
switchdev offloading (also known as kernel-forward-plane-offload).
- New CPU models for AMD and Intel
AMD EPYC and Intel Skylake-Server CPU models were added together with
their features
- Improve long waiting when saving a domain
While waiting for a write to disk to be finished, e.g. during save,
even simple operations like virsh list would be blocking due to domain
lock. This is now resolved by unlocking the domain in places where it
is not needed.
Bug fixes:
------------
- Proper units are now used in virsh manpage for dom(mem)stats
Previously the documentation used multiples of 1000, but now it is
fixed to use multiples of 1024.
- qemu: Fix error reporting when disk attachment fails
There was a possibility for the actual error to be overridden or
cleared during the rollback.
- qemu: Fix assignment of graphics ports after daemon restart
This could be seen with newer kernels that have a bug regarding
SO_REUSEADDR. After libvirtd was restarted it could assign an already used
address to new guests which would make them fail to start. This is
fixed by marking used ports unavailable when reconnecting to running
QEMU domains.
- Fix message decoding which was causing a very strange bug
When parsing an RPC message with file descriptors was interrupted and
had to restart, the offset of the payload was calculated badly causing
strange issues like not being able to find a domain that was not
requested.
Thanks everybody who contributed to this release with bug reports, patches,
reviews, documentation, etc ...
Enjoy the release !
Daniel
--
Daniel Veillard | Red Hat Developers Tools http://developer.redhat.com/
veillard(a)redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/