[Libvirt-announce] Entering freeze for libvirt 5.4.0
by Daniel Veillard
This is tagged in git, I have put the signed tarball and source RPM at
the usual place:
https://libvirt.org/sources/
I did not build the binary rpms: first it broke because I was still on F28,
c.f. Jan's patch, and second it's true that it provides little value; it's doubtful
people would just install my binaries as is. Will likely stick to sources
as part of releases in the future.
Release looks fine in my limited testing, https://ci.centos.org/view/libvirt/
is of a rare uniform green color, which is promising too!
Please give it a try, I will likely cut RC2 on Thursday, and then
if everything goes fine push the GA over the w.e. or Monday,
thanks,
Daniel
--
Daniel Veillard | Red Hat Developers Tools http://developer.redhat.com/
veillard(a)redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
[Libvirt-announce] LSN-2019-0003: Insecure permissions for systemd socket for virtlockd/virtlogd
by Daniel P. Berrangé
Libvirt Security Notice: LSN-2019-0003
======================================
Summary: Insecure permissions for systemd socket for
virtlockd/virtlogd
Reported on: 20190430
Published on: 20190421
Fixed on: 20190421
Reported by: Daniel P. Berrangé <berrange(a)redhat.com>
Patched by: Daniel P. Berrangé <berrange(a)redhat.com>
See also: CVE-2019-10132
Description
-----------
The virtlockd-admin.socket and virtlogd-admin.socket unit files do
not set the SocketMode parameter and thus create a world accessible
UNIX domain socket. Furthermore the code fails to validate the
identity of clients connecting to these sockets.
Impact
------
An unprivileged user is able to connect to the virtlockd or virtlogd
daemons and use the administrative RPC commands to elevate their
privileges.
Workaround
----------
Disable the virtlockd-admin.socket and virtlogd-admin.socket units
in systemd. Alternatively, customize them to add SocketMode=0600
locally.
Affected product
----------------
Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v4.1.0
Broken in: v4.2.0
Broken in: v4.3.0
Broken in: v4.4.0
Broken in: v4.5.0
Broken in: v4.6.0
Broken in: v4.7.0
Broken in: v4.8.0
Broken in: v4.9.0
Broken in: v4.10.0
Broken in: v5.0.0
Broken in: v5.1.0
Broken in: v5.2.0
Broken in: v5.3.0
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
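An added example, not part of the notice above and not libvirt code: a small audit that computes the effective SocketMode of a systemd socket unit plus its drop-ins and flags units left world-connectable, which is the condition LSN-2019-0003 describes and the SocketMode=0600 workaround removes. The unit text, the ListenStream path and the function names are constructed for illustration.

```python
import stat

# systemd.socket(5): SocketMode= defaults to 0666 when a unit does not set it.
SYSTEMD_DEFAULT_SOCKET_MODE = 0o666

def effective_socket_mode(*unit_texts):
    """Mode after applying the unit file, then its drop-ins, in order."""
    mode = SYSTEMD_DEFAULT_SOCKET_MODE
    for text in unit_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue  # blank line or comment
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, sep, value = line.partition("=")
            if section == "Socket" and sep and key.strip() == "SocketMode" and value.strip():
                mode = int(value.strip(), 8)  # a later assignment wins
    return mode

def world_connectable(mode):
    """On Linux, connect() to a UNIX socket needs write permission on it."""
    return bool(mode & stat.S_IWOTH)

def audit(units):
    """units: {unit name: [main unit text, drop-in text, ...]} -> flagged names."""
    return sorted(name for name, texts in units.items()
                  if world_connectable(effective_socket_mode(*texts)))

# Constructed sample: an admin socket unit with no SocketMode line.
VULNERABLE_UNIT = """\
[Unit]
Description=Constructed sample admin socket

[Socket]
ListenStream=/run/example/admin-sock
"""

# Constructed drop-in carrying the workaround from the notice.
DROP_IN = """\
[Socket]
SocketMode=0600
"""

if __name__ == "__main__":
    print(audit({"virtlockd-admin.socket": [VULNERABLE_UNIT],
                 "virtlogd-admin.socket": [VULNERABLE_UNIT, DROP_IN]}))
```

On a live host the same check can be confirmed against the socket file itself by reading its mode with os.stat(); the unit-file check alone does not cover the missing client identity validation the notice also mentions.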
[Libvirt-announce] Release of libvirt-5.3.0
by Daniel Veillard
A bit late, sorry I was on vacation, but the release is now tagged in git
and I pushed the signed tarball and rpms to the normal place:
https://libvirt.org/sources/
Please note that following discussion on last release the FTP server will
soon be shut down.
I also pushed the related libvirt-python release that you can find in git
and at
https://libvirt.org/sources/python/
This is a balanced release, one thing to note is the removal of the support
for the old 4.x VirtualBox releases.
New feature:
- qemu: Add support for setting the emulator scheduler parameters
I/O threads and vCPU threads already support setting schedulers, but
until now it was impossible to do so for the main QEMU thread (emulator
thread in the libvirt naming). This is, however, requested for some
very specific scenarios, for example when vCPU threads are running at
such priority that could starve the main thread.
Removed feature:
- vbox: Drop support for VirtualBox 4.x releases
Support for all the 4.x releases was ended by VirtualBox maintainers in
December 2015. Therefore, libvirt support for these releases is
dropped.
Improvements:
- qemu: Use PCI by default for RISC-V guests
PCI support for RISC-V guests was already available in libvirt 5.1.0,
but it required the user to opt-in by manually assigning PCI addresses:
with this release, RISC-V guests will use PCI automatically when
running against a recent enough (4.0.0+) QEMU release.
- qemu: Advertise firmware autoselection in domain capabilities
The firmware autoselection feature is now exposed in domain
capabilities and management applications can query for accepted values,
i.e. values that are accepted and for which libvirt found firmware
descriptor files. Firmware Secure Boot support is also advertised.
- Drop YAJL 1 support
YAJL 2 is widely adopted and maintaining side by side support for two
versions is unnecessary.
Bug fixes:
- rpc: cleanup in virNetTLSContextNew
Failed new gnutls context allocations in the virNetTLSContextNew function
result in a double free and segfault. Occasional memory leaks may also
occur.
- virsh: various completers fixes
There were some possible crashers, memory leaks, etc. which are now
fixed.
- qemu: Make hugepages work with memfd backend
Due to a bug in command line generation libvirt did not honor hugepages
setting with memfd backend.
- Enforce ACL write permission for getting guest time & hostname
Getting the guest time and hostname both require use of guest agent
commands. These must not be allowed for read-only users, so the
permissions check must validate "write" permission not "read".
Thanks everybody for your help bringing this release up,
Daniel
--
Daniel Veillard | Red Hat Developers Tools http://developer.redhat.com/
veillard(a)redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/