[ubuntu/noble-security] libvirt 10.0.0-2ubuntu8.11 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Thu Jan 8 12:45:34 UTC 2026


libvirt (10.0.0-2ubuntu8.11) noble-security; urgency=medium

  * SECURITY UPDATE: memory consumption DoS via XML parsing
    - debian/patches/CVE-2025-12748-pre1.patch: move unlinking corrupt save
      image file to caller in src/qemu/qemu_driver.c,
      src/qemu/qemu_saveimage.c, src/qemu/qemu_saveimage.h,
      src/qemu/qemu_snapshot.c.
    - debian/patches/CVE-2025-12748-pre2.patch: decompose qemuSaveImageOpen
      in src/qemu/qemu_driver.c, src/qemu/qemu_saveimage.c,
      src/qemu/qemu_saveimage.h, src/qemu/qemu_snapshot.c.
    - debian/patches/CVE-2025-12748-pre3.patch: check for valid save image
      format when verifying image header in src/qemu/qemu_saveimage.c.
    - debian/patches/CVE-2025-12748-1.patch: add virDomainDefIDsParseString
      in src/conf/domain_conf.c, src/conf/domain_conf.h,
      src/libvirt_private.syms.
    - debian/patches/CVE-2025-12748-2.patch: check ACLs before parsing the
      whole domain XML in src/bhyve/bhyve_driver.c.
    - debian/patches/CVE-2025-12748-3.patch: check ACLs before parsing the
      whole domain XML in src/libxl/libxl_driver.c.
    - debian/patches/CVE-2025-12748-4.patch: check ACLs before parsing the
      whole domain XML in src/lxc/lxc_driver.c.
    - debian/patches/CVE-2025-12748-5.patch: check ACLs before parsing the
      whole domain XML in src/vz/vz_driver.c.
    - debian/patches/CVE-2025-12748-6.patch: check ACLs before parsing the
      whole domain XML in src/ch/ch_driver.c.
    - debian/patches/CVE-2025-12748-7.patch: check ACLs before parsing the
      whole domain XML in src/qemu/qemu_driver.c,
      src/qemu/qemu_migration.c, src/qemu/qemu_migration.h,
      src/qemu/qemu_saveimage.c, src/qemu/qemu_saveimage.h,
      src/qemu/qemu_snapshot.c.
    - debian/patches/CVE-2025-12748-8.patch: fix typo in bhyve driver in
      src/bhyve/bhyve_driver.c.
    - CVE-2025-12748
  * SECURITY UPDATE: incorrect world-readable permissions on snapshots
    - debian/patches/CVE-2025-13193.patch: set umask for qemu-img when
      creating external inactive snapshots in src/qemu/qemu_snapshot.c.
    - CVE-2025-13193
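
The CVE-2025-12748 entries above describe one pattern: parse only the domain's identifiers first, check the caller's ACL against them, and only then parse the whole document. The following is an added example in Python, not libvirt code and not from the patches listed here; the `ACL` table, the caller names, the size cap and the sample domain XML are all constructed for illustration, and `parse_domain_ids` stands in for the role the changelog gives to virDomainDefIDsParseString.

```python
"""Added example (not libvirt code): check the caller's ACL against a domain's
identifiers before parsing the whole XML document, the shape of the
CVE-2025-12748 fix described in the changelog above."""
import xml.etree.ElementTree as ET
from io import BytesIO

# Hypothetical cap on what an unprivileged caller may submit at all.
MAX_XML_BYTES = 1 << 20

# Hypothetical ACL: caller -> set of (action, domain name) the caller may perform.
ACL = {
    "alice": {("define", "web01")},
    "bob": set(),
}

# Counts full parses so a caller can verify that denied requests never reach one.
STATS = {"full_parses": 0}


class PermissionDenied(Exception):
    pass


class TooLarge(Exception):
    pass


def parse_domain_ids(xml_bytes):
    """Phase 1: read only <name> and <uuid> directly under the root <domain>.

    The streaming parser is abandoned as soon as both are seen, so a huge
    trailing document is never built in memory before the ACL decision.
    """
    name = uuid = None
    depth = 0
    for event, elem in ET.iterparse(BytesIO(xml_bytes), events=("start", "end")):
        if event == "start":
            depth += 1
            if depth == 1 and elem.tag != "domain":
                raise ValueError("root element must be <domain>")
            continue
        # "end" event: depth 2 means a direct child of <domain>.
        if depth == 2:
            if elem.tag == "name":
                name = (elem.text or "").strip()
            elif elem.tag == "uuid":
                uuid = (elem.text or "").strip()
        depth -= 1
        if name is not None and uuid is not None:
            break
    if not name:
        raise ValueError("domain XML has no <name>")
    return name, uuid


def acl_allows(caller, action, domain_name):
    return (action, domain_name) in ACL.get(caller, set())


def parse_full(xml_bytes):
    """Phase 2: the expensive full parse, reached only after the ACL check."""
    STATS["full_parses"] += 1
    root = ET.fromstring(xml_bytes)
    devices = root.find("devices")
    return {
        "memory": root.findtext("memory"),
        "devices": len(devices) if devices is not None else 0,
    }


def define_domain(caller, xml_bytes):
    if len(xml_bytes) > MAX_XML_BYTES:
        raise TooLarge(f"domain XML exceeds {MAX_XML_BYTES} bytes")
    name, uuid = parse_domain_ids(xml_bytes)
    if not acl_allows(caller, "define", name):
        raise PermissionDenied(f"{caller} may not define domain {name}")
    info = parse_full(xml_bytes)
    info.update(name=name, uuid=uuid)
    return info


# Constructed sample domain XML.
SAMPLE_XML = b"""<domain type='qemu'>
  <name>web01</name>
  <uuid>00000000-0000-4000-8000-000000000001</uuid>
  <memory unit='KiB'>1048576</memory>
  <devices>
    <disk type='file' device='disk'/>
    <interface type='network'/>
  </devices>
</domain>"""

if __name__ == "__main__":
    print(define_domain("alice", SAMPLE_XML))
    try:
        define_domain("bob", SAMPLE_XML)
    except PermissionDenied as e:
        print("denied:", e, "| full parses so far:", STATS["full_parses"])
```

The point to check in a review of such code is that every entry point an unprivileged client can reach goes through the identifier-only parse and the ACL check before anything touches the full document; the changelog lists one such entry point per driver (bhyve, libxl, lxc, vz, ch, qemu), which is why the fix is spread over eight patches.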

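The CVE-2025-13193 entry above fixes world-readable snapshot files by setting a umask for the qemu-img child process. The following is an added example in Python, not libvirt code and not from the patch listed here; the helper child (a Python one-liner that creates an empty file) stands in for qemu-img, and the file names are constructed.

```python
"""Added example (not libvirt code): spawn a file-creating helper with a
restrictive umask so the files it creates are never world-readable, the class
of fix the changelog describes for CVE-2025-13193."""
import os
import stat
import subprocess
import sys
import tempfile


def create_with_helper(path, umask=None):
    """Run a child that creates `path` (stand-in for `qemu-img create`).

    With umask=None the child inherits the parent's umask (commonly 022, which
    yields 0644, i.e. world-readable, files). With umask=0o077 the mask is
    applied atomically at creation time in the child, so there is no window
    in which the file exists with loose permissions, unlike a chmod afterwards.
    """
    helper = [sys.executable, "-c",
              "import sys; open(sys.argv[1], 'wb').close()", path]
    kwargs = {}
    if umask is not None:
        if sys.version_info >= (3, 9):
            kwargs["umask"] = umask            # Popen's umask= parameter (POSIX, 3.9+)
        else:
            kwargs["preexec_fn"] = lambda: os.umask(umask)
    subprocess.run(helper, check=True, **kwargs)
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_readable(mode):
    return bool(mode & stat.S_IROTH)


def demo():
    """Create one file with the inherited umask and one with umask 077;
    returns both modes so the difference can be checked."""
    with tempfile.TemporaryDirectory() as d:
        loose = create_with_helper(os.path.join(d, "loose.qcow2"))
        strict = create_with_helper(os.path.join(d, "strict.qcow2"), umask=0o077)
    return loose, strict


if __name__ == "__main__":
    loose, strict = demo()
    print(f"inherited umask -> {loose:o} (world-readable: {is_world_readable(loose)})")
    print(f"umask 077       -> {strict:o} (world-readable: {is_world_readable(strict)})")
```

The strict file always ends up 0600 regardless of the parent's umask, which is the property a reviewer would want to confirm for any external helper that writes guest disk data.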
libvirt (10.0.0-2ubuntu8.10) noble; urgency=medium

  * d/p/u-aa/lp2127492-*: apparmor: Allow AMD-SEV device access for
    AMD-SEV VM (LP: #2127492)

libvirt (10.0.0-2ubuntu8.9) noble; urgency=medium

  [ Bhavin Gandhi ]
  * d/p/u/lp-2117467-virdevmapper-device-name-for-targets.patch:
    virdevmapper: Always use device name for finding targets. This ensures
    that all the target devices of a multipath device are added to the
    namespace/cgroup of the guest domain.
    Closes LP: #2117467.

  [ Hector Cao ]
  * d/p/u-aa/lp2079869-*: virt-aa-helper: Avoid duplicates when appending rules
    (LP: #2120278)

libvirt (10.0.0-2ubuntu8.8) noble; urgency=medium

  [ Lukas Märdian ]
  * Move README.Debian to libvirt0 package (LP: #2108995).

  [ Hector Cao ]
  * d/p/u/lp2106812-cpu_map-Drop-mpx-from-x86-cpu-models.patch:
    Memory protection extensions (MPX) were introduced in Intel Skylake
    generation CPUs and provided hardware support for bound checking. This
    feature will not be supported in Intel CPUs beginning with the Ice Lake
    generation. Remove the missing mpx feature so that libvirt correctly detects
    CPU models (Icelake, ...) instead of the old Blackwell (LP: #2106812)

libvirt (10.0.0-2ubuntu8.7) noble; urgency=medium

  [ Heinrich Schuchardt ]
  * Fix compiler macro to correctly detect RISC-V (LP: #2095488)
    - d/p/u/lp-2095488-virsysinfo-Try-reading-DMI-table.patch
    - d/p/u/lp-2095488-virsysinfo-fix-RISC-V-detection.patch

  [ Lukas Märdian ]
  * Add full boot order support on s390x (LP: #2051239)
    - d/p/u/lp2051239/1-qemu-capabilities-Add-QEMU_CAPS_VIRTIO_CCW_DEVICE.patch
    - d/p/u/lp2051239/2-qemu-command-add-multi-boot-device-support-on-s39.patch
  * apparmor: Allow SGX if configured (LP: #2100024)
    - d/p/u-aa/lp-2100024-Allow-SGX-if-configured.patch

libvirt (10.0.0-2ubuntu8.6) noble; urgency=medium

  - d/p/u/lp-2084136-fix-get-number-block-io-throttle-params.patch:
    Fix an issue that prevented the user from obtaining the number of block I/O
    parameters. (LP: #2084136)

  [ Heinrich Schuchardt ]
  - d/p/ubuntu-aa/virt-aa-helper-allow-riscv64-EDK-II.patch
    virt-aa-helper: allow riscv64 EDK II (LP: #2091357)

libvirt (10.0.0-2ubuntu8.5) noble; urgency=medium

  - d/p/u/lp-2051754-*.patch: Refresh patches against accepted
    upstream version. This should not have any visible user changes.
  - d/p/u/lp-2071848-fix-migration-with-disabled-vmx-features.patch:
    Refresh patch.
  - d/p/u/lp-2083986-*.patch: Backport upstream patches to fix issues
    with domain migrations between two nested VMs due to mismatched
    check of CPU features. (LP: #2083986)

libvirt (10.0.0-2ubuntu8.4) noble; urgency=medium

  * d/p/u/lp-2072647-log_cleaner-Detect-rotated-filenames-properly.patch:
    Fix the virtlogd bug "internal error: Failed to parse rotated index", which
    occurs when the max_age_days parameter is enabled. (LP: #2072647)

libvirt (10.0.0-2ubuntu8.3) noble; urgency=medium

  * d/p/u/lp-2071848-fix-migration-with-disabled-vmx-features.patch:
    Fix migration issues with disabled vmx-* CPU features. (LP: #2071848)

Date: 2025-12-08 19:02:11.066895+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/libvirt/10.0.0-2ubuntu8.11