[ubuntu/resolute-proposed] libvirt 12.0.0-1ubuntu1 (Accepted)
Hector Cao
hector.cao at canonical.com
Wed Feb 18 10:02:22 UTC 2026
libvirt (12.0.0-1ubuntu1) resolute; urgency=medium
* Merge with Debian unstable (LP: #2126022). Remaining changes:
- d/*(post|pre)(rm|inst), d/*.install: drop generated files
- d/control.in: Disable libssh2 support (universe dependency)
- d/control.in: add libzfslinux-dev to build-deps
- d/p/ovmf_paths.patch: adjust paths to secboot.fd UEFI
Secure Boot enabled variants of the OVMF firmware and variable store for
the paths where we ship these files in Ubuntu.
- d/rules: Set qemu-group to kvm (for compat with older ubuntu)
- d/rules, d/libvirt-daemon-common.*: Additional apport package-hook
- autostart default bridged network (As upstream does, but not Debian).
In addition to just enabling it our solution provides:
+ do not autostart if subnet is already taken (e.g. in guests).
+ iterate some alternative subnets before giving up
+ d/t/network: Test automatic virbr0 setup via autopkgtest.
+ d/l-d-config-network.postinst: clear 'autostarted' state, to activate
network on install (LP 2093864)
+ d/control: Add Breaks/Replaces, to account for the move of configuration
of the default bridged network to libvirt-daemon-config-network.
(LP 2107448)
+ d/l-d-config-network.{pre,post}inst.in: diversions for network config.
+ d/l-d-config-network.{pre,post}inst.in: retain non pkg owned network
config.
- d/p/u/Allow-libvirt-group-to-access-the-socket.patch: This is
the group based access to libvirt functions as it was used in Ubuntu
for quite a long time.
+ d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
due to the group access change.
+ d/libvirt-daemon-driver-qemu.postinst*: add users in sudo to the libvirt
group.
- update README.Debian with Ubuntu changes
- d/p/u/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
- fix autopkgtests (LP 1899180)
+ d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making
vmlinuz available and accessible (Debian bug 848314)
+ d/t/control: fix smoke-qemu-session by ensuring the service will run
installing libvirt-daemon-system
+ d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as
long as the following undefine succeeds
+ d/t/smoke-lxc: use systemd instead of sysV to restart the service
+ d/t/control, d/t/smoke-lxc: retry service restart and skip test if
failing; This was flaky on some release/architectures
+ d/t/smoke-lxc: retry check_domain being flaky on arm64
- dnsmasq related enhancements
+ run dnsmasq as libvirt-dnsmasq (LP 1743718)
+ d/libvirt-daemon-config-network.postinst*: add libvirt-dnsmasq user
and group
+ d/libvirt-daemon-config-network.postrm*: remove libvirt-dnsmasq user
and group on purge
+ d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user
libvirt-dnsmasq and adapt the self tests to expect that config
+ Add dnsmasq configuration to work with system wide dnsmasq-base
- d/p/u/set-default-machine-to-ubuntu.patch: to select default
machine type correctly with newer qemu/libvirt
- d/p/u/lp-1861125-ubuntu-models: recognize Ubuntu models for
(LP 1861125) fixups
- d/p/ubuntu/wait-for-qemu-kvm.patch - avoid hangs on startup (LP 1887592)
- d/libvirt-daemon-common.libvirt-guests.default: shut guests down
in parallel
- apparmor Delta that is Ubuntu specific or yet to be upstreamed
split into logical pieces. File names in debian/patches/ubuntu-aa/:
+ 0020-virt-aa-helper-ubuntu-storage-paths.patch:
apparmor, virt-aa-helper: Allow various storage pools and image
locations
+ 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor,
libvirt-qemu: Add 9p support
+ 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch:
virt-aa-helper: Ask for no deny rule for readonly disk
+ 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch:
apparmor, libvirt-qemu: Allow reading charm-specific ceph config
+ 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow
commands executed by ubuntu only kvm wrapper on ppc64el
(LP 1686621 LP 1680384 LP 1784023)
+ 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch:
apparmor, virt-aa-helper: access for snapped nova
+ lp-1815910-allow-vhost-hotplug.patch: avoid apparmor issues
with vhost-net/vhost-vsock/vhost-scsi hotplug (LP 1815910)
+ d/p/u-aa/lp2079869-*: allow access for bridge helper to sys node
(LP 2079869)
+ Support both GNU and Rust coreutils paths in apparmor policy (LP 2123870)
d/p/u-aa/lp2123870-apparmor-use-the-coreutils-tunable-for-coreutils.patch
- libvirt should not use user/group tss for swtpm (LP 1948880)
+ d/libvirt-daemon-system.postinst: own swtpm logdir by user swtpm
+ d/p/u/swtpm-by-swtpm-user.patch: change default spawned swtpm processes
to user swtpm and adapt expected self test result changes triggered by
this
+ d/libvirt-daemon-system.postinst: create user/group swtpm if not present
due to swtpm-tools (LP 1951975)
- d/control: Demote passt to Suggests (from Recommends) for
libvirt-daemon-driver-qemu, because passt is in universe.
- d/control: Make libvirt-daemon Suggest (instead of Recommend)
libvirt-daemon-plugin-sanlock, which is in universe.
- d/control: re-generate from d/control-in: we stop changing both files
and eventually re-generate from d/control-in at built as intended.
- default to qemu:///system libvirt URI (LP 2027838)
On Ubuntu we always want to initialize the URI to qemu:///system,
regardless if running as privileged daemon or not. This keeps backward
compatibility with Ubuntu's default behavior, while still allowing users
more flexibility in changing that default, through config files or
environment variables.
Redesign the solution by getting rid of the libvirt-uri.sh script used
up until now to achieve the same behavior.
+ d/p/u/lp-2027838-conf-Default-to-qemu-system-libvirt-URI.patch
+ d/libvirt-clients.conffiles: Remove libvirt-uri.sh profile.d script
on upgrade
+ d/t/default-uri: add basic test for LIBVIRT_DEFAULT_URI handling
- enable MSR kernel module load (LP 2106791)
* Dropped changes [in Upstream 12.0.0]:
- d/p/u-aa/lp2127492-*: apparmor: Allow AMD-SEV device access for
AMD-SEV VM (LP 2127492)
- cpu_map: fix vmx-* MSR features (LP 2083293)
d/p/u/lp2083293-cpu_map-update-vmx-features.patch
- d/p/u-aa/lp2079869-* : virt-aa-helper: Avoid duplicate when append rule
(LP 2120278)
- SECURITY UPDATE: memory consumption DoS via XML parsing, CVE-2025-12748
- SECURITY UPDATE: incorrect world-readable permissions on snapshots
CVE-2025-13193
libvirt (12.0.0-1) unstable; urgency=medium
* [f56956f] New upstream version 12.0.0
* [e391236] control: Bump Standards-Version to 4.7.3
- No changes needed
* [7497157] watch: Update to version 5 syntax
* [e6faaf7] debconf: Add Chinese translation
- Thanks to Yangfl (Closes: #1125068)
libvirt (11.10.0-2) experimental; urgency=medium
[ Luca Boccassi ]
* [5f62c20] Install and use sysusers.d config files
- Replace existing bespoke handling of user/groups in
maintainer scripts with a declarative approach. It should
be completely transparent for users, except for the fact
that users/groups are no longer deleted on purge, which
prevents accidental ownership transfer for existing files
[ Andrea Bolognani ]
* [7f00f6b] Tweak details for libvirt-qemu user
- Improve GECOS field and change home directory to /nonexistent.
This only affects new installations: existing users will not
be modified
libvirt (11.10.0-1) unstable; urgency=medium
* [13462ab] New upstream version 11.10.0
- Perform ACL checks earlier, preventing malicious users
from potentially being able to crash the daemon
- Closes: #1120584 (CVE-2025-12748)
- Ensure that newly-created snapshots are not world-readable
- Closes: #1120119 (CVE-2025-13193)
- Apply the detect_zeroes settings across all layers of the
backing chain instead of just the topmost one
- Closes: #1121280
* [5732866] common: Add several CPU models
libvirt (11.9.0-2) unstable; urgency=medium
* [2b22a1b] daemon-plugin-sanlock: Always install augeas config
- Fixes FTBFS on architectures that don't enable the QEMU driver
libvirt (11.9.0-1) unstable; urgency=medium
* [a76d51f] New upstream version 11.9.0
libvirt (11.8.0-2) unstable; urgency=medium
* [a17e07a] patches: Add backports
- Fix building against Wireshark 4.6.0
- Closes: #1118069
libvirt (11.8.0-1) unstable; urgency=medium
* [b4ab89e] New upstream version 11.8.0
* [3e1d30b] upstream: Update keyring
libvirt (11.7.0-1) unstable; urgency=medium
[ Nuri KÜÇÜKLER ]
* [192b7f1] debconf: Add Turkish translation
- Closes: #1110365
[ Andrea Bolognani ]
* [cc15910] New upstream version 11.7.0
Date: Thu, 22 Jan 2026 13:34:09 +0100
Changed-By: Hector Cao <hector.cao at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Christian Ehrhardt <christian.ehrhardt at canonical.com>
https://launchpad.net/ubuntu/+source/libvirt/12.0.0-1ubuntu1
-------------- next part --------------
Format: 1.8
Date: Thu, 22 Jan 2026 13:34:09 +0100
Source: libvirt
Built-For-Profiles: noudeb
Architecture: source
Version: 12.0.0-1ubuntu1
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Hector Cao <hector.cao at canonical.com>
Closes: 1110365 1118069 1120119 1120584 1121280 1125068
Launchpad-Bugs-Fixed: 2126022
Changes:
libvirt (12.0.0-1ubuntu1) resolute; urgency=medium
.
* Merge with Debian unstable (LP: #2126022). Remaining changes:
- d/*(post|pre)(rm|inst), d/*.install: drop generated files
- d/control.in: Disable libssh2 support (universe dependency)
- d/control.in: add libzfslinux-dev to build-deps
- d/p/ovmf_paths.patch: adjust paths to secboot.fd UEFI
Secure Boot enabled variants of the OVMF firmware and variable store for
the paths where we ship these files in Ubuntu.
- d/rules: Set qemu-group to kvm (for compat with older ubuntu)
- d/rules, d/libvirt-daemon-common.*: Additional apport package-hook
- autostart default bridged network (As upstream does, but not Debian).
In addition to just enabling it our solution provides:
+ do not autostart if subnet is already taken (e.g. in guests).
+ iterate some alternative subnets before giving up
+ d/t/network: Test automatic virbr0 setup via autopkgtest.
+ d/l-d-config-network.postinst: clear 'autostarted' state, to activate
network on install (LP 2093864)
+ d/control: Add Breaks/Replaces, to account for the move of configuration
of the default bridged network to libvirt-daemon-config-network.
(LP 2107448)
+ d/l-d-config-network.{pre,post}inst.in: diversions for network config.
+ d/l-d-config-network.{pre,post}inst.in: retain non pkg owned network
config.
- d/p/u/Allow-libvirt-group-to-access-the-socket.patch: This is
the group based access to libvirt functions as it was used in Ubuntu
for quite a long time.
+ d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
due to the group access change.
+ d/libvirt-daemon-driver-qemu.postinst*: add users in sudo to the libvirt
group.
- update README.Debian with Ubuntu changes
- d/p/u/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
- fix autopkgtests (LP 1899180)
+ d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making
vmlinuz available and accessible (Debian bug 848314)
+ d/t/control: fix smoke-qemu-session by ensuring the service will run
installing libvirt-daemon-system
+ d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as
long as the following undefine succeeds
+ d/t/smoke-lxc: use systemd instead of sysV to restart the service
+ d/t/control, d/t/smoke-lxc: retry service restart and skip test if
failing; This was flaky on some release/architectures
+ d/t/smoke-lxc: retry check_domain being flaky on arm64
- dnsmasq related enhancements
+ run dnsmasq as libvirt-dnsmasq (LP 1743718)
+ d/libvirt-daemon-config-network.postinst*: add libvirt-dnsmasq user
and group
+ d/libvirt-daemon-config-network.postrm*: remove libvirt-dnsmasq user
and group on purge
+ d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user
libvirt-dnsmasq and adapt the self tests to expect that config
+ Add dnsmasq configuration to work with system wide dnsmasq-base
- d/p/u/set-default-machine-to-ubuntu.patch: to select default
machine type correctly with newer qemu/libvirt
- d/p/u/lp-1861125-ubuntu-models: recognize Ubuntu models for
(LP 1861125) fixups
- d/p/ubuntu/wait-for-qemu-kvm.patch - avoid hangs on startup (LP 1887592)
- d/libvirt-daemon-common.libvirt-guests.default: shut guests down
in parallel
- apparmor Delta that is Ubuntu specific or yet to be upstreamed
split into logical pieces. File names in debian/patches/ubuntu-aa/:
+ 0020-virt-aa-helper-ubuntu-storage-paths.patch:
apparmor, virt-aa-helper: Allow various storage pools and image
locations
+ 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor,
libvirt-qemu: Add 9p support
+ 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch:
virt-aa-helper: Ask for no deny rule for readonly disk
+ 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch:
apparmor, libvirt-qemu: Allow reading charm-specific ceph config
+ 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow
commands executed by ubuntu only kvm wrapper on ppc64el
(LP 1686621 LP 1680384 LP 1784023)
+ 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch:
apparmor, virt-aa-helper: access for snapped nova
+ lp-1815910-allow-vhost-hotplug.patch: avoid apparmor issues
with vhost-net/vhost-vsock/vhost-scsi hotplug (LP 1815910)
+ d/p/u-aa/lp2079869-*: allow access for bridge helper to sys node
(LP 2079869)
+ Support both GNU and Rust coreutils paths in apparmor policy (LP 2123870)
d/p/u-aa/lp2123870-apparmor-use-the-coreutils-tunable-for-coreutils.patch
- libvirt should not use user/group tss for swtpm (LP 1948880)
+ d/libvirt-daemon-system.postinst: own swtpm logdir by user swtpm
+ d/p/u/swtpm-by-swtpm-user.patch: change default spawned swtpm processes
to user swtpm and adapt expected self test result changes triggered by
this
+ d/libvirt-daemon-system.postinst: create user/group swtpm if not present
due to swtpm-tools (LP 1951975)
- d/control: Demote passt to Suggests (from Recommends) for
libvirt-daemon-driver-qemu, because passt is in universe.
- d/control: Make libvirt-daemon Suggest (instead of Recommend)
libvirt-daemon-plugin-sanlock, which is in universe.
- d/control: re-generate from d/control-in: we stop changing both files
and eventually re-generate from d/control-in at built as intended.
- default to qemu:///system libvirt URI (LP 2027838)
On Ubuntu we always want to initialize the URI to qemu:///system,
regardless if running as privileged daemon or not. This keeps backward
compatibility with Ubuntu's default behavior, while still allowing users
more flexibility in changing that default, through config files or
environment variables.
Redesign the solution by getting rid of the libvirt-uri.sh script used
up until now to achieve the same behavior.
+ d/p/u/lp-2027838-conf-Default-to-qemu-system-libvirt-URI.patch
+ d/libvirt-clients.conffiles: Remove libvirt-uri.sh profile.d script
on upgrade
+ d/t/default-uri: add basic test for LIBVIRT_DEFAULT_URI handling
- enable MSR kernel module load (LP 2106791)
* Dropped changes [in Upstream 12.0.0]:
- d/p/u-aa/lp2127492-*: apparmor: Allow AMD-SEV device access for
AMD-SEV VM (LP 2127492)
- cpu_map: fix vmx-* MSR features (LP 2083293)
d/p/u/lp2083293-cpu_map-update-vmx-features.patch
- d/p/u-aa/lp2079869-* : virt-aa-helper: Avoid duplicate when append rule
(LP 2120278)
- SECURITY UPDATE: memory consumption DoS via XML parsing, CVE-2025-12748
- SECURITY UPDATE: incorrect world-readable permissions on snapshots
CVE-2025-13193
.
libvirt (12.0.0-1) unstable; urgency=medium
.
* [f56956f] New upstream version 12.0.0
* [e391236] control: Bump Standards-Version to 4.7.3
- No changes needed
* [7497157] watch: Update to version 5 syntax
* [e6faaf7] debconf: Add Chinese translation
- Thanks to Yangfl (Closes: #1125068)
.
libvirt (11.10.0-2) experimental; urgency=medium
.
[ Luca Boccassi ]
* [5f62c20] Install and use sysusers.d config files
- Replace existing bespoke handling of user/groups in
maintainer scripts with a declarative approach. It should
be completely transparent for users, except for the fact
that users/groups are no longer deleted on purge, which
prevents accidental ownership transfer for existing files
.
[ Andrea Bolognani ]
* [7f00f6b] Tweak details for libvirt-qemu user
- Improve GECOS field and change home directory to /nonexistent.
This only affects new installations: existing users will not
be modified
.
libvirt (11.10.0-1) unstable; urgency=medium
.
* [13462ab] New upstream version 11.10.0
- Perform ACL checks earlier, preventing malicious users
from potentially being able to crash the daemon
- Closes: #1120584 (CVE-2025-12748)
- Ensure that newly-created snapshots are not world-readable
- Closes: #1120119 (CVE-2025-13193)
- Apply the detect_zeroes settings across all layers of the
backing chain instead of just the topmost one
- Closes: #1121280
* [5732866] common: Add several CPU models
.
libvirt (11.9.0-2) unstable; urgency=medium
.
* [2b22a1b] daemon-plugin-sanlock: Always install augeas config
- Fixes FTBFS on architectures that don't enable the QEMU driver
.
libvirt (11.9.0-1) unstable; urgency=medium
.
* [a76d51f] New upstream version 11.9.0
.
libvirt (11.8.0-2) unstable; urgency=medium
.
* [a17e07a] patches: Add backports
- Fix building against Wireshark 4.6.0
- Closes: #1118069
.
libvirt (11.8.0-1) unstable; urgency=medium
.
* [b4ab89e] New upstream version 11.8.0
* [3e1d30b] upstream: Update keyring
.
libvirt (11.7.0-1) unstable; urgency=medium
.
[ Nuri KÜÇÜKLER ]
* [192b7f1] debconf: Add Turkish translation
- Closes: #1110365
.
[ Andrea Bolognani ]
* [cc15910] New upstream version 11.7.0
Checksums-Sha1:
2e72f4f870aba93a6cedd0b36fcc99fb7d726ad0 7909 libvirt_12.0.0-1ubuntu1.dsc
9b03a46ebd57c2717c2a66a07cbb59d7d528f8f1 10272864 libvirt_12.0.0.orig.tar.xz
4f50bee911ddbce7e99405a597fe4f5db901ca4d 833 libvirt_12.0.0.orig.tar.xz.asc
46355dab9451a38da2a286c64bcb7e15be9f018c 114860 libvirt_12.0.0-1ubuntu1.debian.tar.xz
148f4db7340e595d6b280d8502e0da54996bc347 8222 libvirt_12.0.0-1ubuntu1_source.buildinfo
Checksums-Sha256:
9783ac5bdde0f5d39c7ed36450c25444f1cb3937e85aa3e8bbaf30695b62fd10 7909 libvirt_12.0.0-1ubuntu1.dsc
bf4e680019c04c45b557dd4a7ef59e952887f74e3c47044fe035a961fb624726 10272864 libvirt_12.0.0.orig.tar.xz
55957ea518a28eaa66a81be2a1aa23b9ceef9efd87f85d57a4e6a9ae89a95f69 833 libvirt_12.0.0.orig.tar.xz.asc
2f0cee01f5b9d91d0ef005c906d4f30a7293ad4f2e339aef90107a539896d26e 114860 libvirt_12.0.0-1ubuntu1.debian.tar.xz
60e35df0d429c95f17a936cefd101395ddaffca5e24cd8576ee0a8a44843babc 8222 libvirt_12.0.0-1ubuntu1_source.buildinfo
Files:
f3c5e61c238da0305371f205383b13e5 7909 libs optional libvirt_12.0.0-1ubuntu1.dsc
8bfd7f72e5d9b74c38000f4bc3fd6bae 10272864 libs optional libvirt_12.0.0.orig.tar.xz
38b70362dce3c1841b480ff91242458a 833 libs optional libvirt_12.0.0.orig.tar.xz.asc
0bef1015f5e9f58bb494b14c16399596 114860 libs optional libvirt_12.0.0-1ubuntu1.debian.tar.xz
85a52f5197bd54e1f7ff84703efce296 8222 libs optional libvirt_12.0.0-1ubuntu1_source.buildinfo
Original-Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers at lists.alioth.debian.org>
Vcs-Git: https://git.launchpad.net/~paelzer/ubuntu/+source/libvirt
Vcs-Git-Commit: 3e218c0a0a34714e3c83221503a297590561e731
Vcs-Git-Ref: refs/heads/merge-lp2126022-resolute
More information about the Resolute-changes
mailing list