Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libvirt@packages.debian.org
Control: affects -1 + src:libvirt

Please unblock package libvirt.

Note: this is a preemptive unblock request. I will proceed with the
upload once the release team has confirmed that they're okay with it.

[ Reason ]
Various fixes for libvirt in trixie.

[ Tests ]
I have manually verified that the fixes work as intended. They all come
directly from upstream, which means that they were validated in that
context already.

[ Risks ]
Very little risk given the targeted nature of the fixes and the fact
that they are straightforward backports from upstream.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock libvirt/11.3.0-3+deb13u1

-- 
Andrea Bolognani <eof@kiyuko.org>
Resistance is futile, you will be garbage collected.
diff -Nru libvirt-11.3.0/debian/changelog libvirt-11.3.0/debian/changelog --- libvirt-11.3.0/debian/changelog 2025-07-02 22:15:28.000000000 +0200 +++ libvirt-11.3.0/debian/changelog 2025-09-21 18:29:38.000000000 +0200 @@ -1,3 +1,25 @@ +libvirt (11.3.0-3+deb13u1) trixie; urgency=medium + + * [6a549fc] patches: Add backports + - backport/tlscert-Don-t-force-keyEncipherment[...] + - backport/tls-Don-t-require-keyEncipherment-[...] + - backport/tests-[...]-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM[...] + - Removes the requirement to have keyEncipherment enabled + for TLS certificates + - Closes: #1110816 + * [8b355a8] patches: Add backports + - backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-[...] + - Prevents journal spam when using the LXC driver + - Closes: #1110963 + * [f5079ab] patches: Add backports + - backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-[...] + - Fixes a daemon crash that occurs when probing capabilities + for a QEMU binary that doesn't report information about + CPU models + - Closes: #1112481 + + -- Andrea Bolognani <eof@kiyuko.org> Sun, 21 Sep 2025 18:29:38 +0200 + libvirt (11.3.0-3) unstable; urgency=medium * [d10b70f] patches: Add backports diff -Nru libvirt-11.3.0/debian/patches/backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch libvirt-11.3.0/debian/patches/backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch --- libvirt-11.3.0/debian/patches/backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-11.3.0/debian/patches/backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch 2025-09-21 18:29:38.000000000 +0200 
@@ -0,0 +1,34 @@ +From: Peter Krempa <pkrempa@redhat.com> +Date: Tue, 26 Aug 2025 13:57:42 +0200 +Subject: daemon: Drop log level of VIR_ERR_NO_SUPPORT to debug + +The error code signals that the API the user called is not supported by +the driver. This can happen with some hypervisor drivers which don't +have everything implemented yet. There's no point in spamming the log +with it. + +Closes: https://gitlab.com/libvirt/libvirt/-/issues/805 +Signed-off-by: Peter Krempa <pkrempa@redhat.com> +Reviewed-by: Martin Kletzander <mkletzan@redhat.com> +(cherry picked from commit 37a1bd945899308d1c071bb885e5d1d9529d6b85) + +Bug-Debian: https://bugs.debian.org/1110963 + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commits/37a1bd945899308d1c071bb885e5d1d9529d6b85 +--- + src/remote/remote_daemon.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c +index 1424d4c..2973813 100644 +--- a/src/remote/remote_daemon.c ++++ b/src/remote/remote_daemon.c +@@ -108,6 +108,7 @@ static int daemonErrorLogFilter(virErrorPtr err, int priority) + case VIR_ERR_NO_CLIENT: + case VIR_ERR_NO_HOSTNAME: + case VIR_ERR_NO_NETWORK_METADATA: ++ case VIR_ERR_NO_SUPPORT: + return VIR_LOG_DEBUG; + } + diff -Nru libvirt-11.3.0/debian/patches/backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch libvirt-11.3.0/debian/patches/backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch --- libvirt-11.3.0/debian/patches/backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-11.3.0/debian/patches/backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch 2025-09-21 18:29:38.000000000 +0200 
@@ -0,0 +1,76 @@ +From: anonymix007 <48598263+anonymix007@users.noreply.github.com> +Date: Wed, 4 Jun 2025 12:05:23 +0300 +Subject: qemu: capabilities: Check if cpuModels is not NULL before trying to + dereference it + +accel->cpuModels field might be NULL if QEMU does not return CPU models. +The following backtrace is observed in such cases: +0 virQEMUCapsProbeQMPCPUDefinitions (qemuCaps=qemuCaps@entry=0x7f1890003ae0, accel=accel@entry=0x7f1890003c10, mon=mon@entry=0x7f1890005270) + at ../src/qemu/qemu_capabilities.c:3091 +1 0x00007f18b42fa7b1 in virQEMUCapsInitQMPMonitor (qemuCaps=qemuCaps@entry=0x7f1890003ae0, mon=0x7f1890005270) at ../src/qemu/qemu_capabilities.c:5746 +2 0x00007f18b42fafaf in virQEMUCapsInitQMPSingle (qemuCaps=qemuCaps@entry=0x7f1890003ae0, libDir=libDir@entry=0x7f186c1e70f0 "/var/lib/libvirt/qemu", + runUid=runUid@entry=955, runGid=runGid@entry=955, onlyTCG=onlyTCG@entry=false) at ../src/qemu/qemu_capabilities.c:5832 +3 0x00007f18b42fb1a5 in virQEMUCapsInitQMP (qemuCaps=0x7f1890003ae0, libDir=0x7f186c1e70f0 "/var/lib/libvirt/qemu", runUid=955, runGid=955) + at ../src/qemu/qemu_capabilities.c:5848 +4 virQEMUCapsNewForBinaryInternal (hostArch=VIR_ARCH_X86_64, binary=binary@entry=0x7f1868002fc0 "/usr/bin/qemu-system-alpha", + libDir=0x7f186c1e70f0 "/var/lib/libvirt/qemu", runUid=955, runGid=955, + hostCPUSignature=0x7f186c1e9f20 "AuthenticAMD, AMD Ryzen 9 7950X 16-Core Processor, family: 25, model: 97, stepping: 2", microcodeVersion=174068233, + kernelVersion=0x7f186c194200 "6.14.9-arch1-1 #1 SMP PREEMPT_DYNAMIC Thu, 29 May 2025 21:42:15 +0000", cpuData=0x7f186c1ea490) + at ../src/qemu/qemu_capabilities.c:5907 +5 0x00007f18b42fb4c9 in virQEMUCapsNewData (binary=0x7f1868002fc0 "/usr/bin/qemu-system-alpha", privData=0x7f186c194280) + at ../src/qemu/qemu_capabilities.c:5942 +6 0x00007f18bd42d302 in virFileCacheNewData (cache=0x7f186c193730, name=0x7f1868002fc0 "/usr/bin/qemu-system-alpha") at ../src/util/virfilecache.c:206 +7 virFileCacheValidate 
(cache=cache@entry=0x7f186c193730, name=name@entry=0x7f1868002fc0 "/usr/bin/qemu-system-alpha", data=data@entry=0x7f18b67c37c0) + at ../src/util/virfilecache.c:269 +8 0x00007f18bd42d5b8 in virFileCacheLookup (cache=cache@entry=0x7f186c193730, name=name@entry=0x7f1868002fc0 "/usr/bin/qemu-system-alpha") + at ../src/util/virfilecache.c:301 +9 0x00007f18b42fb679 in virQEMUCapsCacheLookup (cache=cache@entry=0x7f186c193730, binary=binary@entry=0x7f1868002fc0 "/usr/bin/qemu-system-alpha") + at ../src/qemu/qemu_capabilities.c:6036 +10 0x00007f18b42fb785 in virQEMUCapsInitGuest (caps=<optimized out>, cache=<optimized out>, hostarch=VIR_ARCH_X86_64, guestarch=VIR_ARCH_ALPHA) + at ../src/qemu/qemu_capabilities.c:1037 +11 virQEMUCapsInit (cache=0x7f186c193730) at ../src/qemu/qemu_capabilities.c:1229 +12 0x00007f18b431d311 in virQEMUDriverCreateCapabilities (driver=driver@entry=0x7f186c01f410) at ../src/qemu/qemu_conf.c:1553 +13 0x00007f18b431d663 in virQEMUDriverGetCapabilities (driver=0x7f186c01f410, refresh=<optimized out>) at ../src/qemu/qemu_conf.c:1623 +14 0x00007f18b435e3e4 in qemuConnectGetVersion (conn=<optimized out>, version=0x7f18b67c39b0) at ../src/qemu/qemu_driver.c:1492 +15 0x00007f18bd69c5e8 in virConnectGetVersion (conn=0x55bc5f4cda20, hvVer=hvVer@entry=0x7f18b67c39b0) at ../src/libvirt-host.c:201 +16 0x000055bc34ef3627 in remoteDispatchConnectGetVersion (server=0x55bc5f4b93f0, msg=0x55bc5f4cdf60, client=0x55bc5f4c66d0, rerr=0x7f18b67c3a80, + ret=0x55bc5f4b8670) at src/remote/remote_daemon_dispatch_stubs.h:1265 +17 remoteDispatchConnectGetVersionHelper (server=0x55bc5f4b93f0, client=0x55bc5f4c66d0, msg=0x55bc5f4cdf60, rerr=0x7f18b67c3a80, args=0x0, ret=0x55bc5f4b8670) + at src/remote/remote_daemon_dispatch_stubs.h:1247 +18 0x00007f18bd5506da in virNetServerProgramDispatchCall (prog=0x55bc5f4cae90, server=0x55bc5f4b93f0, client=0x55bc5f4c66d0, msg=0x55bc5f4cdf60) + at ../src/rpc/virnetserverprogram.c:423 +19 virNetServerProgramDispatch (prog=0x55bc5f4cae90, 
server=server@entry=0x55bc5f4b93f0, client=0x55bc5f4c66d0, msg=0x55bc5f4cdf60) + at ../src/rpc/virnetserverprogram.c:299 +20 0x00007f18bd556c32 in virNetServerProcessMsg (srv=srv@entry=0x55bc5f4b93f0, client=<optimized out>, prog=<optimized out>, msg=<optimized out>) + at ../src/rpc/virnetserver.c:135 +21 0x00007f18bd556f77 in virNetServerHandleJob (jobOpaque=0x55bc5f4d2bb0, opaque=0x55bc5f4b93f0) at ../src/rpc/virnetserver.c:155 +22 0x00007f18bd47dd19 in virThreadPoolWorker (opaque=<optimized out>) at ../src/util/virthreadpool.c:164 +23 0x00007f18bd47d253 in virThreadHelper (data=0x55bc5f4b7810) at ../src/util/virthread.c:256 +24 0x00007f18bce117eb in start_thread (arg=<optimized out>) at pthread_create.c:448 +25 0x00007f18bce9518c in __GI___clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 + +Signed-off-by: anonymix007 <anonymix007@users.noreply.github.com> +(cherry picked from commit e7239c619fcaf35b8b605ce07c5d5b15351b3a62) + +Bug-Debian: https://bugs.debian.org/1112481 + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commits/e7239c619fcaf35b8b605ce07c5d5b15351b3a62 +--- + src/qemu/qemu_capabilities.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c +index a804335..e937fe3 100644 +--- a/src/qemu/qemu_capabilities.c ++++ b/src/qemu/qemu_capabilities.c +@@ -3078,6 +3078,9 @@ virQEMUCapsProbeQMPCPUDefinitions(virQEMUCaps *qemuCaps, + if (virQEMUCapsFetchCPUDefinitions(mon, qemuCaps->arch, &accel->cpuModels) < 0) + return -1; + ++ if (!accel->cpuModels) ++ return 0; ++ + defs = accel->cpuModels; + for (i = 0; i < defs->ncpus; i++) { + if (STREQ_NULLABLE(defs->cpus[i].name, "max")) { diff -Nru libvirt-11.3.0/debian/patches/backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch libvirt-11.3.0/debian/patches/backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch --- 
libvirt-11.3.0/debian/patches/backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-11.3.0/debian/patches/backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch 2025-09-21 18:29:38.000000000 +0200 
@@ -0,0 +1,237 @@ +From: Peter Krempa <pkrempa@redhat.com> +Date: Tue, 1 Jul 2025 13:48:00 +0200 +Subject: tests: virnettls*test: Drop use of GNUTLS_KEY_KEY_ENCIPHERMENT +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +It's not needed with TLS 1.3 any more. + +Signed-off-by: Peter Krempa <pkrempa@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> +(cherry picked from commit e67952b0e612c9ad3c3eec8bb692589602953ee8) + +Bug-Debian: https://bugs.debian.org/1110816 + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commits/e67952b0e612c9ad3c3eec8bb692589602953ee8 +--- + tests/virnettlscontexttest.c | 36 ++++++++++++++++++------------------ + tests/virnettlssessiontest.c | 14 +++++++------- + 2 files changed, 25 insertions(+), 25 deletions(-) + +diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c +index 2311524..48bdefd 100644 +--- a/tests/virnettlscontexttest.c ++++ b/tests/virnettlscontexttest.c +@@ -156,13 +156,13 @@ mymain(void) + TLS_CERT_REQ(servercertreq, cacertreq, + "UK", "libvirt.org", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, + 0, 0); + TLS_CERT_REQ(clientcertreq, cacertreq, + "UK", "libvirt", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, + 0, 0); + +@@ -182,7 +182,7 @@ mymain(void) + TLS_CERT_REQ(servercert1req, cacert1req, + "UK", "libvirt.org", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, + 0, 0); + +@@ -196,7 +196,7 @@ mymain(void) + TLS_CERT_REQ(servercert2req, 
cacert2req, + "UK", "libvirt.org", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, + 0, 0); + +@@ -210,7 +210,7 @@ mymain(void) + TLS_CERT_REQ(servercert3req, cacert3req, + "UK", "libvirt.org", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, + 0, 0); + +@@ -230,7 +230,7 @@ mymain(void) + TLS_CERT_REQ(servercert4req, cacert4req, + "UK", "libvirt.org", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, + 0, 0); + /* no-basic */ +@@ -243,7 +243,7 @@ mymain(void) + TLS_CERT_REQ(servercert5req, cacert5req, + "UK", "libvirt.org", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, + 0, 0); + /* Key usage:dig-sig:critical */ +@@ -256,7 +256,7 @@ mymain(void) + TLS_CERT_REQ(servercert6req, cacert6req, + "UK", "libvirt.org", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, + 0, 0); + +@@ -284,7 +284,7 @@ mymain(void) + TLS_CERT_REQ(servercert8req, cacertreq, + "UK", "libvirt", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_CERT_SIGN, + false, false, NULL, NULL, + 0, 0); + /* usage:cert-sign:not-critical */ +@@ -372,7 +372,7 
@@ mymain(void) + TLS_CERT_REQ(clientcert2req, cacertreq, + "UK", "libvirt", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_CERT_SIGN, + false, false, NULL, NULL, + 0, 0); + /* usage:cert-sign:not-critical */ +@@ -459,19 +459,19 @@ mymain(void) + TLS_CERT_REQ(servercertexpreq, cacertexpreq, + "UK", "libvirt.org", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, + 0, 0); + TLS_CERT_REQ(servercertexp1req, cacertreq, + "UK", "libvirt", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, + 0, -1); + TLS_CERT_REQ(clientcertexp1req, cacertreq, + "UK", "libvirt", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, + 0, -1); + +@@ -491,19 +491,19 @@ mymain(void) + TLS_CERT_REQ(servercertnewreq, cacertnewreq, + "UK", "libvirt", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, + 0, 0); + TLS_CERT_REQ(servercertnew1req, cacertreq, + "UK", "libvirt", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, + 1, 2); + TLS_CERT_REQ(clientcertnew1req, cacertreq, + "UK", "libvirt", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, 
GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, + 1, 2); + +@@ -538,13 +538,13 @@ mymain(void) + TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq, + "UK", "libvirt.org", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, + 0, 0); + TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq, + "UK", "libvirt client level 2b", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, + 0, 0); + +diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c +index 285cde5..459e17c 100644 +--- a/tests/virnettlssessiontest.c ++++ b/tests/virnettlssessiontest.c +@@ -314,20 +314,20 @@ mymain(void) + TLS_CERT_REQ(servercertreq, cacertreq, + "UK", "libvirt.org", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, + 0, 0); + TLS_CERT_REQ(clientcertreq, cacertreq, + "UK", "libvirt", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, + 0, 0); + + TLS_CERT_REQ(clientcertaltreq, altcacertreq, + "UK", "libvirt", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, + 0, 0); + +@@ -342,14 +342,14 @@ mymain(void) + TLS_CERT_REQ(servercertalt1req, cacertreq, + "UK", "libvirt.org", "www.libvirt.org", 
"libvirt.org", "192.168.122.1", "fec0::dead:beaf", + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, + 0, 0); + /* This intentionally doesn't replicate */ + TLS_CERT_REQ(servercertalt2req, cacertreq, + "UK", "libvirt.org", "www.libvirt.org", "wiki.libvirt.org", "192.168.122.1", "fec0::dead:beaf", + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, + 0, 0); + +@@ -433,13 +433,13 @@ mymain(void) + TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq, + "UK", "libvirt.org", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, + 0, 0); + TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq, + "UK", "libvirt client level 2b", NULL, NULL, NULL, NULL, + true, true, false, +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, + 0, 0); + diff -Nru libvirt-11.3.0/debian/patches/backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch libvirt-11.3.0/debian/patches/backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch --- libvirt-11.3.0/debian/patches/backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-11.3.0/debian/patches/backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch 2025-09-21 18:29:38.000000000 +0200 
@@ -0,0 +1,73 @@ +From: Peter Krempa <pkrempa@redhat.com> +Date: Tue, 17 Jun 2025 15:01:26 +0200 +Subject: tlscert: Don't force 'keyEncipherment' for ECDSA and ECDH +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV +algorithms must not have 'keyEncipherment' present, but our code did +check it. Add exemption for known algorithms which don't use it. + +[1] https://datatracker.ietf.org/doc/rfc8813/ +[2] https://datatracker.ietf.org/doc/rfc5480 + +Closes: https://gitlab.com/libvirt/libvirt/-/issues/691 +Signed-off-by: Peter Krempa <pkrempa@redhat.com> +Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> +Reviewed-by: Michal Privoznik <mprivozn@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> +(cherry picked from commit 11867b0224a2b8dc34755ff0ace446b6842df1c1) + +Bug-Debian: https://bugs.debian.org/1110816 + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commits/11867b0224a2b8dc34755ff0ace446b6842df1c1 +--- + src/rpc/virnettlscert.c | 33 +++++++++++++++++++++++++-------- + 1 file changed, 25 insertions(+), 8 deletions(-) + +diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c +index 1befbe0..f197995 100644 +--- a/src/rpc/virnettlscert.c ++++ b/src/rpc/virnettlscert.c +@@ -163,14 +163,31 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert, + } + } + if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) { +- if (critical) { +- virReportError(VIR_ERR_SYSTEM_ERROR, +- _("Certificate %1$s usage does not permit key encipherment"), +- certFile); +- return -1; +- } else { +- VIR_WARN("Certificate %s usage does not permit key encipherment", +- certFile); ++ int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL); ++ ++ /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV ++ * algorithms must not have 'keyEncipherment' present. 
++ * ++ * [1] https://datatracker.ietf.org/doc/rfc8813/ ++ * [2] https://datatracker.ietf.org/doc/rfc5480 ++ */ ++ ++ switch (alg) { ++ case GNUTLS_PK_ECDSA: ++ case GNUTLS_PK_ECDH_X25519: ++ case GNUTLS_PK_ECDH_X448: ++ break; ++ ++ default: ++ if (critical) { ++ virReportError(VIR_ERR_SYSTEM_ERROR, ++ _("Certificate %1$s usage does not permit key encipherment"), ++ certFile); ++ return -1; ++ } else { ++ VIR_WARN("Certificate %s usage does not permit key encipherment", ++ certFile); ++ } + } + } + } diff -Nru libvirt-11.3.0/debian/patches/backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch libvirt-11.3.0/debian/patches/backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch --- libvirt-11.3.0/debian/patches/backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-11.3.0/debian/patches/backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch 2025-09-21 18:29:38.000000000 +0200 
@@ -0,0 +1,84 @@ +From: Peter Krempa <pkrempa@redhat.com> +Date: Mon, 30 Jun 2025 19:19:42 +0200 +Subject: tls: Don't require 'keyEncipherment' to be enabled altoghther +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +Key encipherment is required only for RSA key exchange algorithm. With +TLS 1.3 this is not even used as RSA is used only for authentication. + +Since we can't really check when it's required ahead of time drop the +check completely. GnuTLS will moan if it will not be able to use RSA +key exchange. + +In commit 11867b0224a2 I tried to relax the check for some eliptic +curve algorithm that explicitly forbid it. Based on the above the proper +solution is to completely remove it. + +Resolves: https://issues.redhat.com/browse/RHEL-100711 +Fixes: 11867b0224a2b8dc34755ff0ace446b6842df1c1 +Signed-off-by: Peter Krempa <pkrempa@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> +(cherry picked from commit 8cecd3249e5fa5478a7c53567971b4d969274ea3) + +Bug-Debian: https://bugs.debian.org/1110816 + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commits/8cecd3249e5fa5478a7c53567971b4d969274ea3 +--- + src/rpc/virnettlscert.c | 34 ++++------------------------------ + 1 file changed, 4 insertions(+), 30 deletions(-) + +diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c +index f197995..6a723c1 100644 +--- a/src/rpc/virnettlscert.c ++++ b/src/rpc/virnettlscert.c +@@ -128,8 +128,10 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert, + VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, status, usage, critical); + if (status < 0) { + if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { +- usage = isCA ? 
GNUTLS_KEY_KEY_CERT_SIGN : +- GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT; ++ if (isCA) ++ usage = GNUTLS_KEY_KEY_CERT_SIGN; ++ else ++ usage = GNUTLS_KEY_DIGITAL_SIGNATURE; + } else { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Unable to query certificate %1$s key usage %2$s"), +@@ -162,34 +164,6 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert, + certFile); + } + } +- if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) { +- int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL); +- +- /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV +- * algorithms must not have 'keyEncipherment' present. +- * +- * [1] https://datatracker.ietf.org/doc/rfc8813/ +- * [2] https://datatracker.ietf.org/doc/rfc5480 +- */ +- +- switch (alg) { +- case GNUTLS_PK_ECDSA: +- case GNUTLS_PK_ECDH_X25519: +- case GNUTLS_PK_ECDH_X448: +- break; +- +- default: +- if (critical) { +- virReportError(VIR_ERR_SYSTEM_ERROR, +- _("Certificate %1$s usage does not permit key encipherment"), +- certFile); +- return -1; +- } else { +- VIR_WARN("Certificate %s usage does not permit key encipherment", +- certFile); +- } +- } +- } + } + + return 0; diff -Nru libvirt-11.3.0/debian/patches/series libvirt-11.3.0/debian/patches/series --- libvirt-11.3.0/debian/patches/series 2025-07-02 22:15:28.000000000 +0200 +++ libvirt-11.3.0/debian/patches/series 2025-09-21 18:29:38.000000000 +0200 
@@ -1,5 +1,10 @@ backport/qemuProcessStartWithMemoryState-Don-t-setup-qemu-for-inco.patch backport/qemu-Be-more-forgiving-when-acquiring-QUERY-job-when-form.patch +backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch +backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch +backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch +backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch +backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch debian/Debianize-libvirt-guests.patch debian/apparmor_profiles_local_include.patch debian/Use-sensible-editor-by-default.patch
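Review bot: in the qemu_capabilities.c hunk, the new `if (!accel->cpuModels) return 0;` turns a QEMU binary that reports no CPU models into a silent success, so the case cannot be told apart from a populated model list afterwards; a debug-level log line naming the binary before the return would keep it diagnosable. The backtrace in the commit message shows the NULL dereference being reached from remoteDispatchConnectGetVersion, i.e. a plain virConnectGetVersion RPC from any connected client could crash libvirtd while it probed /usr/bin/qemu-system-alpha, which is what makes this a reasonable stable update rather than a cosmetic fix.

Review bot: in the remote_daemon.c hunk, adding VIR_ERR_NO_SUPPORT to the VIR_LOG_DEBUG cases means that at the default log level the daemon no longer records clients calling APIs the driver does not implement; the error is still returned to the caller, so nothing changes functionally, but operators who watched these messages to spot misbehaving clients will need a debug log filter for the daemon to keep that signal.

Review bot: in the first virnettlscert.c patch (the one adding the `switch (alg)` block), both the commit message and the new code comment say "RFC5580" while the URL they cite is rfc5480; RFC 5480 is the ECC SubjectPublicKeyInfo specification that RFC 8813 updates, so the text should read RFC 5480. The comment is deleted again by the following patch, but the typo stays in the shipped commit message of the .patch file. A negative return from gnutls_x509_crt_get_pk_algorithm() falls through to `default:`, which is the conservative path, so that part is fine.

Review bot: in the second virnettlscert.c patch, the `@@ -128,8` hunk changes the usage assumed for a non-CA certificate without a KeyUsage extension from DIGITAL_SIGNATURE|KEY_ENCIPHERMENT to DIGITAL_SIGNATURE only, and the `@@ -162,34` hunk removes the whole keyEncipherment block including the "Certificate %1$s usage does not permit key encipherment" error; after this libvirt no longer rejects or warns about such certificates for any key algorithm and, as the commit message says, enforcement of RSA key exchange usage is left to GnuTLS at handshake time. Any log monitoring keyed on that error string can be retired, and the behaviour change is worth a sentence in d/changelog beyond "Removes the requirement", since a certificate that previously failed to load will now load.

Review bot: in the virnettlscontexttest.c and virnettlssessiontest.c hunks, every TLS_CERT_REQ loses GNUTLS_KEY_KEY_ENCIPHERMENT, so the suite no longer generates a single certificate that carries keyEncipherment; since the check being removed made both variants acceptable, keeping one server and one client request with the flag would give a regression test that legacy RSA certificates with keyEncipherment set are still accepted.

Review bot: in the debian/patches/series hunk, the order of the two virnettlscert patches is load-bearing: the second patch's `index f197995..6a723c1` starts from the blob the first produces (`index 1befbe0..f197995`), so swapping them breaks application. The second patch removes everything the first adds, so the pair nets out to a pure removal; carrying both keeps the upstream commit identities and the Fixes: reference intact, which is the right trade-off for a stable update, but it is worth stating in the changelog that the intermediate ECDSA-exemption state never ships on its own.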