
Bug#1115914: marked as done (trixie-pu: package libvirt/11.3.0-3+deb13u1)



Your message dated Sat, 15 Nov 2025 11:21:45 +0000
with message-id <736c7150dc08501cc89945035c406eaf9688e144.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 13.2
has caused the Debian Bug report #1115914,
regarding trixie-pu: package libvirt/11.3.0-3+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1115914: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115914
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libvirt@packages.debian.org
Control: affects -1 + src:libvirt

Please unblock package libvirt.

Note: this is a preemptive unblock request. I will proceed with the
upload once the release team has confirmed that they're okay with it.

[ Reason ]

Various fixes for libvirt in trixie.

[ Tests ]

I have manually verified that the fixes work as intended. They all
come directly from upstream, which means that they were validated in
that context already.

[ Risks ]

Very little risk given the targeted nature of the fixes and the fact
that they are straightforward backports from upstream.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock libvirt/11.3.0-3+deb13u1

-- 
Andrea Bolognani <eof@kiyuko.org>
Resistance is futile, you will be garbage collected.
diff -Nru libvirt-11.3.0/debian/changelog libvirt-11.3.0/debian/changelog
--- libvirt-11.3.0/debian/changelog	2025-07-02 22:15:28.000000000 +0200
+++ libvirt-11.3.0/debian/changelog	2025-09-21 18:29:38.000000000 +0200
@@ -1,3 +1,25 @@
+libvirt (11.3.0-3+deb13u1) trixie; urgency=medium
+
+  * [6a549fc] patches: Add backports
+    - backport/tlscert-Don-t-force-keyEncipherment[...]
+    - backport/tls-Don-t-require-keyEncipherment-[...]
+    - backport/tests-[...]-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM[...]
+      - Removes the requirement to have keyEncipherment enabled
+        for TLS certificates
+      - Closes: #1110816
+  * [8b355a8] patches: Add backports
+    - backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-[...]
+      - Prevents journal spam when using the LXC driver
+      - Closes: #1110963
+  * [f5079ab] patches: Add backports
+    - backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-[...]
+      - Fixes a daemon crash that occurs when probing capabilities
+        for a QEMU binary that doesn't report information about
+        CPU models
+      - Closes: #1112481
+
+ -- Andrea Bolognani <eof@kiyuko.org>  Sun, 21 Sep 2025 18:29:38 +0200
+
 libvirt (11.3.0-3) unstable; urgency=medium
 
   * [d10b70f] patches: Add backports
diff -Nru libvirt-11.3.0/debian/patches/backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch libvirt-11.3.0/debian/patches/backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch
--- libvirt-11.3.0/debian/patches/backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvirt-11.3.0/debian/patches/backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch	2025-09-21 18:29:38.000000000 +0200
@@ -0,0 +1,34 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Tue, 26 Aug 2025 13:57:42 +0200
+Subject: daemon: Drop log level of VIR_ERR_NO_SUPPORT to debug
+
+The error code signals that the API the user called is not supported by
+the driver. This can happen with some hypervisor drivers which don't
+have everything implemented yet. There's no point in spamming the log
+with it.
+
+Closes: https://gitlab.com/libvirt/libvirt/-/issues/805
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 37a1bd945899308d1c071bb885e5d1d9529d6b85)
+
+Bug-Debian: https://bugs.debian.org/1110963
+
+Forwarded: not-needed
+Origin: https://gitlab.com/libvirt/libvirt/-/commits/37a1bd945899308d1c071bb885e5d1d9529d6b85
+---
+ src/remote/remote_daemon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
+index 1424d4c..2973813 100644
+--- a/src/remote/remote_daemon.c
++++ b/src/remote/remote_daemon.c
+@@ -108,6 +108,7 @@ static int daemonErrorLogFilter(virErrorPtr err, int priority)
+     case VIR_ERR_NO_CLIENT:
+     case VIR_ERR_NO_HOSTNAME:
+     case VIR_ERR_NO_NETWORK_METADATA:
++    case VIR_ERR_NO_SUPPORT:
+         return VIR_LOG_DEBUG;
+     }
+ 
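Review bot: the new `case VIR_ERR_NO_SUPPORT:` in daemonErrorLogFilter sends every "API not supported by this driver" error to VIR_LOG_DEBUG, so it vanishes from the default journal. That is the intended fix for the LXC spam in #1110963, but it also removes a signal some operators watch: a client repeatedly invoking APIs a driver does not implement is no longer visible unless libvirtd's log level is raised. A sentence in the changelog or NEWS would let anyone alerting on those messages adjust their log filters.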
diff -Nru libvirt-11.3.0/debian/patches/backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch libvirt-11.3.0/debian/patches/backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch
--- libvirt-11.3.0/debian/patches/backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvirt-11.3.0/debian/patches/backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch	2025-09-21 18:29:38.000000000 +0200
@@ -0,0 +1,76 @@
+From: anonymix007 <48598263+anonymix007@users.noreply.github.com>
+Date: Wed, 4 Jun 2025 12:05:23 +0300
+Subject: qemu: capabilities: Check if cpuModels is not NULL before trying to
+ dereference it
+
+accel->cpuModels field might be NULL if QEMU does not return CPU models.
+The following backtrace is observed in such cases:
+0  virQEMUCapsProbeQMPCPUDefinitions (qemuCaps=qemuCaps@entry=0x7f1890003ae0, accel=accel@entry=0x7f1890003c10, mon=mon@entry=0x7f1890005270)
+   at ../src/qemu/qemu_capabilities.c:3091
+1  0x00007f18b42fa7b1 in virQEMUCapsInitQMPMonitor (qemuCaps=qemuCaps@entry=0x7f1890003ae0, mon=0x7f1890005270) at ../src/qemu/qemu_capabilities.c:5746
+2  0x00007f18b42fafaf in virQEMUCapsInitQMPSingle (qemuCaps=qemuCaps@entry=0x7f1890003ae0, libDir=libDir@entry=0x7f186c1e70f0 "/var/lib/libvirt/qemu",
+   runUid=runUid@entry=955, runGid=runGid@entry=955, onlyTCG=onlyTCG@entry=false) at ../src/qemu/qemu_capabilities.c:5832
+3  0x00007f18b42fb1a5 in virQEMUCapsInitQMP (qemuCaps=0x7f1890003ae0, libDir=0x7f186c1e70f0 "/var/lib/libvirt/qemu", runUid=955, runGid=955)
+   at ../src/qemu/qemu_capabilities.c:5848
+4  virQEMUCapsNewForBinaryInternal (hostArch=VIR_ARCH_X86_64, binary=binary@entry=0x7f1868002fc0 "/usr/bin/qemu-system-alpha",
+   libDir=0x7f186c1e70f0 "/var/lib/libvirt/qemu", runUid=955, runGid=955,
+   hostCPUSignature=0x7f186c1e9f20 "AuthenticAMD, AMD Ryzen 9 7950X 16-Core Processor, family: 25, model: 97, stepping: 2", microcodeVersion=174068233,
+   kernelVersion=0x7f186c194200 "6.14.9-arch1-1 #1 SMP PREEMPT_DYNAMIC Thu, 29 May 2025 21:42:15 +0000", cpuData=0x7f186c1ea490)
+   at ../src/qemu/qemu_capabilities.c:5907
+5  0x00007f18b42fb4c9 in virQEMUCapsNewData (binary=0x7f1868002fc0 "/usr/bin/qemu-system-alpha", privData=0x7f186c194280)
+   at ../src/qemu/qemu_capabilities.c:5942
+6  0x00007f18bd42d302 in virFileCacheNewData (cache=0x7f186c193730, name=0x7f1868002fc0 "/usr/bin/qemu-system-alpha") at ../src/util/virfilecache.c:206
+7  virFileCacheValidate (cache=cache@entry=0x7f186c193730, name=name@entry=0x7f1868002fc0 "/usr/bin/qemu-system-alpha", data=data@entry=0x7f18b67c37c0)
+   at ../src/util/virfilecache.c:269
+8  0x00007f18bd42d5b8 in virFileCacheLookup (cache=cache@entry=0x7f186c193730, name=name@entry=0x7f1868002fc0 "/usr/bin/qemu-system-alpha")
+   at ../src/util/virfilecache.c:301
+9  0x00007f18b42fb679 in virQEMUCapsCacheLookup (cache=cache@entry=0x7f186c193730, binary=binary@entry=0x7f1868002fc0 "/usr/bin/qemu-system-alpha")
+   at ../src/qemu/qemu_capabilities.c:6036
+10 0x00007f18b42fb785 in virQEMUCapsInitGuest (caps=<optimized out>, cache=<optimized out>, hostarch=VIR_ARCH_X86_64, guestarch=VIR_ARCH_ALPHA)
+   at ../src/qemu/qemu_capabilities.c:1037
+11 virQEMUCapsInit (cache=0x7f186c193730) at ../src/qemu/qemu_capabilities.c:1229
+12 0x00007f18b431d311 in virQEMUDriverCreateCapabilities (driver=driver@entry=0x7f186c01f410) at ../src/qemu/qemu_conf.c:1553
+13 0x00007f18b431d663 in virQEMUDriverGetCapabilities (driver=0x7f186c01f410, refresh=<optimized out>) at ../src/qemu/qemu_conf.c:1623
+14 0x00007f18b435e3e4 in qemuConnectGetVersion (conn=<optimized out>, version=0x7f18b67c39b0) at ../src/qemu/qemu_driver.c:1492
+15 0x00007f18bd69c5e8 in virConnectGetVersion (conn=0x55bc5f4cda20, hvVer=hvVer@entry=0x7f18b67c39b0) at ../src/libvirt-host.c:201
+16 0x000055bc34ef3627 in remoteDispatchConnectGetVersion (server=0x55bc5f4b93f0, msg=0x55bc5f4cdf60, client=0x55bc5f4c66d0, rerr=0x7f18b67c3a80,
+   ret=0x55bc5f4b8670) at src/remote/remote_daemon_dispatch_stubs.h:1265
+17 remoteDispatchConnectGetVersionHelper (server=0x55bc5f4b93f0, client=0x55bc5f4c66d0, msg=0x55bc5f4cdf60, rerr=0x7f18b67c3a80, args=0x0, ret=0x55bc5f4b8670)
+   at src/remote/remote_daemon_dispatch_stubs.h:1247
+18 0x00007f18bd5506da in virNetServerProgramDispatchCall (prog=0x55bc5f4cae90, server=0x55bc5f4b93f0, client=0x55bc5f4c66d0, msg=0x55bc5f4cdf60)
+   at ../src/rpc/virnetserverprogram.c:423
+19 virNetServerProgramDispatch (prog=0x55bc5f4cae90, server=server@entry=0x55bc5f4b93f0, client=0x55bc5f4c66d0, msg=0x55bc5f4cdf60)
+   at ../src/rpc/virnetserverprogram.c:299
+20 0x00007f18bd556c32 in virNetServerProcessMsg (srv=srv@entry=0x55bc5f4b93f0, client=<optimized out>, prog=<optimized out>, msg=<optimized out>)
+   at ../src/rpc/virnetserver.c:135
+21 0x00007f18bd556f77 in virNetServerHandleJob (jobOpaque=0x55bc5f4d2bb0, opaque=0x55bc5f4b93f0) at ../src/rpc/virnetserver.c:155
+22 0x00007f18bd47dd19 in virThreadPoolWorker (opaque=<optimized out>) at ../src/util/virthreadpool.c:164
+23 0x00007f18bd47d253 in virThreadHelper (data=0x55bc5f4b7810) at ../src/util/virthread.c:256
+24 0x00007f18bce117eb in start_thread (arg=<optimized out>) at pthread_create.c:448
+25 0x00007f18bce9518c in __GI___clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
+
+Signed-off-by: anonymix007 <anonymix007@users.noreply.github.com>
+(cherry picked from commit e7239c619fcaf35b8b605ce07c5d5b15351b3a62)
+
+Bug-Debian: https://bugs.debian.org/1112481
+
+Forwarded: not-needed
+Origin: https://gitlab.com/libvirt/libvirt/-/commits/e7239c619fcaf35b8b605ce07c5d5b15351b3a62
+---
+ src/qemu/qemu_capabilities.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
+index a804335..e937fe3 100644
+--- a/src/qemu/qemu_capabilities.c
++++ b/src/qemu/qemu_capabilities.c
+@@ -3078,6 +3078,9 @@ virQEMUCapsProbeQMPCPUDefinitions(virQEMUCaps *qemuCaps,
+     if (virQEMUCapsFetchCPUDefinitions(mon, qemuCaps->arch, &accel->cpuModels) < 0)
+         return -1;
+ 
++    if (!accel->cpuModels)
++        return 0;
++
+     defs = accel->cpuModels;
+     for (i = 0; i < defs->ncpus; i++) {
+         if (STREQ_NULLABLE(defs->cpus[i].name, "max")) {
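Review bot: the early `return 0` when `accel->cpuModels` is NULL fixes the dereference at `defs->ncpus`, but it reports success for a QEMU binary that returned no CPU model list at all, so that binary's capability set simply carries no CPU model data rather than being rejected. Given the backtrace (the crash was hit while probing qemu-system-alpha during a generic capability refresh) silently skipping is the right outcome for such a target; just confirm that every other reader of `accel->cpuModels` in the QEMU driver tolerates NULL, otherwise the crash only moves to the next consumer.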
diff -Nru libvirt-11.3.0/debian/patches/backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch libvirt-11.3.0/debian/patches/backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch
--- libvirt-11.3.0/debian/patches/backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvirt-11.3.0/debian/patches/backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch	2025-09-21 18:29:38.000000000 +0200
@@ -0,0 +1,237 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Tue, 1 Jul 2025 13:48:00 +0200
+Subject: tests: virnettls*test: Drop use of GNUTLS_KEY_KEY_ENCIPHERMENT
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+It's not needed with TLS 1.3 any more.
+
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit e67952b0e612c9ad3c3eec8bb692589602953ee8)
+
+Bug-Debian: https://bugs.debian.org/1110816
+
+Forwarded: not-needed
+Origin: https://gitlab.com/libvirt/libvirt/-/commits/e67952b0e612c9ad3c3eec8bb692589602953ee8
+---
+ tests/virnettlscontexttest.c | 36 ++++++++++++++++++------------------
+ tests/virnettlssessiontest.c | 14 +++++++-------
+ 2 files changed, 25 insertions(+), 25 deletions(-)
+
+diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
+index 2311524..48bdefd 100644
+--- a/tests/virnettlscontexttest.c
++++ b/tests/virnettlscontexttest.c
+@@ -156,13 +156,13 @@ mymain(void)
+     TLS_CERT_REQ(servercertreq, cacertreq,
+                  "UK", "libvirt.org", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+                  0, 0);
+     TLS_CERT_REQ(clientcertreq, cacertreq,
+                  "UK", "libvirt", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+                  0, 0);
+ 
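Review bot: these hunks only remove GNUTLS_KEY_KEY_ENCIPHERMENT from certificate requests the tests already expect to be accepted; none of them adds a case asserting that a certificate whose key usage lacks keyEncipherment is now accepted, which is the behavioural change the two virnettlscert.c patches introduce and the whole point of #1110816. A positive test would guard against the check being reintroduced. Not a blocker for a 1:1 upstream backport.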
+@@ -182,7 +182,7 @@ mymain(void)
+     TLS_CERT_REQ(servercert1req, cacert1req,
+                  "UK", "libvirt.org", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+                  0, 0);
+ 
+@@ -196,7 +196,7 @@ mymain(void)
+     TLS_CERT_REQ(servercert2req, cacert2req,
+                  "UK", "libvirt.org", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+                  0, 0);
+ 
+@@ -210,7 +210,7 @@ mymain(void)
+     TLS_CERT_REQ(servercert3req, cacert3req,
+                  "UK", "libvirt.org", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+                  0, 0);
+ 
+@@ -230,7 +230,7 @@ mymain(void)
+     TLS_CERT_REQ(servercert4req, cacert4req,
+                  "UK", "libvirt.org", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+                  0, 0);
+     /* no-basic */
+@@ -243,7 +243,7 @@ mymain(void)
+     TLS_CERT_REQ(servercert5req, cacert5req,
+                  "UK", "libvirt.org", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+                  0, 0);
+     /* Key usage:dig-sig:critical */
+@@ -256,7 +256,7 @@ mymain(void)
+     TLS_CERT_REQ(servercert6req, cacert6req,
+                  "UK", "libvirt.org", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+                  0, 0);
+ 
+@@ -284,7 +284,7 @@ mymain(void)
+     TLS_CERT_REQ(servercert8req, cacertreq,
+                  "UK", "libvirt", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_CERT_SIGN,
+                  false, false, NULL, NULL,
+                  0, 0);
+     /* usage:cert-sign:not-critical */
+@@ -372,7 +372,7 @@ mymain(void)
+     TLS_CERT_REQ(clientcert2req, cacertreq,
+                  "UK", "libvirt", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_CERT_SIGN,
+                  false, false, NULL, NULL,
+                  0, 0);
+     /* usage:cert-sign:not-critical */
+@@ -459,19 +459,19 @@ mymain(void)
+     TLS_CERT_REQ(servercertexpreq, cacertexpreq,
+                  "UK", "libvirt.org", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+                  0, 0);
+     TLS_CERT_REQ(servercertexp1req, cacertreq,
+                  "UK", "libvirt", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+                  0, -1);
+     TLS_CERT_REQ(clientcertexp1req, cacertreq,
+                  "UK", "libvirt", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+                  0, -1);
+ 
+@@ -491,19 +491,19 @@ mymain(void)
+     TLS_CERT_REQ(servercertnewreq, cacertnewreq,
+                  "UK", "libvirt", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+                  0, 0);
+     TLS_CERT_REQ(servercertnew1req, cacertreq,
+                  "UK", "libvirt", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+                  1, 2);
+     TLS_CERT_REQ(clientcertnew1req, cacertreq,
+                  "UK", "libvirt", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+                  1, 2);
+ 
+@@ -538,13 +538,13 @@ mymain(void)
+     TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
+                  "UK", "libvirt.org", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+                  0, 0);
+     TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
+                  "UK", "libvirt client level 2b", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+                  0, 0);
+ 
+diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c
+index 285cde5..459e17c 100644
+--- a/tests/virnettlssessiontest.c
++++ b/tests/virnettlssessiontest.c
+@@ -314,20 +314,20 @@ mymain(void)
+     TLS_CERT_REQ(servercertreq, cacertreq,
+                  "UK", "libvirt.org", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+                  0, 0);
+     TLS_CERT_REQ(clientcertreq, cacertreq,
+                  "UK", "libvirt", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+                  0, 0);
+ 
+     TLS_CERT_REQ(clientcertaltreq, altcacertreq,
+                  "UK", "libvirt", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+                  0, 0);
+ 
+@@ -342,14 +342,14 @@ mymain(void)
+     TLS_CERT_REQ(servercertalt1req, cacertreq,
+                  "UK", "libvirt.org", "www.libvirt.org", "libvirt.org", "192.168.122.1", "fec0::dead:beaf",
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+                  0, 0);
+     /* This intentionally doesn't replicate */
+     TLS_CERT_REQ(servercertalt2req, cacertreq,
+                  "UK", "libvirt.org", "www.libvirt.org", "wiki.libvirt.org", "192.168.122.1", "fec0::dead:beaf",
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+                  0, 0);
+ 
+@@ -433,13 +433,13 @@ mymain(void)
+     TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
+                  "UK", "libvirt.org", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+                  0, 0);
+     TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
+                  "UK", "libvirt client level 2b", NULL, NULL, NULL, NULL,
+                  true, true, false,
+-                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
++                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+                  0, 0);
+ 
diff -Nru libvirt-11.3.0/debian/patches/backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch libvirt-11.3.0/debian/patches/backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch
--- libvirt-11.3.0/debian/patches/backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvirt-11.3.0/debian/patches/backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch	2025-09-21 18:29:38.000000000 +0200
@@ -0,0 +1,73 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Tue, 17 Jun 2025 15:01:26 +0200
+Subject: tlscert: Don't force 'keyEncipherment' for ECDSA and ECDH
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
+algorithms must not have 'keyEncipherment' present, but our code did
+check it. Add exemption for known algorithms which don't use it.
+
+[1] https://datatracker.ietf.org/doc/rfc8813/
+[2] https://datatracker.ietf.org/doc/rfc5480
+
+Closes: https://gitlab.com/libvirt/libvirt/-/issues/691
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit 11867b0224a2b8dc34755ff0ace446b6842df1c1)
+
+Bug-Debian: https://bugs.debian.org/1110816
+
+Forwarded: not-needed
+Origin: https://gitlab.com/libvirt/libvirt/-/commits/11867b0224a2b8dc34755ff0ace446b6842df1c1
+---
+ src/rpc/virnettlscert.c | 33 +++++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
+index 1befbe0..f197995 100644
+--- a/src/rpc/virnettlscert.c
++++ b/src/rpc/virnettlscert.c
+@@ -163,14 +163,31 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert,
+             }
+         }
+         if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
+-            if (critical) {
+-                virReportError(VIR_ERR_SYSTEM_ERROR,
+-                               _("Certificate %1$s usage does not permit key encipherment"),
+-                               certFile);
+-                return -1;
+-            } else {
+-                VIR_WARN("Certificate %s usage does not permit key encipherment",
+-                         certFile);
++            int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
++
++            /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
++             * algorithms must not have 'keyEncipherment' present.
++             *
++             * [1] https://datatracker.ietf.org/doc/rfc8813/
++             * [2] https://datatracker.ietf.org/doc/rfc5480
++             */
++
++            switch (alg) {
++            case GNUTLS_PK_ECDSA:
++            case GNUTLS_PK_ECDH_X25519:
++            case GNUTLS_PK_ECDH_X448:
++                break;
++
++            default:
++                if (critical) {
++                    virReportError(VIR_ERR_SYSTEM_ERROR,
++                                   _("Certificate %1$s usage does not permit key encipherment"),
++                                   certFile);
++                    return -1;
++                } else {
++                    VIR_WARN("Certificate %s usage does not permit key encipherment",
++                             certFile);
++                }
+             }
+         }
+     }
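Review bot: the new code comment (and the commit message above it) cite "RFC5580" while the link beside it points at rfc5480; the URL is the correct one (RFC 5480 is the ECC SubjectPublicKeyInfo profile that RFC 8813 updates), so the number in the text is a typo. More substantively, the exemption is an allowlist of exactly three GnuTLS algorithm ids, so any other non-RSA key type still falls through to the warning/error path. Both points are moot after the next patch in this debdiff, `tls-Don-t-require-keyEncipherment-...`, whose hunk deletes this entire `if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT))` block (its `index f197995..6a723c1` pre-image is this patch's post-image), so this patch is carried only so that the second one applies cleanly. Fine to keep, but the changelog could say so.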
diff -Nru libvirt-11.3.0/debian/patches/backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch libvirt-11.3.0/debian/patches/backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch
--- libvirt-11.3.0/debian/patches/backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvirt-11.3.0/debian/patches/backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch	2025-09-21 18:29:38.000000000 +0200
@@ -0,0 +1,84 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Mon, 30 Jun 2025 19:19:42 +0200
+Subject: tls: Don't require 'keyEncipherment' to be enabled altoghther
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Key encipherment is required only for RSA key exchange algorithm. With
+TLS 1.3 this is not even used as RSA is used only for authentication.
+
+Since we can't really check when it's required ahead of time drop the
+check completely. GnuTLS will moan if it will not be able to use RSA
+key exchange.
+
+In commit 11867b0224a2 I tried to relax the check for some eliptic
+curve algorithm that explicitly forbid it. Based on the above the proper
+solution is to completely remove it.
+
+Resolves: https://issues.redhat.com/browse/RHEL-100711
+Fixes: 11867b0224a2b8dc34755ff0ace446b6842df1c1
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit 8cecd3249e5fa5478a7c53567971b4d969274ea3)
+
+Bug-Debian: https://bugs.debian.org/1110816
+
+Forwarded: not-needed
+Origin: https://gitlab.com/libvirt/libvirt/-/commits/8cecd3249e5fa5478a7c53567971b4d969274ea3
+---
+ src/rpc/virnettlscert.c | 34 ++++------------------------------
+ 1 file changed, 4 insertions(+), 30 deletions(-)
+
+diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
+index f197995..6a723c1 100644
+--- a/src/rpc/virnettlscert.c
++++ b/src/rpc/virnettlscert.c
+@@ -128,8 +128,10 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert,
+     VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, status, usage, critical);
+     if (status < 0) {
+         if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+-            usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
+-                GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
++            if (isCA)
++                usage = GNUTLS_KEY_KEY_CERT_SIGN;
++            else
++                usage = GNUTLS_KEY_DIGITAL_SIGNATURE;
+         } else {
+             virReportError(VIR_ERR_SYSTEM_ERROR,
+                            _("Unable to query certificate %1$s key usage %2$s"),
+@@ -162,34 +164,6 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert,
+                          certFile);
+             }
+         }
+-        if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
+-            int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
+-
+-            /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
+-             * algorithms must not have 'keyEncipherment' present.
+-             *
+-             * [1] https://datatracker.ietf.org/doc/rfc8813/
+-             * [2] https://datatracker.ietf.org/doc/rfc5480
+-             */
+-
+-            switch (alg) {
+-            case GNUTLS_PK_ECDSA:
+-            case GNUTLS_PK_ECDH_X25519:
+-            case GNUTLS_PK_ECDH_X448:
+-                break;
+-
+-            default:
+-                if (critical) {
+-                    virReportError(VIR_ERR_SYSTEM_ERROR,
+-                                   _("Certificate %1$s usage does not permit key encipherment"),
+-                                   certFile);
+-                    return -1;
+-                } else {
+-                    VIR_WARN("Certificate %s usage does not permit key encipherment",
+-                             certFile);
+-                }
+-            }
+-        }
+     }
+ 
+     return 0;
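Review bot: after this hunk virNetTLSCertCheckKeyUsage no longer evaluates GNUTLS_KEY_KEY_ENCIPHERMENT at all, so the caveat in the commit message becomes operational: a deployment that still negotiates an RSA key-exchange cipher suite (TLS 1.2 or older) with a certificate whose critical key usage omits keyEncipherment used to be rejected up front with "Certificate %s usage does not permit key encipherment"; it now passes certificate validation and fails later, inside GnuTLS, at handshake time. The failure remains fail-closed (GnuTLS refuses rather than proceeding, as the message says), but it moves from a startup-time error with a clear text to a per-connection handshake error, which is worth a line in the Debian changelog for anyone diagnosing TLS failures after upgrading.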
diff -Nru libvirt-11.3.0/debian/patches/series libvirt-11.3.0/debian/patches/series
--- libvirt-11.3.0/debian/patches/series	2025-07-02 22:15:28.000000000 +0200
+++ libvirt-11.3.0/debian/patches/series	2025-09-21 18:29:38.000000000 +0200
@@ -1,5 +1,10 @@
 backport/qemuProcessStartWithMemoryState-Don-t-setup-qemu-for-inco.patch
 backport/qemu-Be-more-forgiving-when-acquiring-QUERY-job-when-form.patch
+backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch
+backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch
+backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch
+backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch
+backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch
 debian/Debianize-libvirt-guests.patch
 debian/apparmor_profiles_local_include.patch
 debian/Use-sensible-editor-by-default.patch
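Review bot: the order of the three new TLS entries is load-bearing: `tls-Don-t-require-...` carries `index f197995..6a723c1` for src/rpc/virnettlscert.c, which is exactly the post-image of `index 1befbe0..f197995` produced by `tlscert-Don-t-force-...`, so swapping them would make the second patch fail to apply. Placing the tests patch after both matches upstream order (its Date header, 1 Jul 2025, follows the 30 Jun 2025 tls commit). Looks correct as listed.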



--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.2

Hi,

The updates referenced in each of these bugs were included in today's
13.2 trixie point release.

Regards,

Adam

--- End Message ---
