retitle 1115914 trixie-pu: package libvirt/11.3.0-3+deb13u1 tags 1115914 trixie user [email protected] usertags 1115914 pu -unblock
Fixing bug meta-data. Cheers On 2025-09-21 18:52:29 +0200, Andrea Bolognani wrote: > Package: release.debian.org > Severity: normal > User: [email protected] > Usertags: unblock > X-Debbugs-Cc: [email protected] > Control: affects -1 + src:libvirt > > Please unblock package libvirt. > > Note: this is a preemptive unblock request. I will proceed with the > upload once the release team has confirmed that they're okay with it. > > [ Reason ] > > Various fixes for libvirt in trixie. > > [ Tests ] > > I have manually verified that the fixes work as intended. They all > come directly from upstream, which means that they were validated in > that context already. > > [ Risks ] > > Very little risk given the targeted nature of the fixes and the fact > that they are straightforward backports from upstream. > > [ Checklist ] > [x] all changes are documented in the d/changelog > [x] I reviewed all changes and I approve them > [x] attach debdiff against the package in testing > > unblock libvirt/11.3.0-3+deb13u1 > > -- > Andrea Bolognani <[email protected]> > Resistance is futile, you will be garbage collected. > diff -Nru libvirt-11.3.0/debian/changelog libvirt-11.3.0/debian/changelog > --- libvirt-11.3.0/debian/changelog 2025-07-02 22:15:28.000000000 +0200 > +++ libvirt-11.3.0/debian/changelog 2025-09-21 18:29:38.000000000 +0200 
> @@ -1,3 +1,25 @@
> +libvirt (11.3.0-3+deb13u1) trixie; urgency=medium
> +
> + * [6a549fc] patches: Add backports
> + - backport/tlscert-Don-t-force-keyEncipherment[...]
> + - backport/tls-Don-t-require-keyEncipherment-[...]
> + - backport/tests-[...]-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM[...]
> + - Removes the requirement to have keyEncipherment enabled
> + for TLS certificates
> + - Closes: #1110816
> + * [8b355a8] patches: Add backports
> + - backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-[...]
> + - Prevents journal spam when using the LXC driver
> + - Closes: #1110963
> + * [f5079ab] patches: Add backports
> + - backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-[...]
> + - Fixes a daemon crash that occurs when probing capabilities
> + for a QEMU binary that doesn't report information about
> + CPU models
> + - Closes: #1112481
> +
> + -- Andrea Bolognani <[email protected]> Sun, 21 Sep 2025 18:29:38 +0200
> +
> libvirt (11.3.0-3) unstable; urgency=medium
>
> * [d10b70f] patches: Add backports
> diff -Nru > libvirt-11.3.0/debian/patches/backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch > > libvirt-11.3.0/debian/patches/backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch
> --- > libvirt-11.3.0/debian/patches/backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch > 1970-01-01 01:00:00.000000000 +0100
> +++ > libvirt-11.3.0/debian/patches/backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch > 2025-09-21 18:29:38.000000000 +0200
> @@ -0,0 +1,34 @@
> +From: Peter Krempa <[email protected]>
> +Date: Tue, 26 Aug 2025 13:57:42 +0200
> +Subject: daemon: Drop log level of VIR_ERR_NO_SUPPORT to debug
> +
> +The error code signals that the API the user called is not supported by
> +the driver. This can happen with some hypervisor drivers which don't
> +have everything implemented yet. There's no point in spamming the log
> +with it.
> +
> +Closes: https://gitlab.com/libvirt/libvirt/-/issues/805
> +Signed-off-by: Peter Krempa <[email protected]>
> +Reviewed-by: Martin Kletzander <[email protected]>
> +(cherry picked from commit 37a1bd945899308d1c071bb885e5d1d9529d6b85)
> +
> +Bug-Debian: https://bugs.debian.org/1110963
> +
> +Forwarded: not-needed
> +Origin: > https://gitlab.com/libvirt/libvirt/-/commits/37a1bd945899308d1c071bb885e5d1d9529d6b85
> +---
> + src/remote/remote_daemon.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
> +index 1424d4c..2973813 100644
> +--- a/src/remote/remote_daemon.c
> ++++ b/src/remote/remote_daemon.c
> +@@ -108,6 +108,7 @@ static int daemonErrorLogFilter(virErrorPtr err, int > priority)
> + case VIR_ERR_NO_CLIENT:
> + case VIR_ERR_NO_HOSTNAME:
> + case VIR_ERR_NO_NETWORK_METADATA:
> ++ case VIR_ERR_NO_SUPPORT:
> + return VIR_LOG_DEBUG;
> + }
> +
> diff -Nru > libvirt-11.3.0/debian/patches/backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch > > libvirt-11.3.0/debian/patches/backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch
> --- > libvirt-11.3.0/debian/patches/backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch > 1970-01-01 01:00:00.000000000 +0100
> +++ > libvirt-11.3.0/debian/patches/backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch > 2025-09-21 18:29:38.000000000 +0200
> @@ -0,0 +1,76 @@
> +From: anonymix007 <[email protected]>
> +Date: Wed, 4 Jun 2025 12:05:23 +0300
> +Subject: qemu: capabilities: Check if cpuModels is not NULL before trying to
> + dereference it
> +
> +accel->cpuModels field might be NULL if QEMU does not return CPU models.
> +The following backtrace is observed in such cases:
> +0 virQEMUCapsProbeQMPCPUDefinitions > (qemuCaps=qemuCaps@entry=0x7f1890003ae0, accel=accel@entry=0x7f1890003c10, > mon=mon@entry=0x7f1890005270)
> + at ../src/qemu/qemu_capabilities.c:3091
> +1 0x00007f18b42fa7b1 in virQEMUCapsInitQMPMonitor > (qemuCaps=qemuCaps@entry=0x7f1890003ae0, mon=0x7f1890005270) at > ../src/qemu/qemu_capabilities.c:5746
> +2 0x00007f18b42fafaf in virQEMUCapsInitQMPSingle > (qemuCaps=qemuCaps@entry=0x7f1890003ae0, libDir=libDir@entry=0x7f186c1e70f0 > "/var/lib/libvirt/qemu",
> + runUid=runUid@entry=955, runGid=runGid@entry=955, > onlyTCG=onlyTCG@entry=false) at ../src/qemu/qemu_capabilities.c:5832
> +3 0x00007f18b42fb1a5 in virQEMUCapsInitQMP (qemuCaps=0x7f1890003ae0, > libDir=0x7f186c1e70f0 "/var/lib/libvirt/qemu", runUid=955, runGid=955)
> + at ../src/qemu/qemu_capabilities.c:5848
> +4 virQEMUCapsNewForBinaryInternal (hostArch=VIR_ARCH_X86_64, > binary=binary@entry=0x7f1868002fc0 "/usr/bin/qemu-system-alpha",
> + libDir=0x7f186c1e70f0 "/var/lib/libvirt/qemu", runUid=955, runGid=955,
> + hostCPUSignature=0x7f186c1e9f20 "AuthenticAMD, AMD Ryzen 9 7950X 16-Core > Processor, family: 25, model: 97, stepping: 2", microcodeVersion=174068233,
> + kernelVersion=0x7f186c194200 "6.14.9-arch1-1 #1 SMP PREEMPT_DYNAMIC Thu, > 29 May 2025 21:42:15 +0000", cpuData=0x7f186c1ea490)
> + at ../src/qemu/qemu_capabilities.c:5907
> +5 0x00007f18b42fb4c9 in virQEMUCapsNewData (binary=0x7f1868002fc0 > "/usr/bin/qemu-system-alpha", privData=0x7f186c194280)
> + at ../src/qemu/qemu_capabilities.c:5942
> +6 0x00007f18bd42d302 in virFileCacheNewData (cache=0x7f186c193730, > name=0x7f1868002fc0 "/usr/bin/qemu-system-alpha") at > ../src/util/virfilecache.c:206
> +7 virFileCacheValidate (cache=cache@entry=0x7f186c193730, > name=name@entry=0x7f1868002fc0 "/usr/bin/qemu-system-alpha", > data=data@entry=0x7f18b67c37c0)
> + at ../src/util/virfilecache.c:269
> +8 0x00007f18bd42d5b8 in virFileCacheLookup > (cache=cache@entry=0x7f186c193730, name=name@entry=0x7f1868002fc0 > "/usr/bin/qemu-system-alpha")
> + at ../src/util/virfilecache.c:301
> +9 0x00007f18b42fb679 in virQEMUCapsCacheLookup > (cache=cache@entry=0x7f186c193730, binary=binary@entry=0x7f1868002fc0 > "/usr/bin/qemu-system-alpha")
> + at ../src/qemu/qemu_capabilities.c:6036
> +10 0x00007f18b42fb785 in virQEMUCapsInitGuest (caps=<optimized out>, > cache=<optimized out>, hostarch=VIR_ARCH_X86_64, guestarch=VIR_ARCH_ALPHA)
> + at ../src/qemu/qemu_capabilities.c:1037
> +11 virQEMUCapsInit (cache=0x7f186c193730) at > ../src/qemu/qemu_capabilities.c:1229
> +12 0x00007f18b431d311 in virQEMUDriverCreateCapabilities > (driver=driver@entry=0x7f186c01f410) at ../src/qemu/qemu_conf.c:1553
> +13 0x00007f18b431d663 in virQEMUDriverGetCapabilities > (driver=0x7f186c01f410, refresh=<optimized out>) at > ../src/qemu/qemu_conf.c:1623
> +14 0x00007f18b435e3e4 in qemuConnectGetVersion (conn=<optimized out>, > version=0x7f18b67c39b0) at ../src/qemu/qemu_driver.c:1492
> +15 0x00007f18bd69c5e8 in virConnectGetVersion (conn=0x55bc5f4cda20, > hvVer=hvVer@entry=0x7f18b67c39b0) at ../src/libvirt-host.c:201
> +16 0x000055bc34ef3627 in remoteDispatchConnectGetVersion > (server=0x55bc5f4b93f0, msg=0x55bc5f4cdf60, client=0x55bc5f4c66d0, > rerr=0x7f18b67c3a80,
> + ret=0x55bc5f4b8670) at src/remote/remote_daemon_dispatch_stubs.h:1265
> +17 remoteDispatchConnectGetVersionHelper (server=0x55bc5f4b93f0, > client=0x55bc5f4c66d0, msg=0x55bc5f4cdf60, rerr=0x7f18b67c3a80, args=0x0, > ret=0x55bc5f4b8670)
> + at src/remote/remote_daemon_dispatch_stubs.h:1247
> +18 0x00007f18bd5506da in virNetServerProgramDispatchCall > (prog=0x55bc5f4cae90, server=0x55bc5f4b93f0, client=0x55bc5f4c66d0, > msg=0x55bc5f4cdf60)
> + at ../src/rpc/virnetserverprogram.c:423
> +19 virNetServerProgramDispatch (prog=0x55bc5f4cae90, > server=server@entry=0x55bc5f4b93f0, client=0x55bc5f4c66d0, msg=0x55bc5f4cdf60)
> + at ../src/rpc/virnetserverprogram.c:299
> +20 0x00007f18bd556c32 in virNetServerProcessMsg > (srv=srv@entry=0x55bc5f4b93f0, client=<optimized out>, prog=<optimized out>, > msg=<optimized out>)
> + at ../src/rpc/virnetserver.c:135
> +21 0x00007f18bd556f77 in virNetServerHandleJob (jobOpaque=0x55bc5f4d2bb0, > opaque=0x55bc5f4b93f0) at ../src/rpc/virnetserver.c:155
> +22 0x00007f18bd47dd19 in virThreadPoolWorker (opaque=<optimized out>) at > ../src/util/virthreadpool.c:164
> +23 0x00007f18bd47d253 in virThreadHelper (data=0x55bc5f4b7810) at > ../src/util/virthread.c:256
> +24 0x00007f18bce117eb in start_thread (arg=<optimized out>) at > pthread_create.c:448
> +25 0x00007f18bce9518c in __GI___clone3 () at > ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
> +
> +Signed-off-by: anonymix007 <[email protected]>
> +(cherry picked from commit e7239c619fcaf35b8b605ce07c5d5b15351b3a62)
> +
> +Bug-Debian: https://bugs.debian.org/1112481
> +
> +Forwarded: not-needed
> +Origin: > https://gitlab.com/libvirt/libvirt/-/commits/e7239c619fcaf35b8b605ce07c5d5b15351b3a62
> +---
> + src/qemu/qemu_capabilities.c | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
> +index a804335..e937fe3 100644
> +--- a/src/qemu/qemu_capabilities.c
> ++++ b/src/qemu/qemu_capabilities.c
> +@@ -3078,6 +3078,9 @@ virQEMUCapsProbeQMPCPUDefinitions(virQEMUCaps > *qemuCaps,
> + if (virQEMUCapsFetchCPUDefinitions(mon, qemuCaps->arch, > &accel->cpuModels) < 0)
> + return -1;
> +
> ++ if (!accel->cpuModels)
> ++ return 0;
> ++
> + defs = accel->cpuModels;
> + for (i = 0; i < defs->ncpus; i++) {
> + if (STREQ_NULLABLE(defs->cpus[i].name, "max")) {
> diff -Nru > 
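Review bot: The `return 0` added after the virQEMUCapsFetchCPUDefinitions call succeeds silently when QEMU reports no CPU models, so the resulting gap in the probed capabilities leaves no trace in the daemon log; a `VIR_DEBUG("QEMU reported no CPU models, skipping CPU definition probing");` before the return would make that diagnosable the next time a binary like the qemu-system-alpha in the backtrace hits it. The rest of virQEMUCapsProbeQMPCPUDefinitions lies outside the hunk, so I cannot confirm from here whether anything after the cpuModels walk still needs to run in that case. The guard itself is a plain NULL check and matches the upstream commit it is cherry-picked from.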
libvirt-11.3.0/debian/patches/backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch > > libvirt-11.3.0/debian/patches/backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch
> --- > libvirt-11.3.0/debian/patches/backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch > 1970-01-01 01:00:00.000000000 +0100
> +++ > libvirt-11.3.0/debian/patches/backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch > 2025-09-21 18:29:38.000000000 +0200
> @@ -0,0 +1,237 @@
> +From: Peter Krempa <[email protected]>
> +Date: Tue, 1 Jul 2025 13:48:00 +0200
> +Subject: tests: virnettls*test: Drop use of GNUTLS_KEY_KEY_ENCIPHERMENT
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +It's not needed with TLS 1.3 any more.
> +
> +Signed-off-by: Peter Krempa <[email protected]>
> +Reviewed-by: Ján Tomko <[email protected]>
> +(cherry picked from commit e67952b0e612c9ad3c3eec8bb692589602953ee8)
> +
> +Bug-Debian: https://bugs.debian.org/1110816
> +
> +Forwarded: not-needed
> +Origin: > https://gitlab.com/libvirt/libvirt/-/commits/e67952b0e612c9ad3c3eec8bb692589602953ee8
> +---
> + tests/virnettlscontexttest.c | 36 ++++++++++++++++++------------------
> + tests/virnettlssessiontest.c | 14 +++++++-------
> + 2 files changed, 25 insertions(+), 25 deletions(-)
> +
> +diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
> +index 2311524..48bdefd 100644
> +--- a/tests/virnettlscontexttest.c
> ++++ b/tests/virnettlscontexttest.c
> +@@ -156,13 +156,13 @@ mymain(void)
> + TLS_CERT_REQ(servercertreq, cacertreq,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + TLS_CERT_REQ(clientcertreq, cacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
> + 0, 0);
> +
> +@@ -182,7 +182,7 @@ mymain(void)
> + TLS_CERT_REQ(servercert1req, cacert1req,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> +
> +@@ -196,7 +196,7 @@ mymain(void)
> + TLS_CERT_REQ(servercert2req, cacert2req,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> +
> +@@ -210,7 +210,7 @@ mymain(void)
> + TLS_CERT_REQ(servercert3req, cacert3req,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> +
> +@@ -230,7 +230,7 @@ mymain(void)
> + TLS_CERT_REQ(servercert4req, cacert4req,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + /* no-basic */
> +@@ -243,7 +243,7 @@ mymain(void)
> + TLS_CERT_REQ(servercert5req, cacert5req,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + /* Key usage:dig-sig:critical */
> +@@ -256,7 +256,7 @@ mymain(void)
> + TLS_CERT_REQ(servercert6req, cacert6req,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> +
> +@@ -284,7 +284,7 @@ mymain(void)
> + TLS_CERT_REQ(servercert8req, cacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_CERT_SIGN,
> + false, false, NULL, NULL,
> + 0, 0);
> + /* usage:cert-sign:not-critical */
> +@@ -372,7 +372,7 @@ mymain(void)
> + TLS_CERT_REQ(clientcert2req, cacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_CERT_SIGN,
> + false, false, NULL, NULL,
> + 0, 0);
> + /* usage:cert-sign:not-critical */
> +@@ -459,19 +459,19 @@ mymain(void)
> + TLS_CERT_REQ(servercertexpreq, cacertexpreq,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + TLS_CERT_REQ(servercertexp1req, cacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, -1);
> + TLS_CERT_REQ(clientcertexp1req, cacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
> + 0, -1);
> +
> +@@ -491,19 +491,19 @@ mymain(void)
> + TLS_CERT_REQ(servercertnewreq, cacertnewreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + TLS_CERT_REQ(servercertnew1req, cacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 1, 2);
> + TLS_CERT_REQ(clientcertnew1req, cacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
> + 1, 2);
> +
> +@@ -538,13 +538,13 @@ mymain(void)
> + TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
> + "UK", "libvirt client level 2b", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
> + 0, 0);
> +
> +diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c
> +index 285cde5..459e17c 100644
> +--- a/tests/virnettlssessiontest.c
> ++++ b/tests/virnettlssessiontest.c
> +@@ -314,20 +314,20 @@ mymain(void)
> + TLS_CERT_REQ(servercertreq, cacertreq,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + TLS_CERT_REQ(clientcertreq, cacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
> + 0, 0);
> +
> + TLS_CERT_REQ(clientcertaltreq, altcacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
> + 0, 0);
> +
> +@@ -342,14 +342,14 @@ mymain(void)
> + TLS_CERT_REQ(servercertalt1req, cacertreq,
> + "UK", "libvirt.org", "www.libvirt.org", "libvirt.org", > "192.168.122.1", "fec0::dead:beaf",
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + /* This intentionally doesn't replicate */
> + TLS_CERT_REQ(servercertalt2req, cacertreq,
> + "UK", "libvirt.org", "www.libvirt.org", > "wiki.libvirt.org", "192.168.122.1", "fec0::dead:beaf",
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> +
> +@@ -433,13 +433,13 @@ mymain(void)
> + TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
> + "UK", "libvirt client level 2b", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | > GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
> + 0, 0);
> +
> diff -Nru > libvirt-11.3.0/debian/patches/backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch > > libvirt-11.3.0/debian/patches/backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch
> --- > libvirt-11.3.0/debian/patches/backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch > 1970-01-01 01:00:00.000000000 +0100
> +++ > libvirt-11.3.0/debian/patches/backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch > 2025-09-21 18:29:38.000000000 +0200
> @@ -0,0 +1,73 @@
> +From: Peter Krempa <[email protected]>
> +Date: Tue, 17 Jun 2025 15:01:26 +0200
> +Subject: tlscert: Don't force 'keyEncipherment' for ECDSA and ECDH
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
> +algorithms must not have 'keyEncipherment' present, but our code did
> +check it. Add exemption for known algorithms which don't use it.
> +
> +[1] https://datatracker.ietf.org/doc/rfc8813/
> +[2] https://datatracker.ietf.org/doc/rfc5480
> +
> +Closes: https://gitlab.com/libvirt/libvirt/-/issues/691
> +Signed-off-by: Peter Krempa <[email protected]>
> +Reviewed-by: Daniel P. Berrangé <[email protected]>
> +Reviewed-by: Michal Privoznik <[email protected]>
> +Reviewed-by: Ján Tomko <[email protected]>
> +(cherry picked from commit 11867b0224a2b8dc34755ff0ace446b6842df1c1)
> +
> +Bug-Debian: https://bugs.debian.org/1110816
> +
> +Forwarded: not-needed
> +Origin: > https://gitlab.com/libvirt/libvirt/-/commits/11867b0224a2b8dc34755ff0ace446b6842df1c1
> +---
> + src/rpc/virnettlscert.c | 33 +++++++++++++++++++++++++--------
> + 1 file changed, 25 insertions(+), 8 deletions(-)
> +
> +diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
> +index 1befbe0..f197995 100644
> +--- a/src/rpc/virnettlscert.c
> ++++ b/src/rpc/virnettlscert.c
> +@@ -163,14 +163,31 @@ static int > virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert,
> + }
> + }
> + if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
> +- if (critical) {
> +- virReportError(VIR_ERR_SYSTEM_ERROR,
> +- _("Certificate %1$s usage does not permit > key encipherment"),
> +- certFile);
> +- return -1;
> +- } else {
> +- VIR_WARN("Certificate %s usage does not permit key > encipherment",
> +- certFile);
> ++ int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
> ++
> ++ /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and > ECMQV
> ++ * algorithms must not have 'keyEncipherment' present.
> ++ *
> ++ * [1] https://datatracker.ietf.org/doc/rfc8813/
> ++ * [2] https://datatracker.ietf.org/doc/rfc5480
> ++ */
> ++
> ++ switch (alg) {
> ++ case GNUTLS_PK_ECDSA:
> ++ case GNUTLS_PK_ECDH_X25519:
> ++ case GNUTLS_PK_ECDH_X448:
> ++ break;
> ++
> ++ default:
> ++ if (critical) {
> ++ virReportError(VIR_ERR_SYSTEM_ERROR,
> ++ _("Certificate %1$s usage does not > permit key encipherment"),
> ++ certFile);
> ++ return -1;
> ++ } else {
> ++ VIR_WARN("Certificate %s usage does not permit key > encipherment",
> ++ certFile);
> ++ }
> + }
> + }
> + }
> diff -Nru > libvirt-11.3.0/debian/patches/backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch > > libvirt-11.3.0/debian/patches/backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch
> --- > libvirt-11.3.0/debian/patches/backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch > 1970-01-01 01:00:00.000000000 +0100
> +++ > libvirt-11.3.0/debian/patches/backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch > 2025-09-21 18:29:38.000000000 +0200
> @@ -0,0 +1,84 @@
> +From: Peter Krempa <[email protected]>
> +Date: Mon, 30 Jun 2025 19:19:42 +0200
> +Subject: tls: Don't require 'keyEncipherment' to be enabled altoghther
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +Key encipherment is required only for RSA key exchange algorithm. With
> +TLS 1.3 this is not even used as RSA is used only for authentication.
> +
> +Since we can't really check when it's required ahead of time drop the
> +check completely. GnuTLS will moan if it will not be able to use RSA
> +key exchange.
> +
> +In commit 11867b0224a2 I tried to relax the check for some eliptic
> +curve algorithm that explicitly forbid it. Based on the above the proper
> +solution is to completely remove it.
> +
> +Resolves: https://issues.redhat.com/browse/RHEL-100711
> +Fixes: 11867b0224a2b8dc34755ff0ace446b6842df1c1
> +Signed-off-by: Peter Krempa <[email protected]>
> +Reviewed-by: Ján Tomko <[email protected]>
> +(cherry picked from commit 8cecd3249e5fa5478a7c53567971b4d969274ea3)
> +
> +Bug-Debian: https://bugs.debian.org/1110816
> +
> +Forwarded: not-needed
> +Origin: > https://gitlab.com/libvirt/libvirt/-/commits/8cecd3249e5fa5478a7c53567971b4d969274ea3
> +---
> + src/rpc/virnettlscert.c | 34 ++++------------------------------
> + 1 file changed, 4 insertions(+), 30 deletions(-)
> +
> +diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
> +index f197995..6a723c1 100644
> +--- a/src/rpc/virnettlscert.c
> ++++ b/src/rpc/virnettlscert.c
> +@@ -128,8 +128,10 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t > cert,
> + VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, > status, usage, critical);
> + if (status < 0) {
> + if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
> +- usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
> +- GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
> ++ if (isCA)
> ++ usage = GNUTLS_KEY_KEY_CERT_SIGN;
> ++ else
> ++ usage = GNUTLS_KEY_DIGITAL_SIGNATURE;
> + } else {
> + virReportError(VIR_ERR_SYSTEM_ERROR,
> + _("Unable to query certificate %1$s key usage > %2$s"),
> +@@ -162,34 +164,6 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t > cert,
> + certFile);
> + }
> + }
> +- if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
> +- int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
> +-
> +- /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and > ECMQV
> +- * algorithms must not have 'keyEncipherment' present.
> +- *
> +- * [1] https://datatracker.ietf.org/doc/rfc8813/
> +- * [2] https://datatracker.ietf.org/doc/rfc5480
> +- */
> +-
> +- switch (alg) {
> +- case GNUTLS_PK_ECDSA:
> +- case GNUTLS_PK_ECDH_X25519:
> +- case GNUTLS_PK_ECDH_X448:
> +- break;
> +-
> +- default:
> +- if (critical) {
> +- virReportError(VIR_ERR_SYSTEM_ERROR,
> +- _("Certificate %1$s usage does not > permit key encipherment"),
> +- certFile);
> +- return -1;
> +- } else {
> +- VIR_WARN("Certificate %s usage does not permit key > encipherment",
> +- certFile);
> +- }
> +- }
> +- }
> + }
> +
> + return 0;
> diff -Nru libvirt-11.3.0/debian/patches/series > libvirt-11.3.0/debian/patches/series
> --- libvirt-11.3.0/debian/patches/series 2025-07-02 22:15:28.000000000 > +0200
> +++ libvirt-11.3.0/debian/patches/series 2025-09-21 18:29:38.000000000 > +0200
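Review bot: The rationale for dropping the keyEncipherment check lives only in the commit message; what remains of virNetTLSCertCheckKeyUsage (the handling between the two hunks is outside this view) gives no hint that the missing check is deliberate, so a later reader may re-add it. A short comment beside the new `usage = GNUTLS_KEY_DIGITAL_SIGNATURE;` default, along the lines of `/* keyEncipherment is intentionally not required: it only matters for RSA key exchange, which TLS 1.3 no longer uses and which GnuTLS rejects on its own when the cert lacks it */`, would carry that into the source. Per the commit message the change also moves the failure for a keyEncipherment-less cert under RSA key exchange from certificate load time to the GnuTLS handshake, so a line in the Debian changelog entry noting that the former `usage does not permit key encipherment` error no longer appears would help admins recognise the new failure mode. The first backport in this series (tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch) is entirely undone by this one, so the debdiff could be reduced by carrying only this patch if upstream history tracking is not needed.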
> @@ -1,5 +1,10 @@
> backport/qemuProcessStartWithMemoryState-Don-t-setup-qemu-for-inco.patch
> backport/qemu-Be-more-forgiving-when-acquiring-QUERY-job-when-form.patch
> +backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch
> +backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch
> +backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch
> +backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch
> +backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch
> debian/Debianize-libvirt-guests.patch
> debian/apparmor_profiles_local_include.patch
> debian/Use-sensible-editor-by-default.patch
-- Sebastian Ramacher

