From: Peter Krempa <[email protected]>

Signed-off-by: Peter Krempa <[email protected]>
---
 NEWS.rst | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/NEWS.rst b/NEWS.rst
index 879e9e8448..91ed53ba7e 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -29,6 +29,14 @@ v11.10.0 (unreleased)
     identification parts of the XML definition (which is needed to perform the
     checks) and full parsing is done only after checking all ACLs.

+  * CVE-2025-13193: Incorrect permissions on images after external snapshot of 
an inactive VM
+
+    The overlay ``qcow2`` images which are created as part of creation of an
+    external snapshot of an inactive VM had world-readable (644) permissions
+    which would allow unauthorized users to see contents of blocks written by
+    the VM after snapshot was taken. Libvirt now sets proper umask so that
+    the images are created with 600 mode.
+
 * **Removed features**

 * **New features**
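Review bot: The CVE-2025-13193 entry only describes overlays created from now on ("the images are created with 600 mode") and does not say what happens to overlays that were already created with 644 before the fix. If those keep their mode after an upgrade, add a sentence telling administrators to check and tighten permissions on existing overlay images. The title line is also far longer than the surrounding 80-column text, and in this mail its continuation "an inactive VM" arrived without a leading "+", so the patch may not apply as sent; shorten the title or wrap it with RST continuation indentation.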
@@ -39,6 +47,11 @@ v11.10.0 (unreleased)
     feature requires Qemu version 10.2.0 or later and is available on Linux
     hosts where the /dev/mshv is present.

+  * Add more statistics for block devices on QEMU domains
+
+    The block devices now report optimal access request sizes as well as
+    statistics such as the queue depth.
+
 * **Improvements**

   * bhyve: VNC ``wait`` attribute support
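Review bot: The title "Add more statistics for block devices on QEMU domains" lacks the driver prefix that neighbouring entries use (for example "bhyve: VNC ``wait`` attribute support"); consider "qemu: Add more statistics for block devices". The body would be more useful if it named the new statistics fields instead of "statistics such as the queue depth".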
@@ -57,6 +70,12 @@ v11.10.0 (unreleased)
     The virt-host-validate tool will now report extra details when certain
     checks pass.

+  * qemu: Allow backup jobs to continue if guest OS shuts down
+
+    When starting a backup job users can now use a flag which prevents the VM
+    to be completely cleaned up if the guest OS shuts down while the backup is
+    running so that the backup can be finalized.
+
 * **Bug fixes**

   * ch: Use correct domain definition in chDomainGetXMLDesc()
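Review bot: In the backup entry, "prevents the VM to be completely cleaned up" should read "prevents the VM from being completely cleaned up". The entry also mentions "a flag" without naming it; giving the flag's name would let users find it in the API documentation.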
@@ -83,6 +102,13 @@ v11.10.0 (unreleased)
     if the QEMU binary had it built-in. It is now limited to only platforms
     with the TDX kernel feature available for use.

+  * qemu: set ``detect_zeroes`` for all backing chain layers
+
+    Some block jobs (snapshots, block commit) could modify the backing chain in
+    a way where ``detect_zeroes`` would no longer be honoured. We now set
+    it for all images in the backing chain, so that it will behave correctly
+    even after those operations.
+

 v11.9.0 (2025-11-03)
 ====================
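Review bot: The ``detect_zeroes`` entry switches to first person ("We now set it") while the CVE entry added by this same patch uses "Libvirt now sets"; pick one voice for NEWS.rst. Since the entry sits under bug fixes, a short clause on what users would observe when ``detect_zeroes`` was no longer honoured would make the impact clearer.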
-- 
2.52.0
