[Pkg-libvirt-maintainers] Bug#1076335: bookworm-pu: package libvirt/9.0.0-4

Andrea Bolognani eof at kiyuko.org
Sun Jul 14 16:15:58 BST 2024


Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: libvirt at packages.debian.org
Control: affects -1 + src:libvirt

[ Reason ]

The update would cover a number of issues that have been found to
affect the version of libvirt in bookworm.

The first one is a user-visible issue where the "virsh domif-setlink"
command can only be successfully used in certain conditions: this has
been reported as

  * https://bugs.debian.org/1075718

and has already been fixed upstream, so fixing it in stable involves
cherry-picking the relevant upstream change.

The remaining ones are all security issues, which have CVEs assigned
to them and are tracked in the Debian security tracker:

  * https://security-tracker.debian.org/tracker/CVE-2023-3750
  * https://security-tracker.debian.org/tracker/CVE-2024-1441
  * https://security-tracker.debian.org/tracker/CVE-2024-2494
  * https://security-tracker.debian.org/tracker/CVE-2024-2496

For all of them too, the fix has already been committed upstream and
so we just need to cherry-pick those changes. In a couple of cases
the cherry-pick is not a completely clean one, but the conflict
resolution is trivial and documented.


[ Impact ]

If the update isn't approved, stable users will keep being unable to
use the "virsh domif-setlink" command in some scenarios and will
remain exposed to a number of security issues.


[ Tests ]

The update was smoke-tested by starting and connecting to a few VMs.

I have manually inspected all the added patches to confirm that they
appear to do what they claim to; since they are all cherry-picked
from upstream, I have high confidence that they are correct.


[ Risks ]

The fixes are all extremely small and targeted, and have already been
validated upstream. libvirt has an extremely high bar for breaking
backwards compatibility, so the risk of that being an issue is very
low.


[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable


[ Changes ]

Already detailed above.


[ Other info ]

This is my first time preparing a stable update, so it's not
unreasonable to expect that I might have gotten something wrong.
Please bear with me :)

The only thing that strikes me as a bit odd and we might need to
rectify is that CVE-2024-2496, while properly tracked in the Debian
security tracker, doesn't have a corresponding Debian bug. Should one
be filed?

I have been preparing unstable/experimental uploads for 4+ years, and
I'm also one of the upstream developers, so I am familiar both with
the Debian packaging and the underlying software.

-- 
Andrea Bolognani <eof at kiyuko.org>
Resistance is futile, you will be garbage collected.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libvirt_9.0.0-4+deb12u1.diff
Type: text/x-diff
Size: 23350 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-libvirt-maintainers/attachments/20240714/6512d284/attachment-0001.diff>