NEWS: Mention CVE-2025-13193 and improvements for block stats/config and backups

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>

NEWS.rst

@@ -13,6 +13,30 @@ v11.10.0 (unreleased)
 
 * **Security**
 
+  * CVE-2025-12748: Denial of service by some ACL-limited accounts
+
+    Parsing of user provided XMLs in APIs which needed the identification
+    information from those XML definitions was done in full before ACL checks
+    were performed.  Some valid, but useless, definitions could cause allocation
+    of too much memory, leading to denial of service. APIs which do equate to
+    full root access (such as ``domain:write``), and were parsing XML
+    definitions in full before performing ACL checks could, potentially, be
+    exploited in a way that would allow users (which were about to be denied the
+    API call) to cause aforementioned overallocation even before the ACL checks
+    were performed.
+
+    A change was made so that parsing before ACL checks are done only for the
+    identification parts of the XML definition (which is needed to perform the
+    checks) and full parsing is done only after checking all ACLs.
+
+  * CVE-2025-13193: Incorrect permissions on images after external snapshot of an inactive VM
+
+    The overlay ``qcow2`` images which are created as part of creation of an
+    external snapshot of an inactive VM had world-readable (644) permissions
+    which would allow unauthorized users to see contents of blocks written by
+    the VM after snapshot was taken. Libvirt now sets proper umask so that
+    the images are created with 600 mode.
+
 * **Removed features**
 
 * **New features**
@@ -23,6 +47,11 @@ v11.10.0 (unreleased)
     feature requires Qemu version 10.2.0 or later and is available on Linux
     hosts where the /dev/mshv is present.
 
+  * Add more statistics for block devices on QEMU domains
+
+    The block devices now report optimal access request sizes as well as
+    statistics such as the queue depth.
+
 * **Improvements**
 
   * bhyve: VNC ``wait`` attribute support
@@ -30,8 +59,56 @@ v11.10.0 (unreleased)
     Bhyve guests can now be configured to wait for a VNC connection before
     booting.
 
+  * remote: multiple certificate support
+
+    The remote daemon and client can be configured to load multiple x509
+    certificate identities. This facilitates a transition to certificates
+    supporting Post-Quantum Crytographic algorithms.
+
+  * tools: improved virt-host-validate output
+
+    The virt-host-validate tool will now report extra details when certain
+    checks pass.
+
+  * qemu: Allow backup jobs to continue if guest OS shuts down
+
+    When starting a backup job users can now use a flag which prevents the VM
+    to be completely cleaned up if the guest OS shuts down while the backup is
+    running so that the backup can be finalized.
+
 * **Bug fixes**
 
+  * ch: Use correct domain definition in chDomainGetXMLDesc()
+
+    Cloud-Hypervisor driver claims to support ``VIR_DOMAIN_XML_INACTIVE`` but
+    in fact it never formatted the inactive XML. This is now fixed.
+
+  * esx: Allow disk images in subdirectories
+
+    If a domain has a disk image that's not in a datastore path but in a
+    subdirectory, the ESX driver would have failed to parse that and an error
+    was reported when obtaining domain XML. This is now fixed.
+
+ * qemu: Fix incoming migration to QEMU 10.0.0 and newer
+
+    Due to a change in the way QEMU 10.0.0 reports the state of "ht" CPU
+    feature, incoming migration of a domain with multiple CPU threads would
+    fail with "guest CPU doesn't match specification: extra features: ht"
+    error.
+
+  * qemu: fix incorrect reporting of the TDX launch security type
+
+    The TDX launch security type was incorrectly reported on all platforms
+    if the QEMU binary had it built-in. It is now limited to only platforms
+    with the TDX kernel feature available for use.
+
+  * qemu: set ``detect_zeroes`` for all backing chain layers
+
+    Some block jobs (snapshots, block commit) could modify the backing chain in
+    a way where ``detect_zeroes`` would no longer be honoured. We now set
+    it for all images in the backing chain, so that it will behave correctly
+    even after those operations.
+
 
 v11.9.0 (2025-11-03)
 ====================

docs/formatdomaincaps.rst

@@ -871,7 +871,7 @@ are supported. The ``features`` enum corresponds to the ``<hyperv/>`` element
 (well, its children) as documented in `Hypervisor features
 <formatdomain.html#hypervisor-features>`__. The ``defaults`` element then
 contains child elements describing default values as reported by hypervisor,
-e.h. whether direct or extended TLB flushes are available. :since:`(since
+e.g. whether direct or extended TLB flushes are available. :since:`(since
 11.9.0)`
 
 Launch security

libvirt.spec.in

@@ -32,12 +32,22 @@
 %define arches_ch               x86_64 aarch64
 
 # The hypervisor drivers that run in libvirtd
-%define with_qemu          0%{!?_without_qemu:1}
 %define with_lxc           0%{!?_without_lxc:1}
 %define with_libxl         0%{!?_without_libxl:1}
 %define with_vbox          0%{!?_without_vbox:1}
 %define with_ch            0%{!?_without_ch:1}
 
+%ifarch %{arches_64bit}
+    %define with_qemu      0%{!?_without_qemu:1}
+%else
+    # QEMU drops 32-bit in Fedora 44
+    %if %{?fedora} > 43
+        %define with_qemu  0
+    %else
+        %define with_qemu  0%{!?_without_qemu:1}
+    %endif
+%endif
+
 %ifarch %{arches_qemu_kvm}
     %define with_qemu_kvm      %{with_qemu}
 %else

src/util/virhostcpu.c

@@ -1328,8 +1328,7 @@ virHostCPUGetMicrocodeVersion(virArch hostArch G_GNUC_UNUSED)
 
 
 #if WITH_LINUX_KVM_H && defined(KVM_GET_MSRS) && \
-    (defined(__i386__) || defined(__x86_64__)) && \
-    (defined(__linux__) || defined(__FreeBSD__))
+    (defined(__i386__) || defined(__x86_64__))
 static int
 virHostCPUGetMSRFromKVM(unsigned long index,
                         uint64_t *result)
@@ -1585,8 +1584,7 @@ virHostCPUGetTscInfo(void)
 }
 
 #endif /* WITH_LINUX_KVM_H && defined(KVM_GET_MSRS) && \
-          (defined(__i386__) || defined(__x86_64__)) && \
-          (defined(__linux__) || defined(__FreeBSD__)) */
+          (defined(__i386__) || defined(__x86_64__)) */
 
 int
 virHostCPUReadSignature(virArch arch,