Security¶

Multiple flaws in TLS server certificate checking were found and fixed (CVE-2024-7383). See https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2/ (thanks Jon Szymaniak, Daniel P. Berrangé).

If you find a security issue, please read SECURITY in the source (online here: https://gitlab.com/nbdkit/libnbd/blob/master/SECURITY). To find out about previous security issues in libnbd, see libnbd-security(3).

New APIs¶

nbd_set_tls_hostname(3) and nbd_get_tls_hostname(3) can be used to set and get the hostname used for TLS server certificate checking. This hostname, if set, is used in preference to the hostname of the server. This can be used when NBD connections are proxied, or transported over a Unix domain socket.

nbd_is_uri(3) applies a heuristic to detect if something is likely to be an NBD URI or not.

nbd_get_subprocess_pid(3) returns the process ID (PID) of the subprocess created by functions such as nbd_connect_command(3).

Enhancements to existing APIs¶

As an extension to nbd_connect_uri(3), you can now connect to "nbd+ssh://" or "nbds+ssh://" URIs, creating an NBD tunnel over an SSH connection. This is very convenient when you have SSH access to a remote host, but a firewall prevents direct access to NBD ports.

Protocol¶

We now print the full error message string if one is sent by the server. nbdkit ≥ 1.42 will send full error messages from plugins over the NBD connection to compatible NBD clients like libnbd 1.22 or qemu.

Tools¶

Fix nbdfuse(1) so that TLS URIs using "?tls-certificates" or "?tls-psk-file" now work properly (Jon Szymaniak).

nbddump(1) has a new --offset option (Eric Blake).

Language bindings¶

Various fixes to the Rust bindings (thanks Hanna Czenczek).

The documentation included in the Rust bindings has been improved greatly.

Other improvements and bug fixes¶

Common code is now used to get the size of block devices, and this has been fixed to work properly on BSD. This affected at least nbdcopy when used to copy to and from block devices on BSD.

Documentation¶

Fix links to nbd-server(1) and other pages in HTML-generated documentation (Vera Wu).

In nbd_connect_uri(3) we documented small differences in the way that we parse NBD URIs versus qemu.

nbd_connect_uri(3) adds additional documentation on the reserved VSock port numbers.

Build¶

gnutls ≥ 3.5.18 is now required. This matches the version needed by qemu. If using RHEL, this means that RHEL ≥ 8 is now required.

libnbd should now compile on macOS.

examples/connect-benchmark is a new example that can be used to benchmark connections.

Add support for GCC 15.