diff --git a/_service b/_service
index c0869b6..0e528cf 100644
--- a/_service
+++ b/_service
@@ -1,8 +1,8 @@
 <services>
   <service name="tar_scm" mode="manual">
     <param name="scm">git</param>
-    <param name="url">https://gitlab.suse.de/virtualization/libvirt.git</param>
-    <param name="revision">v10.0.0-sle15sp6</param>
+    <param name="url">https://github.com/openSUSE/libvirt.git</param>
+    <param name="revision">factory</param>
     <param name="extract">libvirt.spec</param>
     <param name="extract">README.packaging.txt</param>
     <param name="extract">libvirt-supportconfig</param>
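Review bot: The new `revision` value `factory` looks like a branch name, so each manual run of `tar_scm` extracts `libvirt.spec` and the other listed files from whatever commit that branch points to at the time, whereas the removed value `v10.0.0-sle15sp6` looks like a tag. The source tarball elsewhere in this commit is pinned by a sha256 in its LFS pointer, but the extracted packaging files have no equivalent pin. For a reproducible and auditable update I would pin a tag or a full commit id, e.g. `<param name="revision">COMMIT_ID_PLACEHOLDER</param>`, or at least record the resolved commit in the changelog entry.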
diff --git a/libvirt-10.0.0.tar.xz b/libvirt-10.0.0.tar.xz
deleted file mode 100644
index 1eba9aa..0000000
--- a/libvirt-10.0.0.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1121b59825f1ced5280a8a5c93267a32b96e0f1c48cd0cdb7cee146be020c821
-size 9751304
diff --git a/libvirt-10.8.0.tar.xz b/libvirt-10.8.0.tar.xz
new file mode 100644
index 0000000..ac1190c
--- /dev/null
+++ b/libvirt-10.8.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bbd976d3f0fb0a98ec4a35f997167ae78dbcc58a092a94e7426fcb8e1260883c
+size 9932916
diff --git a/libvirt.changes b/libvirt.changes
index d64090e..35f3129 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Tue Oct  1 19:57:06 UTC 2024 - James Fehlig <jfehlig@suse.com>
+
+- Update to libvirt 10.8.0
+  - libvirt-daemon-driver-storage-core: Change dependency on
+    nfs-utils from Requires to Recommends
+  - Switch from YAJL to json-c for JSON parsing and formatting
+  - jsc#PED-8909
+  - Many incremental improvements and bug fixes, see
+    https://libvirt.org/news.html#v10-8-0-2024-10-01
+
+-------------------------------------------------------------------
+Tue Sep  3 17:23:41 UTC 2024 - James Fehlig <jfehlig@suse.com>
+
+- Update to libvirt 10.7.0
+  - CVE-2024-8235, bsc#1230024
+  - jsc#PED-8909
+  - Many incremental improvements and bug fixes, see
+    https://libvirt.org/news.html#v10-7-0-2024-09-02
+
+-------------------------------------------------------------------
+Mon Aug  5 22:02:12 UTC 2024 - James Fehlig <jfehlig@suse.com>
+
+- Update to libvirt 10.6.0
+  - jsc#PED-8909
+  - Many incremental improvements and bug fixes, see
+    https://libvirt.org/news.html#v10-6-0-2024-08-05
+
 -------------------------------------------------------------------
 Wed Jun 26 19:16:35 UTC 2024 - James Fehlig <jfehlig@suse.com>
 
diff --git a/libvirt.spec b/libvirt.spec
index 948f76e..38235dc 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -47,6 +47,7 @@
 %define with_libssh2       0%{!?_without_libssh2:1}
 %define with_numactl       0%{!?_without_numactl:1}
 %define with_modular_daemons 0%{!?_without_modular_daemons:1}
+%define with_userfaultfd_sysctl 0%{!?_without_userfaultfd_sysctl:1}
 
 # A few optional bits off by default, we enable later
 %define with_numad         0%{!?_without_numad:0}
@@ -67,6 +68,12 @@
     %define with_numactl   0
 %endif
 
+# Tumbleweeed and SLE15 SP7 are new enough to support /dev/userfaultfd,
+# which does not require enabling vm.unprivileged_userfaultfd sysct
+%if 0%{?suse_version} > 1500 || 0%{?sle_version} > 150600
+    %define with_userfaultfd_sysctl 0
+%endif
+
 # vbox is available only on i386 x86_64
 %ifnarch %{ix86} x86_64
     %define with_vbox      0
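Review bot: The comment added above the `%if 0%{?suse_version} > 1500 || 0%{?sle_version} > 150600` block has two typos (`Tumbleweeed`, `sysct`) and stops short of saying that the drop-in is intentionally not shipped on those releases. Suggested wording: `# Tumbleweed and SLE15 SP7 are new enough to support /dev/userfaultfd,` / `# so the vm.unprivileged_userfaultfd sysctl is deliberately not enabled there`. Leaving unprivileged userfaultfd off is the more restrictive setting, so stating the intent helps anyone auditing kernel hardening knobs on these hosts. Hosts upgraded from a build that shipped the drop-in presumably keep the old runtime value until the sysctl is reset or the machine reboots; if so, that deserves a line in the changelog.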
@@ -112,6 +119,16 @@
     %define with_storage_gluster 0
 %endif
 
+# Prefer nftables for Tumbleweed, but keep using iptables for distros based
+# on SLE15 codestream
+%if 0%{?suse_version} > 1500
+    %define prefer_nftables 1
+    %define firewall_backend_priority nftables,iptables
+%else
+    %define prefer_nftables 0
+    %define firewall_backend_priority iptables,nftables
+%endif
+
 # Force QEMU to run as qemu:qemu
 %define qemu_user          qemu
 %define qemu_group         qemu
@@ -128,7 +145,7 @@
 
 Name:           libvirt
 URL:            https://libvirt.org/
-Version:        10.0.0
+Version:        10.8.0
 Release:        0
 Summary:        Library providing a virtualization API
 License:        LGPL-2.1-or-later
@@ -175,7 +192,7 @@ BuildRequires:  libacl-devel
 BuildRequires:  qemu-tools
 %endif
 BuildRequires:  bash-completion-devel >= 2.0
-BuildRequires:  glib2-devel >= 2.56
+BuildRequires:  glib2-devel >= 2.58
 BuildRequires:  libattr-devel
 BuildRequires:  libgcrypt-devel
 BuildRequires:  libgnutls-devel
@@ -189,8 +206,8 @@ BuildRequires:  python3-pytest
 BuildRequires:  readline-devel
 # For pool-build probing for existing pools
 BuildRequires:  libblkid-devel >= 2.17
+BuildRequires:  libjson-c-devel
 BuildRequires:  libpciaccess0-devel >= 0.10.9
-BuildRequires:  libyajl-devel
 BuildRequires:  pkgconfig(libudev) >= 145
 %if %{with_sanlock}
 BuildRequires:  sanlock-devel >= 2.4
@@ -204,8 +221,6 @@ BuildRequires:  apparmor-rpm-macros
 BuildRequires:  libapparmor-devel
 %endif
 BuildRequires:  cyrus-sasl-devel
-BuildRequires:  ebtables
-BuildRequires:  iptables
 BuildRequires:  polkit >= 0.112
 %if %{with_nbdkit}
 BuildRequires:  libnbd-devel
@@ -330,6 +345,11 @@ Requires:       group(libvirt)
 # Needed by libvirt-guests init script.
 Requires:       gettext-runtime
 Requires:       bash-completion >= 2.0
+# virt-manager uses netcat for accessing spice and VNC servers running in
+# qemu processes. See boo#1222100 for details. Although libvirt does not
+# use netcat, it's in a good position to provide the dependency for
+# virt-manager. netcat-openbsd is a tiny package, so it's a tolerable hack.
+Requires:       netcat-openbsd
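Review bot: The new hard `Requires: netcat-openbsd` installs a general-purpose network utility on every system that pulls in this subpackage, purely for the benefit of another package, and the comment does not say which side of the connection needs it. The comment removed from `daemon-proxy` in a later hunk spoke of netcat being needed on the server side, so presumably the same holds here; I would say so explicitly, e.g. `# netcat is needed on the host running the qemu processes, so virt-manager's own package cannot carry the dependency`. The `%package` stanza this line belongs to starts outside the hunk, so it is worth confirming that this is the narrowest subpackage that covers the virt-manager case. Hardened or minimal hypervisor images that previously omitted netcat will now get it unconditionally.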
 
 %if %{with_apparmor}
 Recommends:     apparmor-abstractions
@@ -369,10 +389,6 @@ Server side daemon used to manage logs from virtual machine consoles
 %package daemon-proxy
 Summary:        Server side daemon providing libvirtd proxy
 Requires:       %{name}-libs = %{version}-%{release}
-# netcat is needed on the server side so that clients that have
-# libvirt < 6.9.0 can connect, but newer versions will prefer
-# virt-ssh-helper
-Recommends:     netcat-openbsd
 
 %description daemon-proxy
 Server side daemon providing functionality previously provided by
@@ -406,7 +422,11 @@ Summary:        Network driver plugin for the libvirtd daemon
 Requires:       %{name}-daemon-common = %{version}-%{release}
 Requires:       %{name}-libs = %{version}-%{release}
 Requires:       dnsmasq >= 2.41
+%if %{prefer_nftables}
+Requires:       nftables
+%else
 Requires:       iptables
+%endif
 
 %description daemon-driver-network
 The network driver plugin for the libvirtd daemon, providing
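Review bot: Only the preferred backend is a hard `Requires:` in the new `%if %{prefer_nftables}` block, while `firewall_backend_priority` is defined earlier in the spec with both backends listed. The second entry therefore acts as a fallback only on systems where that package happens to be installed. On hosts where other software still manages iptables rules, the switch may change which rule set libvirt's network rules end up in. A short comment above the block, such as `# Only the preferred firewall backend is required; the other is used only if already installed`, would record that this is intended.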
@@ -463,7 +483,7 @@ an implementation of the secret key APIs.
 Summary:        Storage driver plugin including base backends for the libvirtd daemon
 Requires:       %{name}-daemon-common = %{version}-%{release}
 Requires:       %{name}-libs = %{version}-%{release}
-Requires:       nfs-utils
+Recommends:     nfs-utils
 # For mkfs
 Requires:       util-linux
 %if %{with_qemu}
@@ -588,6 +608,7 @@ Requires:       /usr/bin/bzip2
 Requires:       /usr/bin/gzip
 Requires:       /usr/bin/lzop
 Requires:       /usr/bin/xz
+Requires:       /usr/bin/zstd
 Requires:       qemu
 Requires:       systemd-container
 # swtp is needed to manage <tpm> devices.
@@ -743,10 +764,7 @@ capabilities of VirtualBox
 %package client
 Summary:        Client side utilities of the libvirt library
 Requires:       %{name}-libs = %{version}-%{release}
-# Needed by virt-pki-validate script.
-Requires:       cyrus-sasl
 Requires:       bash-completion >= 2.0
-Requires:       gnutls
 
 # Ensure smooth upgrades
 Obsoletes:      libvirt-bash-completion < 7.3.0
@@ -809,6 +827,13 @@ Requires:       %{name}-daemon-driver-network = %{version}-%{release}
 %description nss
 libvirt plugin for NSS for translating domain names into IP addresses.
 
+%package ssh-proxy
+Summary:        Libvirt SSH proxy
+Requires:       %{name}-libs = %{version}-%{release}
+
+%description ssh-proxy
+Allows SSH into domains via VSOCK without need for network.
+
 %prep
 %autosetup -p1
 
@@ -900,6 +925,11 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %else
     %define arg_numad -Dnumad=disabled
 %endif
+%if %{with_userfaultfd_sysctl}
+    %define arg_userfaultfd_sysctl -Duserfaultfd_sysctl=enabled
+%else
+    %define arg_userfaultfd_sysctl -Duserfaultfd_sysctl=disabled
+%endif
 %if %{with_nbdkit}
     %define arg_nbdkit -Dnbdkit=enabled
 %else
@@ -988,6 +1018,8 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %meson \
            --libexecdir=%{_libexecdir} \
            -Drunstatedir=%{_rundir} \
+           -Dunitdir=%{_unitdir} \
+           -Dsysusersdir=%{_sysusersdir} \
            %{?arg_qemu} \
            %{?arg_openvz} \
            %{?arg_lxc} \
@@ -1020,8 +1052,11 @@ libvirt plugin for NSS for translating domain names into IP addresses.
            -Dstorage_vstorage=disabled \
            %{?arg_numactl} \
            %{?arg_numad} \
+           %{?arg_userfaultfd_sysctl} \
            %{?arg_nbdkit} \
            %{?arg_nbdkit_config_default} \
+           -Dssh_proxy=enabled \
+           -Dsysctl_config=enabled \
            -Dcapng=enabled \
            -Dfuse=enabled \
            -Dnetcf=disabled \
@@ -1031,7 +1066,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
            %{?arg_apparmor} \
            %{?arg_apparmor_profiles} \
            -Dudev=enabled \
-           -Dyajl=enabled \
+           -Djson_c=enabled \
            %{?arg_sanlock} \
            -Dlibpcap=enabled \
            -Dlibnl=enabled \
@@ -1051,6 +1086,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
            -Dexpensive_tests=enabled \
            %{?arg_loader_nvram} \
            -Dinit_script=systemd \
+           -Dfirewall_backend_priority=%{firewall_backend_priority} \
            -Ddocs=enabled \
            -Dtests=enabled \
            -Drpath=disabled \
@@ -1111,6 +1147,7 @@ rm -f %{buildroot}/%{_datadir}/augeas/lenses/libvirt_sanlock.aug
 rm -f %{buildroot}/%{_datadir}/augeas/lenses/tests/test_libvirt_sanlock.aug
 %endif
 
+rm -f %{buildroot}/%{_sysusersdir}/libvirt-qemu.conf
 rm -f %{buildroot}/usr/lib/sysctl.d/60-libvirtd.conf
 # Provide rc symlink backward compatibility
 ln -s %{_sbindir}/service %{buildroot}/%{_sbindir}/rclibvirtd
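Review bot: The added `rm -f %{buildroot}/%{_sysusersdir}/libvirt-qemu.conf` has no comment explaining why the sysusers file produced by the build is discarded. The spec forces QEMU to run as qemu:qemu through the `qemu_user` and `qemu_group` defines, so presumably another package creates that account. If so, state it next to the line: `# qemu user and group are created by PROVIDING_PACKAGE_PLACEHOLDER, drop the upstream sysusers file`. Without that, a reader cannot tell whether the account the daemon drops privileges to is guaranteed to exist after installation. The `%install` section starts and ends outside this hunk.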
@@ -1161,7 +1198,8 @@ mv %{buildroot}/%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \
 %endif
 
 %check
-VIR_TEST_DEBUG=1 %meson_test -t 5 --no-suite syntax-check
+export VIR_TEST_DEBUG=1
+%meson_test -t 5 --no-suite syntax-check
 
 # For daemons with only UNIX sockets
 %define libvirt_daemon_systemd_pre() %service_add_pre %1.socket %1-ro.socket %1-admin.socket %1.service
@@ -1566,6 +1604,9 @@ fi
 %config(noreplace) %{_sysconfdir}/%{name}/virtnetworkd.conf
 %{_datadir}/augeas/lenses/virtnetworkd.aug
 %{_datadir}/augeas/lenses/tests/test_virtnetworkd.aug
+%config(noreplace) %{_sysconfdir}/%{name}/network.conf
+%{_datadir}/augeas/lenses/libvirtd_network.aug
+%{_datadir}/augeas/lenses/tests/test_libvirtd_network.aug
 %{_unitdir}/virtnetworkd.service
 %{_unitdir}/virtnetworkd.socket
 %{_unitdir}/virtnetworkd-ro.socket
@@ -1696,7 +1737,9 @@ fi
 %if %{with_apparmor}
 %config(noreplace) %{_sysconfdir}/apparmor.d/usr.sbin.virtqemud
 %endif
+%if %{with_userfaultfd_sysctl}
 %config(noreplace) %{_prefix}/lib/sysctl.d/60-qemu-postcopy-migration.conf
+%endif
 %{_datadir}/augeas/lenses/virtqemud.aug
 %{_datadir}/augeas/lenses/tests/test_virtqemud.aug
 %{_unitdir}/virtqemud.service
@@ -1916,4 +1959,10 @@ fi
 %{_libdir}/libnss_libvirt.so.2
 %{_libdir}/libnss_libvirt_guest.so.2
 
+%files ssh-proxy
+%dir %{_sysconfdir}/ssh/
+%dir %{_sysconfdir}/ssh/ssh_config.d/
+%config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/30-libvirt-ssh-proxy.conf
+%{_libexecdir}/libvirt-ssh-proxy
+
 %changelog
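Review bot: The new `%files ssh-proxy` list installs `30-libvirt-ssh-proxy.conf` into `%{_sysconfdir}/ssh/ssh_config.d/`, which presumably takes effect for every user of the system ssh client. The subpackage's `%description`, added in an earlier hunk, only says it allows SSH into domains via VSOCK. I would extend the description to mention that the package adds a system-wide ssh client configuration drop-in and the `libvirt-ssh-proxy` helper, so administrators auditing ssh_config can trace where the rule comes from. The package also takes `%dir` ownership of `%{_sysconfdir}/ssh/` and `ssh_config.d/` without a `Requires:` on the ssh client package; if that is done to avoid a hard dependency, a comment above the `%dir` lines should say so.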