Debian Patches

Status for incus/6.0.4-2+deb13u5

Columns: Patch, Description, Author, Forwarded, Bugs, Origin, Last update (the Bugs and Origin columns are empty for every patch and are omitted below)

001-skip-TestConvertNetworkConfig.patch
  Description: lxc prior to version 4.0.12 had a logic bug in do_lxcapi_create() that returned success in error conditions. Since this is a very simple test, that didn't actually matter, but now to properly pass would require the setting up of a user-specific lxc configuration and sub[u|g]id mappings, which is just too much effort for a small test.
    diff --git a/cmd/lxc-to-incus/main_migrate_test.go b/cmd/lxc-to-incus/main_migrate_test.go
    index 6fbff5fce..d3783b998 100644
  Author: Mathias Gibbens <gibmat@debian.org>
  Forwarded: not-needed

002-adjust-import-paths.patch
  Description: Adjust import paths to reflect Debian packaging
    diff --git a/cmd/incusd/daemon.go b/cmd/incusd/daemon.go
    index ab4793aaf..475ac9e7b 100644
  Author: Mathias Gibbens <gibmat@debian.org>
  Forwarded: not-needed

003-Compile-against-go-criu-v7.patch
  Description: Compile against go-criu v7
  Author: Reinhard Tartler <siretart@tauware.de>
  Forwarded: no
  Last update: 2024-08-08

004-apparmor-4x-userns.patch
  Description: Update apparmor profile for userns permission
    diff --git a/internal/server/apparmor/instance_lxc.profile.go b/internal/server/apparmor/instance_lxc.profile.go
    index 5c46e8af0..c140988d4 100644
  Author: Mathias Gibbens <gibmat@debian.org>
  Forwarded: yes

005-cherry-pick-qemu-socket-cleanup.patch
  Description: incusd/instance/qemu: Clean leftover sockets on startup
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2025-04-08

006-cherry-pick-agent-mount-retry.patch
  Description: incus-agent: Retry mounts to avoid kernel races
    Closes #1881
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2025-04-04

007-cherry-pick-usb-hotplug-fix.patch
  Description: incusd/devices: Don't require a serial number for USB hotplug
    Closes #1944
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2025-04-18

008-cherry-pick-fix-nested-docker.patch
  Description: incusd/apparmor/lxc: Don't bother with sys/proc protections when nesting enabled

    When nesting is enabled, it's possible for the container to get a clean
    copy of /proc or /sys mounted anywhere without AppArmor being able to
    mediate. So there's little point in trying to apply safety checks on top
    of the main /proc and /sys.

    On top of that, we've recently discovered that AppArmor doesn't properly
    handle file access relative to a file descriptor, causing a bunch of
    those checks to deny access when they shouldn't.

    Closes #2623
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2025-11-05

100-CVE-2025-54293.patch
  Description: incusd/instance_logs: Perform stricter path validation
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2025-07-17

101-CVE-2025-54287.patch
  Description: [PATCH 1/2] internal/util: Add recursion limit to RenderTemplate
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2025-07-18

102-CVE-2025-54288.patch
  Description: incusd/dev_incus: Add extra validation for monitor

    We shouldn't just rely on the process name but also make sure that it's
    running outside of the container as this is a unique characteristic of
    the real monitor process.
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2025-07-17

103-CVE-2025-54286.patch
  Description: [PATCH 1/2] [lxd-import] lxd/daemon: Validate browser fetch metadata if supplied to reject non-same-origin requests

    Imported from stable-5.0 (Apache 2.0 licensed)

    (cherry picked from commit 35ac3922d60763c24b1474459c4401f7c8ed619b)
    (cherry picked from commit 569b7d472b4fc1622579e0aed32dd445ba6f53d0)
  Author: Thomas Parrott <thomas.parrott@canonical.com>
  Forwarded: no
  Last update: 2025-06-30

104-CVE-2025-54290_CVE-2025-54291.patch
  Description: [PATCH 1/2] incusd/images: Restrict public image listing to default project
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2025-07-18

105-CVE-2025-54289.patch
  Description: [PATCH 1/5] incusd/operations: Add IsSameRequestor
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2025-07-25

106a-GHSA-56mx-8g9f-5crf.patch
  Description: incusd/storage: Tighten storage pool volume permissions
    Closes #2641
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2025-11-09

106b-GHSA-56mx-8g9f-5crf.patch
  Description: incusd/patches: Re-apply storage permissions on update
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2025-11-09

106c-GHSA-56mx-8g9f-5crf.patch
  Description: incusd/patches: Fix incorrect error check in permission patch
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2025-11-10

107-CVE-2026-23953.patch
  Description: internal/instance: Prevent line breaks in environment variables

    LXC doesn't currently have a syntax to hold a multi-line environment
    variable in its configuration. The use of multi-line environment
    variables leads to a corrupted configuration file and to a security
    issue where additional lines may be added by an unprivileged user to
    escalate their privileges.

    This fixes CVE-2026-23953.
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2026-01-20

108-CVE-2026-23954.patch
  Description: incusd/instance/lxc: Restrict path of template files and targets

    This fixes three security issues related to file templates:

    - The template target path could be made to be relative or go through
      symlinks in a way that could lead to arbitrary write to the host
      filesystem.

    - The template directory could be relative, allowing for arbitrary read
      from the host filesystem.

    - The template file itself could be made relative, allowing for
      arbitrary reads from the host filesystem.

    In the case of the template target path, the new logic makes use of the
    kernel's openat2 system call which brings a variety of flags that can be
    used to restrict path resolution and detect potential issues.

    For the template path itself, we now validate that it is a simple local
    file and that the template directory isn't a symlink.

    This fixes CVE-2026-23954.
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2026-01-21

109-CVE-2026-28384.patch
  Description: [PATCH 1/9] shared/validate: Allow a specific set of compressors
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2026-02-24

110-CVE-2026-33542.patch
  Description: [PATCH 1/4] client: Make ImageFileRequest require a ReadWriteSeeker

    This is a small Go API break which is needed to address a security issue
    where we need the ability to re-hash the final image files.

    This is part of a fix for CVE-2026-33542.
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2026-03-23

111-CVE-2026-33743.patch
  Description: incusd/storage/s3: Don't assume backup structure

    Properly skip anything that doesn't have the expected path prefix for a
    file within the bucket. Then use strings.TrimPrefix rather than a fixed
    offset to clear the prefix.

    This addresses CVE-2026-33743.
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2026-03-23

112-CVE-2026-33897.patch
  Description: incusd/instance: Use restricted pongo2 parser

    The chroot logic in pongo2 doesn't work and therefore allows all
    templates to read and write to arbitrary paths on the host filesystem.

    Given the logic seemingly never worked properly, no template out there
    should be dependent on the file related functions being functional.

    Transition to our standard RenderTemplate logic which specifically blocks
    all file related functions. Introduces a new RenderTemplateFile to
    handle cases where we want to directly write to a file (useful for
    write quotas).

    This addresses CVE-2026-33897.
  Author: Stéphane Graber <stgraber@stgraber.org>
  Forwarded: no
  Last update: 2026-03-24
