Debian Patches
Status for incus/6.0.4-2+deb13u7
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 001-skip-TestConvertNetworkConfig.patch | lxc prior to version 4.0.12 had a logic bug in do_lxcapi_create() that returned success in error conditions. Since this is a very simple test, that didn't actually matter, but now to properly pass would require the setting up of a user-specific lxc configuration and sub[u\|g]id mappings, which is just too much effort for a small test. | Mathias Gibbens <gibmat@debian.org> | not-needed | | | |
| 002-adjust-import-paths.patch | Adjust import paths to reflect Debian packaging | Mathias Gibbens <gibmat@debian.org> | not-needed | | | |
| 003-Compile-against-go-criu-v7.patch | Compile against go-criu v7 | Reinhard Tartler <siretart@tauware.de> | no | | | 2024-08-08 |
| 004-apparmor-4x-userns.patch | Update apparmor profile for userns permission | Mathias Gibbens <gibmat@debian.org> | yes | | | |
| 005-cherry-pick-qemu-socket-cleanup.patch | incusd/instance/qemu: Clean leftover sockets on startup | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-04-08 |
| 006-cherry-pick-agent-mount-retry.patch | incus-agent: Retry mounts to avoid kernel races. Closes #1881 | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-04-04 |
| 007-cherry-pick-usb-hotplug-fix.patch | incusd/devices: Don't require a serial number for USB hotplug. Closes #1944 | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-04-18 |
| 008-cherry-pick-fix-nested-docker.patch | incusd/apparmor/lxc: Don't bother with sys/proc protections when nesting enabled. When nesting is enabled, it's possible for the container to get a clean copy of /proc or /sys mounted anywhere without AppArmor being able to mediate. So there's little point in trying to apply safety checks on top of the main /proc and /sys. On top of that, we've recently discovered that AppArmor doesn't properly handle file access relative to a file descriptor, causing a bunch of those checks to deny access when they shouldn't. Closes #2623 | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-11-05 |
| 100-CVE-2025-54293.patch | incusd/instance_logs: Perform stricter path validation | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-07-17 |
| 101-CVE-2025-54287.patch | [PATCH 1/2] internal/util: Add recursion limit to RenderTemplate | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-07-18 |
| 102-CVE-2025-54288.patch | incusd/dev_incus: Add extra validation for monitor. We shouldn't just rely on the process name but also make sure that it's running outside of the container as this is a unique characteristic of the real monitor process. | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-07-17 |
| 103-CVE-2025-54286.patch | [PATCH 1/2] [lxd-import] lxd/daemon: Validate browser fetch metadata if supplied to reject non-same-origin requests. Imported from stable-5.0 (Apache 2.0 licensed) (cherry picked from commit 35ac3922d60763c24b1474459c4401f7c8ed619b) (cherry picked from commit 569b7d472b4fc1622579e0aed32dd445ba6f53d0) | Thomas Parrott <thomas.parrott@canonical.com> | no | | | 2025-06-30 |
| 104-CVE-2025-54290_CVE-2025-54291.patch | [PATCH 1/2] incusd/images: Restrict public image listing to default project | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-07-18 |
| 105-CVE-2025-54289.patch | [PATCH 1/5] incusd/operations: Add IsSameRequestor | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-07-25 |
| 106a-GHSA-56mx-8g9f-5crf.patch | incusd/storage: Tighten storage pool volume permissions. Closes #2641 | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-11-09 |
| 106b-GHSA-56mx-8g9f-5crf.patch | incusd/patches: Re-apply storage permissions on update | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-11-09 |
| 106c-GHSA-56mx-8g9f-5crf.patch | incusd/patches: Fix incorrect error check in permission patch | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-11-10 |
| 107-CVE-2026-23953.patch | internal/instance: Prevent line breaks in environment variables. LXC doesn't currently have a syntax to hold a multi-line environment variable in its configuration. The use of multi-line environment variables leads to a corrupted configuration file and to a security issue where additional lines may be added by an unprivileged user to escalate their privileges. This fixes CVE-2026-23953. | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-01-20 |
| 108-CVE-2026-23954.patch | incusd/instance/lxc: Restrict path of template files and targets. This fixes three security issues related to file templates: (1) The template target path could be made to be relative or go through symlinks in a way that could lead to arbitrary write to the host filesystem. (2) The template directory could be relative, allowing for arbitrary read from the host filesystem. (3) The template file itself could be made relative, allowing for arbitrary reads from the host filesystem. In the case of the template target path, the new logic makes use of the kernel's openat2 system call which brings a variety of flags that can be used to restrict path resolution and detect potential issues. For the template path itself, we now validate that it is a simple local file and that the template directory isn't a symlink. This fixes CVE-2026-23954. | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-01-21 |
| 109-CVE-2026-28384.patch | [PATCH 1/9] shared/validate: Allow a specific set of compressors | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-02-24 |
| 110-CVE-2026-33542.patch | [PATCH 1/4] client: Make ImageFileRequest require a ReadWriteSeeker. This is a small Go API break which is needed to address a security issue where we need the ability to re-hash the final image files. This is part of a fix for CVE-2026-33542. | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-03-23 |
| 111-CVE-2026-33743.patch | incusd/storage/s3: Don't assume backup structure. Properly skip anything that doesn't have the expected path prefix for a file within the bucket. Then use strings.TrimPrefix rather than a fixed offset to clear the prefix. This addresses CVE-2026-33743. | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-03-23 |
| 112-CVE-2026-33897.patch | incusd/instance: Use restricted pongo2 parser. The chroot logic in pongo2 doesn't work and therefore allows all templates to read and write to arbitrary paths on the host filesystem. Given the logic seemingly never worked properly, no template out there should be dependent on the file related functions being functional. Transition to our standard RenderTemplate logic which specifically blocks all file related functions. Introduces a new RenderTemplateFile to handle cases where we want to directly write to a file (useful for write quotas). This addresses CVE-2026-33897. | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-03-24 |
| 115-CVE-2026-34178.patch | [PATCH 1/2] incusd/instances_post: Add extra validation during backup import | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-03-25 |
| 116-CVE-2026-34179.patch | [PATCH 1/2] incusd/certificates: Prevent any type change | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-03-23 |
| 117-CVE-2026-40195.patch | incusd/storage/bucket: Validate expected metadata on import. This adds missing validation for bucket metadata when processing a bucket import. The missing logic would allow a malformed backup to crash the Incus daemon, potentially allowing for a DoS by a user with access to the Incus storage bucket functionality. This addresses CVE-2026-40195. | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-04-09 |
| 118-CVE-2026-40197.patch | incusd/storage/volume: Validate snapshot entries on import. The volume import logic was missing some validation of the snapshot data provided through the index. A nil snapshot entry would trigger a nil pointer dereference causing the Incus daemon to crash. This addresses CVE-2026-40197. | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-04-09 |
| 119-CVE-2026-40243.patch | incusd/network/ovn: Fix TLS validation logic. All 4 of the OVN connection handlers (NB, SB, IC-NB, IC-SB) were using a rather broken validation logic which would effectively treat any remote certificate as valid. The updated logic now correctly uses the configured CA as the only valid TLS root certificate and then loads the provided remote certificate and intermediates before validating that a path exists between the root CA and the server certificate. Custom logic is used as OVN certificates and connection URLs don't typically contain valid server name information. This addresses CVE-2026-40243. | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-04-09 |
| 120-CVE-2026-40251.patch | incusd/storage/instance: Fix bad snapshot index calculation. The logic used to check if we have additional volume configuration matching a backup was doing incorrect index math which could lead to crashes when fed a bad index file. This addresses CVE-2026-40251. | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-04-10 |
| 121-CVE-2026-41647.patch | incusd/storage/s3: Fix nil pointer dereference on truncated input. Bad error checking could lead a truncated s3 backup archive to trigger a nil pointer dereference during tar parsing. This would lead to a daemon crash and, with repeated use, a DoS of Incus. This addresses CVE-2026-41647. | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-04-17 |
| 122-CVE-2026-41648.patch | incusd: Limit tarball YAML reads to 1MiB. User provided image and backup tarballs would be unpacked and YAML files parsed without any size restrictions. This was making it easy for an authenticated user to provide a crafted image or backup tarball that, when parsed by Incus, would lead to a very large YAML document being loaded into memory, potentially causing the entire server to run out of memory. This addresses CVE-2026-41648. | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-04-17 |
| 123-CVE-2026-41684.patch | incusd: Fix nil pointer dereference in instance backup restore. Both the user triggered and admin triggered instance backup restore mechanisms could lead to a daemon crash by being fed partial backup metadata. This addresses CVE-2026-41684. | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-04-17 |
| 124-CVE-2026-41685.patch | incusd: Use QuotaWriter for backup and ISO uploads. Incus should always respect project disk limits when they are in place as those are a very useful safety net to prevent users from causing a denial of service by filling up the server's disk. This addresses CVE-2026-41685. | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-04-20 |
All known versions for source package 'incus'
- 7.0.0-1 (sid)
- 6.0.6-3 (forky)
- 6.0.4-2+deb13u7 (trixie-security, trixie-proposed-updates)
- 6.0.4-2+deb13u7~bpo12+1 (bookworm-backports)
- 6.0.4-2+deb13u4 (trixie)
