Debian Patches
Status for incus/6.0.5-8
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 001-skip-TestConvertNetworkConfig.patch | lxc prior to version 4.0.12 had a logic bug in do_lxcapi_create() that returned success in error conditions. Since this is a very simple test, that didn’t actually matter, but now to properly pass would require the setting up of a user-specific lxc configuration and sub[u\|g]id mappings, which is just too much effort for a small test. diff --git a/cmd/lxc-to-incus/main_migrate_test.go b/cmd/lxc-to-incus/main_migrate_test.go index 6fbff5fce..d3783b998 100644 | Mathias Gibbens <gibmat@debian.org> | not-needed | | | |
| 002-adjust-import-paths.patch | Adjust import paths to reflect Debian packaging. diff --git a/cmd/incusd/daemon.go b/cmd/incusd/daemon.go index 139fe549b..59f347c02 100644 | Mathias Gibbens <gibmat@debian.org> | not-needed | | | |
| 003-Compile-against-go-criu-v7.patch | Compile against go-criu v7 | Reinhard Tartler <siretart@tauware.de> | no | | | 2024-08-08 |
| 004-include-incusos-network-structs.patch | Incus now consumes the IncusOS network API. This causes a dependency loop, so extract the relevant structs needed by Incus. diff --git a/cmd/incusd/networks.go b/cmd/incusd/networks.go index f6ea927ca..7a1b93ce1 100644 | Mathias Gibbens <gibmat@debian.org> | not-needed | | | |
| 005-revert-4e828ca.patch | Temporarily revert commit that broke running `incus exec` for VMs. diff --git a/cmd/incus-agent/dev_incus.go b/cmd/incus-agent/dev_incus.go index 9dbf0c175..bc64243b6 100644 | Mathias Gibbens <gibmat@debian.org> | yes | | | |
| 006-update-libovsdb-import-path.patch | [PATCH 1/4] internal/server/network: Update libovsdb import path | Mathias Gibbens <mathias.gibbens@futurfusion.io> | no | | | 2025-10-14 |
| 007-cherry-pick-fix-nested-docker.patch | [PATCH] incusd/apparmor/lxc: Don't bother with sys/proc protections when nesting enabled. When nesting is enabled, it's possible for the container to get a clean copy of /proc or /sys mounted anywhere without AppArmor being able to mediate. So there's little point in trying to apply safety checks on top of the main /proc and /sys. On top of that, we've recently discovered that AppArmor doesn't properly handle file access relative to a file descriptor, causing a bunch of those checks to deny access when they shouldn't. Closes #2623 | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-11-05 |
| 106a-GHSA-56mx-8g9f-5crf.patch | [PATCH] incusd/storage: Tighten storage pool volume permissions. Closes #2641 | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-11-09 |
| 106b-GHSA-56mx-8g9f-5crf.patch | [PATCH] incusd/patches: Re-apply storage permissions on update | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-11-09 |
| 106c-GHSA-56mx-8g9f-5crf.patch | [PATCH] incusd/patches: Fix incorrect error check in permission patch | Stéphane Graber <stgraber@stgraber.org> | no | | | 2025-11-10 |
| 107-CVE-2026-23953.patch | [PATCH] internal/instance: Prevent line breaks in environment variables. LXC doesn't currently have a syntax to hold a multi-line environment variable in its configuration. The use of multi-line environment variables leads to a corrupted configuration file and to a security issue where additional lines may be added by an unprivileged user to escalate their privileges. This fixes CVE-2026-23953. | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-01-20 |
| 108-CVE-2026-23954.patch | [PATCH] incusd/instance/lxc: Restrict path of template files and targets. This fixes three security issues related to file templates: - The template target path could be made to be relative or go through symlinks in a way that could lead to arbitrary write to the host filesystem. - The template directory could be relative, allowing for arbitrary read from the host filesystem. - The template file itself could be made relative, allowing for arbitrary reads from the host filesystem. In the case of the template target path, the new logic makes use of the kernel's openat2 system call which brings a variety of flags that can be used to restrict path resolution and detect potential issues. For the template path itself, we now validate that it is a simple local file and that the template directory isn't a symlink. This fixes CVE-2026-23954 | Stéphane Graber <stgraber@stgraber.org> | no | | | 2026-01-21 |
All known versions for source package 'incus'
- 6.21.0-1~exp1 (experimental)
- 6.0.5-8 (sid, forky)
- 6.0.4-2+deb13u4 (trixie-security, trixie-proposed-updates)
- 6.0.4-2+deb13u4~bpo12+1 (bookworm-backports)
- 6.0.4-2+deb13u3 (trixie)
