Version in base suite: 5.0.2-5+deb12u2 Version in overlay suite: 5.0.2-5+deb12u4 Base version: lxd_5.0.2-5+deb12u4 Target version: lxd_5.0.2-5+deb12u5 Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/lxd/lxd_5.0.2-5+deb12u4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/l/lxd/lxd_5.0.2-5+deb12u5.dsc changelog | 8 ++ patches/110-CVE-2026-34177.patch | 50 +++++++++++++++++ patches/112-CVE-2026-34179.patch | 110 +++++++++++++++++++++++++++++++++++++++ patches/series | 2 4 files changed, 170 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpm0a2fm3x/lxd_5.0.2-5+deb12u4.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpm0a2fm3x/lxd_5.0.2-5+deb12u5.dsc: no acceptable signature found
diff -Nru lxd-5.0.2/debian/changelog lxd-5.0.2/debian/changelog
--- lxd-5.0.2/debian/changelog 2026-03-24 23:43:38.000000000 +0000
+++ lxd-5.0.2/debian/changelog 2026-04-14 19:42:37.000000000 +0000
@@ -1,3 +1,11 @@
+lxd (5.0.2-5+deb12u5) bookworm-security; urgency=high
+
+ * Cherry-pick fixes for the following security issues:
+ - CVE-2026-34177 / GHSA-fm2x-c5qw-4h6f
+ - CVE-2026-34179 / GHSA-c3h3-89qf-jqm5
+
+ -- Mathias Gibbens Tue, 14 Apr 2026 19:42:37 +0000
+
 lxd (5.0.2-5+deb12u4) bookworm-security; urgency=high
 * Cherry-pick fixes for the following security issues:
diff -Nru lxd-5.0.2/debian/patches/110-CVE-2026-34177.patch lxd-5.0.2/debian/patches/110-CVE-2026-34177.patch
--- lxd-5.0.2/debian/patches/110-CVE-2026-34177.patch 1970-01-01 00:00:00.000000000 +0000
+++ lxd-5.0.2/debian/patches/110-CVE-2026-34177.patch 2026-04-14 18:37:45.000000000 +0000
@@ -0,0 +1,50 @@
+From 0451314ab5b0ceb9d941831b0b578527eaac9094 Mon Sep 17 00:00:00 2001
+From: Din Music
+Date: Thu, 19 Mar 2026 09:26:16 +0000
+Subject: [PATCH 1/2] lxd/project/limits: Add raw.apparmor and raw.qemu.conf to
+ the list of forbidden low level VM options
+
+Signed-off-by: Din Music
+---
+ lxd/project/permissions.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lxd/project/permissions.go b/lxd/project/permissions.go
+index a2024f0ccb0c..c2e400682d46 100644
+--- a/lxd/project/permissions.go
++++ b/lxd/project/permissions.go
+@@ -847,8 +847,10 @@ func isVMLowLevelOptionForbidden(key string) bool {
+ return shared.StringInSlice(key, []string{
+ "boot.host_shutdown_timeout",
+ "limits.memory.hugepages",
++ "raw.apparmor",
+ "raw.idmap",
+ "raw.qemu",
++ "raw.qemu.conf",
+ })
+ }
+
+From 607770a1bc1b919eeb9faa4a2dbe21d107b06be7 Mon Sep 17 00:00:00 2001
+From: Din Music
+Date: Wed, 18 Mar 2026 09:16:08 +0000
+Subject: [PATCH 2/2] lxd/project/limits: Set instance type in
+ AllowInstanceCreation for consistency
+
+Signed-off-by: Din Music
+---
+ lxd/project/permissions.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lxd/project/permissions.go b/lxd/project/permissions.go
+index c2e400682d46..f3d92b8d3436 100644
+--- a/lxd/project/permissions.go
++++ b/lxd/project/permissions.go
+@@ -61,6 +61,7 @@ func AllowInstanceCreation(tx *db.ClusterTx, projectName string, req api.Instanc
+ info.Instances = append(info.Instances, api.Instance{
+ Name: req.Name,
+ Project: projectName,
++ Type: string(req.Type),
+ InstancePut: req.InstancePut,
+ })
+
diff -Nru lxd-5.0.2/debian/patches/112-CVE-2026-34179.patch lxd-5.0.2/debian/patches/112-CVE-2026-34179.patch
--- lxd-5.0.2/debian/patches/112-CVE-2026-34179.patch 1970-01-01 00:00:00.000000000 +0000
+++ lxd-5.0.2/debian/patches/112-CVE-2026-34179.patch 2026-04-14 19:42:37.000000000 +0000
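Review bot: The second commit in this patch, `+ Type: string(req.Type),` in AllowInstanceCreation, is labelled a consistency change but is presumably what makes the first commit effective at creation time: if the check that consults isVMLowLevelOptionForbidden is selected by the instance's Type, an empty Type on the api.Instance built here would mean the new `raw.apparmor` and `raw.qemu.conf` entries are never evaluated for a freshly created VM. That dependency is inferred, since both isVMLowLevelOptionForbidden's callers and the rest of AllowInstanceCreation are outside this hunk, but if it holds, a header line in the patch file such as `# Both commits are needed: the Type fix ensures the VM key list is applied on creation.` would stop a later rebase from dropping the second commit as non-security. The patch header also carries no DEP-3 `Bug:` or advisory reference beyond the filename, which is worth adding for the same reason.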
@@ -0,0 +1,110 @@
+From 8955439529204a4404b7ba4730d91f75dfe97a14 Mon Sep 17 00:00:00 2001
+From: Mark Laing
+Date: Mon, 23 Mar 2026 09:41:08 +0000
+Subject: [PATCH 1/2] lxd: Improve validation when editing certificates.
+
+Signed-off-by: Mark Laing
+(cherry picked from commit 8c0c8dcc0f7b6ef59524bfeae198b6081248a88d)
+Rebased-by: Mathias Gibbens
+---
+ lxd/certificates.go | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/lxd/certificates.go b/lxd/certificates.go
+index a47194fd2036..375a903f6943 100644
+--- a/lxd/certificates.go
++++ b/lxd/certificates.go
+@@ -7,6 +7,7 @@ import (
+ "encoding/base64"
+ "encoding/json"
+ "encoding/pem"
++ "errors"
+ "fmt"
+ "net"
+ "net/http"
+@@ -957,10 +958,14 @@ func certificatePatch(d *Daemon, r *http.Request) response.Response {
+ }
+
+ func doCertificateUpdate(d *Daemon, dbInfo api.Certificate, req api.CertificatePut, clientType clusterRequest.ClientType, r *http.Request) response.Response {
++ if dbInfo.Type != req.Type {
++ return response.Forbidden(errors.New("The certificate type cannot be changed"))
++ }
++
+ if clientType == clusterRequest.ClientTypeNormal {
+- reqDBType, err := dbCluster.CertificateAPITypeToDBType(req.Type)
++ dbInfoType, err := dbCluster.CertificateAPITypeToDBType(dbInfo.Type)
+ if err != nil {
+- return response.BadRequest(err)
++ return response.SmartError(fmt.Errorf("Invalid existing certificate type: %w", err))
+ }
+
+ // Convert to the database type.
+@@ -982,7 +987,7 @@ func doCertificateUpdate(d *Daemon, dbInfo api.Certificate, req api.CertificateP
+ Fingerprint: dbInfo.Fingerprint,
+ Restricted: req.Restricted,
+ Name: req.Name,
+- Type: reqDBType,
++ Type: dbInfoType,
+ }
+
+ // Non-admins are able to change their own certificate but no other fields.
+@@ -995,7 +1000,7 @@ func doCertificateUpdate(d *Daemon, dbInfo api.Certificate, req api.CertificateP
+ }
+
+ // Ensure the user in not trying to change fields other than the certificate.
+- if dbInfo.Restricted != req.Restricted || dbInfo.Name != req.Name || len(dbInfo.Projects) != len(req.Projects) {
++ if dbInfo.Restricted != req.Restricted || dbInfo.Name != req.Name || len(dbInfo.Projects) != len(req.Projects) || dbInfo.Type != req.Type {
+ return response.Forbidden(fmt.Errorf("Only the certificate can be changed"))
+ }
+
+@@ -1011,7 +1016,7 @@ func doCertificateUpdate(d *Daemon, dbInfo api.Certificate, req api.CertificateP
+ Fingerprint: dbInfo.Fingerprint,
+ Restricted: dbInfo.Restricted,
+ Name: dbInfo.Name,
+- Type: reqDBType,
++ Type: dbInfoType,
+ }
+
+ certProjects = dbInfo.Projects
+
+From 8d020089fae6d13b4904392e416fd9e6598534ae Mon Sep 17 00:00:00 2001
+From: Mark Laing
+Date: Mon, 23 Mar 2026 09:55:36 +0000
+Subject: [PATCH 2/2] test/suites: Test improved validation.
+
+Signed-off-by: Mark Laing
+(cherry picked from commit 5f4b8e20afa321e0be436a908a8a92b8b8700557)
+---
+ test/suites/tls_restrictions.sh | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/test/suites/tls_restrictions.sh b/test/suites/tls_restrictions.sh
+index ab72b2c35ce5..c10bb61c1b85 100644
+--- a/test/suites/tls_restrictions.sh
++++ b/test/suites/tls_restrictions.sh
+@@ -24,9 +24,25 @@ test_tls_restrictions() {
+ lxc_remote project list localhost: | grep -q default
+ lxc_remote project list localhost: | grep -q blah
+
++ # Confirm certificates cannot be edited to have "server" type.
++ ! lxc_remote config trust show "localhost:${FINGERPRINT}" | sed -e "s/type: client/type: server/" | lxc_remote config trust edit "localhost:${FINGERPRINT}" || false
++
+ # Apply restrictions
+ lxc config trust show "${FINGERPRINT}" | sed -e "s/restricted: false/restricted: true/" | lxc config trust edit "${FINGERPRINT}"
+
++ # Confirm restricted client cannot edit certificate type, name, restrictions, or projects.
++ cert_name="$(lxc query "localhost:/1.0/certificates/${FINGERPRINT}" | jq -r '.name')"
++ ! 
lxc_remote config trust show "localhost:${FINGERPRINT}" | sed -e "s/type: client/type: server/" | lxc_remote config trust edit "localhost:${FINGERPRINT}" || false
++ ! lxc_remote config trust show "localhost:${FINGERPRINT}" | sed -e "s/type: client/type: metrics/" | lxc_remote config trust edit "localhost:${FINGERPRINT}" || false
++ ! lxc_remote config trust show "localhost:${FINGERPRINT}" | sed -e "s/name: ${cert_name}/name: bar/" | lxc_remote config trust edit "localhost:${FINGERPRINT}" || false
++ ! lxc_remote config trust show "localhost:${FINGERPRINT}" | sed -e "s/restricted: true/restricted: false/" | lxc_remote config trust edit "localhost:${FINGERPRINT}" || false
++ ! lxc_remote config trust show "localhost:${FINGERPRINT}" | sed -e "s/projects: \[\]/projects: ['default']/" | lxc_remote config trust edit "localhost:${FINGERPRINT}" || false
++ ! lxc_remote query -X PATCH "localhost:/1.0/certificates/${FINGERPRINT}" -d '{"type": "server"}' || false
++ ! lxc_remote query -X PATCH "localhost:/1.0/certificates/${FINGERPRINT}" -d '{"type": "metrics"}' || false
++ ! lxc_remote query -X PATCH "localhost:/1.0/certificates/${FINGERPRINT}" -d '{"restricted": false, "projects": []}' || false
++ ! lxc_remote query -X PATCH "localhost:/1.0/certificates/${FINGERPRINT}" -d '{"projects": ["default"]}' || false
++ ! lxc_remote query -X PATCH "localhost:/1.0/certificates/${FINGERPRINT}" -d '{"name": "bar"}' || false
++
+ # Confirm no project visible when none listed
+ [ "$(lxc_remote project list localhost: --format csv | wc -l)" = 0 ]
+
diff -Nru lxd-5.0.2/debian/patches/series lxd-5.0.2/debian/patches/series
--- lxd-5.0.2/debian/patches/series 2026-03-24 23:43:38.000000000 +0000
+++ lxd-5.0.2/debian/patches/series 2026-04-14 19:42:37.000000000 +0000
@@ -16,3 +16,5 @@
 107-CVE-2026-28384.patch
 108-CVE-2026-33542.patch
 109-CVE-2026-33897.patch
+110-CVE-2026-34177.patch
+112-CVE-2026-34179.patch
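Review bot: Every test added to test/suites/tls_restrictions.sh asserts a rejection; there is no positive case showing that a PATCH whose body omits `type` still succeeds after the new unconditional `if dbInfo.Type != req.Type { return response.Forbidden(...) }` at the top of doCertificateUpdate. Whether such a request passes depends on certificatePatch pre-filling req.Type from dbInfo before calling doCertificateUpdate, and certificatePatch's body is outside this hunk, so the rebase onto 5.0.2 would be easier to trust with one no-op admin PATCH such as `lxc query -X PATCH "localhost:/1.0/certificates/${FINGERPRINT}" -d '{"restricted": true}'` expected to succeed. Separately, the `|| dbInfo.Type != req.Type` clause added to the non-admin "Only the certificate can be changed" condition can no longer be reached, because the early return above it already rejects a type mismatch for every client type; keeping it as defence in depth is fine, but a comment on it such as `// Type mismatch is already rejected above for all client types; kept for clarity.` would stop a future rebase from treating it as the only guard.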
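Review bot: The numbering in debian/patches/series jumps from 110-CVE-2026-34177.patch to 112-CVE-2026-34179.patch with no 111, and neither the series file nor the changelog entry says why. If a patch 111 was deliberately left out (not applicable to 5.0.2, or folded into another patch), a comment line in series such as `# 111 intentionally unused` or a sentence in the changelog would save the next uploader from assuming a fix was lost during the rebase.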