Version in base suite: 6.0.4-2+deb13u4 Version in overlay suite: 6.0.4-2+deb13u5 Base version: incus_6.0.4-2+deb13u5 Target version: incus_6.0.4-2+deb13u6 Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/incus/incus_6.0.4-2+deb13u5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/i/incus/incus_6.0.4-2+deb13u6.dsc changelog | 8 ++ patches/115-CVE-2026-34178.patch | 143 +++++++++++++++++++++++++++++++++++++++ patches/116-CVE-2026-34179.patch | 59 ++++++++++++++++ patches/series | 2 4 files changed, 212 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpnxflz31g/incus_6.0.4-2+deb13u5.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpnxflz31g/incus_6.0.4-2+deb13u6.dsc: no acceptable signature found
diff -Nru incus-6.0.4/debian/changelog incus-6.0.4/debian/changelog
--- incus-6.0.4/debian/changelog 2026-03-24 22:18:57.000000000 +0000
+++ incus-6.0.4/debian/changelog 2026-04-14 16:44:29.000000000 +0000
@@ -1,3 +1,11 @@
+incus (6.0.4-2+deb13u6) trixie-security; urgency=high
+
+ * Cherry-pick fixes for the following security issues:
+ - CVE-2026-34178 / GHSA-q96j-3fmm-7fv4
+ - CVE-2026-34179 / GHSA-c3h3-89qf-jqm5
+
+ -- Mathias Gibbens Tue, 14 Apr 2026 16:44:29 +0000
+
 incus (6.0.4-2+deb13u5) trixie-security; urgency=high
 
 * Cherry-pick fixes for the following security issues:
diff -Nru incus-6.0.4/debian/patches/115-CVE-2026-34178.patch incus-6.0.4/debian/patches/115-CVE-2026-34178.patch
--- incus-6.0.4/debian/patches/115-CVE-2026-34178.patch 1970-01-01 00:00:00.000000000 +0000
+++ incus-6.0.4/debian/patches/115-CVE-2026-34178.patch 2026-04-14 16:39:13.000000000 +0000
@@ -0,0 +1,143 @@
+From 4330648a956d31418de76049bb936ea250eba2fb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?St=C3=A9phane=20Graber?=
+Date: Wed, 25 Mar 2026 21:22:17 -0400
+Subject: [PATCH 1/2] incusd/instances_post: Add extra validation during backup
+ import
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Stéphane Graber
+Rebased-by: Mathias Gibbens
+---
+ cmd/incusd/instances_post.go | 70 ++++++++++++++++++++++++++++++++++--
+ 1 file changed, 67 insertions(+), 3 deletions(-)
+
+diff --git a/cmd/incusd/instances_post.go b/cmd/incusd/instances_post.go
+index 945946225..8947ff410 100644
+--- a/cmd/incusd/instances_post.go
++++ b/cmd/incusd/instances_post.go
+@@ -704,7 +704,7 @@ func createFromBackup(s *state.State, r *http.Request, projectName string, data
+ return response.BadRequest(fmt.Errorf("Backup file is missing required information"))
+ }
+
+- // Check project permissions.
++ // Early project permissions check (pre-override and pre-backup.yaml).
+ var req api.InstancesPost
+ err = s.DB.Cluster.Transaction(r.Context(), func(ctx context.Context, tx *db.ClusterTx) error {
+ req = api.InstancesPost{
+@@ -813,6 +813,7 @@ func createFromBackup(s *state.State, r *http.Request, projectName string, data
+ return fmt.Errorf("Failed importing backup: %w", err)
+ }
+
++ // Load the newly imported instance.
+ inst, err := instance.LoadByProjectAndName(s, bInfo.Project, bInfo.Name)
+ if err != nil {
+ return fmt.Errorf("Failed loading instance: %w", err)
+@@ -821,8 +822,32 @@ func createFromBackup(s *state.State, r *http.Request, projectName string, data
+ // Clean up created instance if the post hook fails below.
+ runRevert.Add(func() { _ = inst.Delete(true) })
+
+- // Run the storage post hook to perform any final actions now that the instance has been created
+- // in the database (this normally includes unmounting volumes that were mounted).
++ // Run a late project restriction check on the instance.
++ instState, _, err := inst.Render()
++ if err != nil {
++ return fmt.Errorf("Failed loading instance state: %w", err)
++ }
++
++ instStateAPI, ok := instState.(*api.Instance)
++ if !ok {
++ return fmt.Errorf("Unexpected instance state type %T", instStateAPI)
++ }
++
++ err = s.DB.Cluster.Transaction(context.TODO(), func(ctx context.Context, tx *db.ClusterTx) error {
++ req = api.InstancesPost{
++ InstancePut: instStateAPI.Writable(),
++ Name: inst.Name(),
++ Source: api.InstanceSource{},
++ Type: inst.Type().ToAPI(),
++ }
++
++ return project.AllowInstanceCreation(tx, projectName, req)
++ })
++ if err != nil {
++ return err
++ }
++
++ // Run any post hook for the instance.
+ if postHook != nil {
+ err = postHook(inst)
+ if err != nil {
+@@ -830,6 +855,44 @@ func createFromBackup(s *state.State, r *http.Request, projectName string, data
+ }
+ }
+
++ // And wrap up validation by running a check on all snapshots too.
++ snaps, err := inst.Snapshots()
++ if err != nil {
++ return fmt.Errorf("Failed loading instance snapshots: %w", err)
++ }
++
++ for _, snap := range snaps {
++ snapState, _, err := snap.Render()
++ if err != nil {
++ return fmt.Errorf("Failed loading instance snapshot state: %w", err)
++ }
++
++ snapStateAPI, ok := snapState.(*api.InstanceSnapshot)
++ if !ok {
++ return fmt.Errorf("Unexpected snapshot type %T", snapStateAPI)
++ }
++
++ err = s.DB.Cluster.Transaction(context.TODO(), func(ctx context.Context, tx *db.ClusterTx) error {
++ req = api.InstancesPost{
++ InstancePut: api.InstancePut{
++ Architecture: snapStateAPI.Architecture,
++ Config: snapStateAPI.Config,
++ Devices: snapStateAPI.Devices,
++ Ephemeral: snapStateAPI.Ephemeral,
++ Profiles: snapStateAPI.Profiles,
++ },
++ Name: inst.Name(),
++ Source: api.InstanceSource{},
++ Type: inst.Type().ToAPI(),
++ }
++
++ return project.AllowInstanceCreation(tx, projectName, req)
++ })
++ if err != nil {
++ return err
++ }
++ }
++
+ runRevert.Success()
+
+ return instanceCreateFinish(s, &req, db.InstanceArgs{Name: bInfo.Name, Project: bInfo.Project}, op)
+
+From 82d3fcd5f2e9fdb8d6ae2ca3ed898f81f24a0589 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?St=C3=A9phane=20Graber?=
+Date: Wed, 25 Mar 2026 21:30:19 -0400
+Subject: [PATCH 2/2] incus/import: Fix bad rendering on error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Stéphane Graber
+Rebased-by: Mathias Gibbens
+---
+ cmd/incus/import.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cmd/incus/import.go b/cmd/incus/import.go
+index 31ca61339..abd31bc39 100644
+--- a/cmd/incus/import.go
++++ b/cmd/incus/import.go
+@@ -110,6 +110,7 @@ func (c *cmdImport) Run(cmd *cobra.Command, args []string) error {
+
+ op, err := resource.server.CreateInstanceFromBackup(createArgs)
+ if err != nil {
++ progress.Done("")
+ return err
+ }
+
diff -Nru incus-6.0.4/debian/patches/116-CVE-2026-34179.patch incus-6.0.4/debian/patches/116-CVE-2026-34179.patch
--- incus-6.0.4/debian/patches/116-CVE-2026-34179.patch 1970-01-01 00:00:00.000000000 +0000
+++ incus-6.0.4/debian/patches/116-CVE-2026-34179.patch 2026-04-14 16:29:31.000000000 +0000
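Review bot: Both type-assertion failure messages in the new validation report the wrong type: once `instStateAPI, ok := instState.(*api.Instance)` fails, `instStateAPI` is a nil `*api.Instance`, so `%T` always prints `*api.Instance` rather than what `Render()` actually returned, and the snapshot loop has the same problem with `snapStateAPI`. Format the interface value instead: `return fmt.Errorf("Unexpected instance state type %T", instState)` and `return fmt.Errorf("Unexpected snapshot type %T", snapState)`. Separately, the snapshot loop reassigns the function-scoped `req`, so the value later passed to `instanceCreateFinish(s, &req, ...)` holds the last snapshot's Config/Devices/Profiles rather than the instance's whenever snapshots exist; I can't see `instanceCreateFinish` from here, but a loop-local `snapReq` would make the final call independent of whether snapshots are present. The late checks also run their transactions with `context.TODO()` while the early check in the same function uses `r.Context()`, which looks like an inconsistency unless the detachment from the request lifetime is intended. `createFromBackup` begins before this hunk.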
@@ -0,0 +1,59 @@
+From 0670e760c8ad2b276b89d729c7d16d9f1456fa42 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?St=C3=A9phane=20Graber?=
+Date: Mon, 23 Mar 2026 16:42:48 -0400
+Subject: [PATCH 1/2] incusd/certificates: Prevent any type change
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Stéphane Graber
+Rebased-by: Mathias Gibbens
+---
+ cmd/incusd/certificates.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/cmd/incusd/certificates.go b/cmd/incusd/certificates.go
+index 1b06d6cf687..35e2fcaa8d6 100644
+--- a/cmd/incusd/certificates.go
++++ b/cmd/incusd/certificates.go
+@@ -984,6 +984,11 @@ func doCertificateUpdate(d *Daemon, dbInfo api.Certificate, req api.CertificateP
+ s := d.State()
+
+ if clientType == clusterRequest.ClientTypeNormal {
++ // Prevent any type change.
++ if dbInfo.Type != req.Type {
++ return response.BadRequest(fmt.Errorf("The certificate type cannot be changed"))
++ }
++
+ reqDBType, err := certificate.FromAPIType(req.Type)
+ if err != nil {
+ return response.BadRequest(err)
+
+From b845b9334e9a0169a94a1d7924ec6d55cf06bfdb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?St=C3=A9phane=20Graber?=
+Date: Mon, 23 Mar 2026 16:46:05 -0400
+Subject: [PATCH 2/2] tests: Confirm certificate type can't be changed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Stéphane Graber
+Rebased-by: Mathias Gibbens
+---
+ test/suites/tls_restrictions.sh | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/test/suites/tls_restrictions.sh b/test/suites/tls_restrictions.sh
+index 7b43a2b75..b2c1628d8 100644
+--- a/test/suites/tls_restrictions.sh
++++ b/test/suites/tls_restrictions.sh
+@@ -39,6 +39,9 @@ test_tls_restrictions() {
+
+ ! incus_remote project create localhost:blah1 || false
+
++ # Confirm inability to change certificate type
++ ! incus query "/1.0/certificates/${FINGERPRINT}" -X PATCH -d '{"type": "server"}' || false
++
+ # Cleanup
+ incus config trust show "${FINGERPRINT}" | sed -e "s/restricted: true/restricted: false/" | incus config trust edit "${FINGERPRINT}"
+ incus project delete blah
diff -Nru incus-6.0.4/debian/patches/series incus-6.0.4/debian/patches/series
--- incus-6.0.4/debian/patches/series 2026-03-24 22:18:57.000000000 +0000
+++ incus-6.0.4/debian/patches/series 2026-04-14 16:03:20.000000000 +0000
@@ -21,3 +21,5 @@
 110-CVE-2026-33542.patch
 111-CVE-2026-33743.patch
 112-CVE-2026-33897.patch
+115-CVE-2026-34178.patch
+116-CVE-2026-34179.patch
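Review bot: The new guard `if dbInfo.Type != req.Type` is placed inside the `clientType == clusterRequest.ClientTypeNormal` branch, so requests that reach `doCertificateUpdate` with any other client type skip it; if that is deliberate because forwarded cluster requests are expected to have been checked on the member that received them, the one-line comment should say so, e.g. `// Prevent any type change (only enforced for direct client requests; forwarded cluster requests are expected to be pre-validated).` The shell test only exercises `-X PATCH` with a partial JSON body; a PUT carrying the full writable representation with a changed type presumably goes through the same function and would be worth a second case. The test also asserts only that the call fails, not that the stored value is intact, so checking the `type` field of `incus config trust show "${FINGERPRINT}"` afterwards would catch a rejection that still persisted the change. `doCertificateUpdate` begins and ends outside the hunk.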