incus - Debian Package Tracker

general

source: incus (main)
version: 6.0.5-2
maintainer: Debian Go Packaging Team (DMD)
uploaders: Free Ekanayaka [DMD] – Mathias Gibbens [DMD]
arch: all any
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

old-bpo: 6.0.4-2~bpo12+1
stable: 6.0.4-2
testing: 6.0.5-1
unstable: 6.0.5-2
exp: 6.17.0-1~exp1

versioned links

6.0.4-2~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.0.4-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.0.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.0.5-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.17.0-1~exp1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

golang-github-lxc-incus-dev
incus (1 bugs: 0, 1, 0, 0)
incus-agent
incus-base
incus-client
incus-extra

action needed

8 security issues in trixie high

There are 8 open security issues in trixie.

8 important issues:

CVE-2025-54286: Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.
CVE-2025-54287: Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine.
CVE-2025-54288: Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line.
CVE-2025-54289: Privilege Escalation in operations API in Canonical LXD 6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format
CVE-2025-54290: Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.
CVE-2025-54291: Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.
CVE-2025-54292: Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.
CVE-2025-54293: Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.

Created: 2025-10-03 Last update: 2025-10-03 16:26

8 security issues in sid high

There are 8 open security issues in sid.

8 important issues:

CVE-2025-54286: Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.
CVE-2025-54287: Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine.
CVE-2025-54288: Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line.
CVE-2025-54289: Privilege Escalation in operations API in Canonical LXD 6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format
CVE-2025-54290: Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.
CVE-2025-54291: Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.
CVE-2025-54292: Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.
CVE-2025-54293: Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.

Created: 2025-10-03 Last update: 2025-10-03 16:26

8 security issues in forky high

There are 8 open security issues in forky.

8 important issues:

CVE-2025-54286: Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.
CVE-2025-54287: Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine.
CVE-2025-54288: Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line.
CVE-2025-54289: Privilege Escalation in operations API in Canonical LXD 6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format
CVE-2025-54290: Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.
CVE-2025-54291: Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.
CVE-2025-54292: Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.
CVE-2025-54293: Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.

Created: 2025-10-03 Last update: 2025-10-03 16:26

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2025-06-01 Last update: 2025-09-28 04:30

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 2-day delay is over. Check why.

Created: 2025-09-30 Last update: 2025-10-04 01:25

debian/patches: 1 patch to forward upstream low

Among the 5 debian patches available in version 6.0.5-2 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2024-08-18 Last update: 2025-09-28 10:33

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2024-01-18 Last update: 2025-04-05 23:55

testing migrations

excuses:
- Migration status: Blocked. Can't migrate due to a non-migratable dependency. Check status below.
- Blocked by: golang-github-tinylib-msgp
- Migrates after: golang-github-spf13-cast, golang-github-spf13-viper
- Migration status for incus (6.0.5-1 to 6.0.5-2): BLOCKED: Cannot migrate due to another item, which is blocked (please check which dependencies are stuck)
- Issues preventing migration:
- ∙ ∙ Built-Using: incus golang-github-tinylib-msgp (not considered)
- ∙ ∙ Invalidated by built-using
- ∙ ∙ Built-Using: incus golang-github-spf13-cast (not considered)
- ∙ ∙ Built-Using: incus golang-github-spf13-viper (not considered)
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/i/incus.html
- ∙ ∙ autopkgtest for incus/6.0.5-2: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Reproducible on amd64 - info ♻
- ∙ ∙ Reproducible on arm64 - info ♻
- ∙ ∙ Required age reduced by 3 days because of autopkgtest
- ∙ ∙ 6 days old (needed 2 days)
- Not considered

news

[rss feed]

[2025-09-27] Accepted incus 6.17.0-1~exp1 (source) into experimental (Mathias Gibbens)
[2025-09-27] Accepted incus 6.0.5-2 (source) into unstable (Mathias Gibbens)
[2025-08-29] Accepted incus 6.16.0-1~exp1 (source) into experimental (Mathias Gibbens)
[2025-08-22] incus 6.0.5-1 MIGRATED to testing (Debian testing watch)
[2025-08-16] Accepted incus 6.15.0-1~exp1 (source) into experimental (Mathias Gibbens)
[2025-08-16] Accepted incus 6.0.5-1 (source) into unstable (Mathias Gibbens)
[2025-08-10] Accepted incus 6.0.4-3 (source) into unstable (Mathias Gibbens)
[2025-06-27] Accepted incus 6.14.0-1~exp1 (source) into experimental (Mathias Gibbens)
[2025-05-08] Accepted incus 6.0.4-2~bpo12+1 (source) into stable-backports (Mathias Gibbens)
[2025-05-08] incus 6.0.4-2 MIGRATED to testing (Debian testing watch)
[2025-04-27] Accepted incus 6.0.4-2 (source) into unstable (Mathias Gibbens)
[2025-04-06] Accepted incus 6.0.4-1~bpo12+1 (source) into stable-backports (Mathias Gibbens)
[2025-04-06] incus 6.0.4-1 MIGRATED to testing (Debian testing watch)
[2025-04-04] incus 6.0.3-5 MIGRATED to testing (Debian testing watch)
[2025-04-04] Accepted incus 6.0.4-1 (source) into unstable (Mathias Gibbens)
[2025-04-03] Accepted incus 6.0.3-5~bpo12+1 (source) into stable-backports (Mathias Gibbens)
[2025-03-31] Accepted incus 6.0.3-5 (source) into unstable (Mathias Gibbens)
[2025-03-11] Accepted incus 6.0.3-4~bpo12+1 (source all amd64) into stable-backports (Debian FTP Masters) (signed by: Mathias Gibbens)
[2025-03-10] incus 6.0.3-4 MIGRATED to testing (Debian testing watch)
[2025-03-03] Accepted incus 6.0.3-4 (source) into unstable (Mathias Gibbens)
[2025-03-02] Accepted incus 6.0.3-3 (source all amd64) into unstable (Debian FTP Masters) (signed by: Mathias Gibbens)
[2025-01-29] Accepted incus 6.0.3-2~bpo12+1 (source) into stable-backports (Mathias Gibbens)
[2025-01-29] incus 6.0.3-2 MIGRATED to testing (Debian testing watch)
[2025-01-26] Accepted incus 6.0.3-2 (source) into unstable (Mathias Gibbens)
[2024-12-22] Accepted incus 6.0.3-1~bpo12+1 (source) into stable-backports (Mathias Gibbens)
[2024-12-22] incus 6.0.3-1 MIGRATED to testing (Debian testing watch)
[2024-12-20] Accepted incus 6.0.3-1 (source) into unstable (Mathias Gibbens)
[2024-10-10] Accepted incus 6.0.2-1~bpo12+1 (source) into stable-backports (Mathias Gibbens)
[2024-09-21] incus 6.0.2-1 MIGRATED to testing (Debian testing watch)
[2024-09-19] Accepted incus 6.0.2-1 (source) into unstable (Mathias Gibbens)

bugs [bug history graph]

all: 2
RC: 0
I&N: 1
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, exp, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 14)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 6.0.4-2