Bug#1120520: trixie-pu: package lxd/5.0.2+git20231211.1364ae4-9+deb13u2

To: Mathias Gibbens <gibmat@debian.org>, 1120520@bugs.debian.org
Subject: Bug#1120520: trixie-pu: package lxd/5.0.2+git20231211.1364ae4-9+deb13u2
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Sat, 06 Dec 2025 16:32:39 +0000
Message-id: <[🔎] fc2a2e47e96c42afe0ba6a9d16be6b5e5a50c8be.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 1120520@bugs.debian.org
In-reply-to: <731ba9cc13f322044c72bab85aeb0e88863f55d4.camel@debian.org>
References: <731ba9cc13f322044c72bab85aeb0e88863f55d4.camel@debian.org> <731ba9cc13f322044c72bab85aeb0e88863f55d4.camel@debian.org>

Control: tags -1 + confirmed

On Tue, 2025-11-11 at 16:51 +0000, Mathias Gibbens wrote:
> While investigating CVE-2025-64507, I discovered that filesystem ID
> mapping is broken for LXD in trixie. This renders the attack
> unexploitable (yay!) but is a regression for anyone who wants/needs
> to setup filesystem ID mapping.
> 
> After discussion with the Security Team, I have prepared this updated
> version of LXD that fixes both the ID mapping and relevant CVE. 

Please go ahead.

Regards,

Adam

Reply to:

Follow-Ups:
- Bug#1120520: trixie-pu: package lxd/5.0.2+git20231211.1364ae4-9+deb13u2
  - From: Mathias Gibbens <gibmat@debian.org>

Prev by Date: Bug#1120493: trixie-pu: package mirrorbits/0.6-1+deb13u1
Next by Date: Bug#1120661: trixie-pu: package symfony/6.4.21+dfsg-2+deb13u1
Previous by thread: Processed: Re: Bug#1120493: trixie-pu: package mirrorbits/0.6-1+deb13u1
Next by thread: Processed: Re: Bug#1120520: trixie-pu: package lxd/5.0.2+git20231211.1364ae4-9+deb13u2
Index(es):
- Date
- Thread