Backports (stable-5.21) #17577
Merged
tomponline merged 13 commits into canonical:stable-5.21 from Feb 6, 2026
Signed-off-by: Stéphane Graber <[email protected]> Suggested-by: Rory McNamara <[email protected]> (cherry picked from commit a5c1c73b535fb12d2c1ccd1c6b9a933fd312dc79) Signed-off-by: Thomas Parrott <[email protected]> License: Apache-2.0 (cherry picked from commit 6e6b022)
Fixes it to actually single-quote. Signed-off-by: Thomas Parrott <[email protected]> (cherry picked from commit 6433705)
This avoids potential shell expansion of the strings should some special characters manage to make it through. Signed-off-by: Rory McNamara <[email protected]> (cherry picked from commit 0e0cf45ecdcc902a6f319f11971ed27df81bd29f) Signed-off-by: Thomas Parrott <[email protected]> License: Apache-2.0 (cherry picked from commit dbc1323)
Signed-off-by: Thomas Parrott <[email protected]> (cherry picked from commit 24fc892)
…tecture issue
LXD images from CPC have started to include duplicate architecture values, e.g.
```
cat metadata.yaml
architecture: "x86_64
x86_64"
creation_date: 1769772831
properties:
architecture: "x86_64
x86_64"
```
Signed-off-by: Thomas Parrott <[email protected]>
(cherry picked from commit 09d9034)
…t variables
LXC doesn't currently have a syntax to hold a multi-line environment variable in its configuration.
The use of multi-line environment variables leads to a corrupted configuration file and to a security issue where additional lines may be added by an unprivileged user to escalate their privileges.
This fixes CVE-2026-23953.
Reported-by: Rory McNamara <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
(cherry picked from commit cdf037409fbb35ab0f9fdc4e0e8cc706adbca99e)
Signed-off-by: Thomas Parrott <[email protected]>
License: Apache-2.0
(cherry picked from commit a53d166)
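The configuration-line injection that commit message describes, as an added Go example that is not LXD's own code: an unchecked renderer next to one that refuses line breaks. The function names, the choice to reject rather than skip, and the `placeholder.key` sample input are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ErrLineBreak marks a variable that cannot fit on one configuration line.
var ErrLineBreak = errors.New("line break in environment variable")

// sortedKeys gives a deterministic output order.
func sortedKeys(env map[string]string) []string {
	keys := make([]string, 0, len(env))
	for k := range env {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// renderUnchecked writes one "lxc.environment" line per variable without
// inspecting the value, so an embedded "\n" starts a new configuration line.
func renderUnchecked(env map[string]string) string {
	var b strings.Builder
	for _, k := range sortedKeys(env) {
		fmt.Fprintf(&b, "lxc.environment = %s=%s\n", k, env[k])
	}
	return b.String()
}

// renderChecked refuses any key or value containing CR or LF before writing.
func renderChecked(env map[string]string) (string, error) {
	for _, k := range sortedKeys(env) {
		if strings.ContainsAny(k, "\r\n") || strings.ContainsAny(env[k], "\r\n") {
			return "", fmt.Errorf("%w: %q", ErrLineBreak, k)
		}
	}
	return renderUnchecked(env), nil
}

func main() {
	// Constructed input: the second line is a harmless placeholder key.
	env := map[string]string{"LANG": "C.UTF-8\nplaceholder.key = injected"}
	fmt.Printf("unchecked:\n%s", renderUnchecked(env))
	_, err := renderChecked(env)
	fmt.Println("checked:", err)
}
```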
Signed-off-by: Thomas Parrott <[email protected]> (cherry picked from commit 42d8287)
Signed-off-by: Thomas Parrott <[email protected]> (cherry picked from commit 7d5a13b)
…targets
This fixes three security issues related to file templates:
- The template target path could be made to be relative or go through symlinks in a way that could lead to arbitrary write to the host filesystem.
- The template directory could be relative, allowing for arbitrary read from the host filesystem.
- The template file itself could be made relative, allowing for arbitrary reads from the host filesystem.
In the case of the template target path, the new logic makes use of the kernel's openat2 system call which brings a variety of flags that can be used to restrict path resolution and detect potential issues.
For the template path itself, we now validate that it is a simple local file and that the template directory isn't a symlink.
This fixes CVE-2026-23954
Reported-by: Rory McNamara <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
(cherry picked from commit c1d90bd34a7ccc224276b87644d7c75437f1cb64)
Signed-off-by: Thomas Parrott <[email protected]>
License: Apache-2.0
(cherry picked from commit d1c8ba1)
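A sketch of the template-side validation that commit message describes (simple local file, template directory not a symlink), added here as an example and not taken from the LXD source. `readTemplate`, `ErrUnsafeTemplate` and the sample file names are hypothetical, and reading "simple local file" as "bare file name that is a regular file" is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafeTemplate = errors.New("unsafe template path")

// readTemplate (hypothetical helper) reads templateDir/name only when name is a
// bare file name, templateDir is not a symlink, and the file is a regular file.
func readTemplate(templateDir, name string) ([]byte, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsRune(name, filepath.Separator) {
		return nil, fmt.Errorf("%w: %q is not a simple file name", ErrUnsafeTemplate, name)
	}
	// Lstat reports on the link itself, so a symlinked directory is not IsDir.
	dirInfo, err := os.Lstat(templateDir)
	if err != nil {
		return nil, err
	}
	if !dirInfo.IsDir() {
		return nil, fmt.Errorf("%w: %q is not a real directory", ErrUnsafeTemplate, templateDir)
	}
	path := filepath.Join(templateDir, name)
	fileInfo, err := os.Lstat(path)
	if err != nil {
		return nil, err
	}
	if !fileInfo.Mode().IsRegular() {
		return nil, fmt.Errorf("%w: %q is not a regular file", ErrUnsafeTemplate, path)
	}
	return os.ReadFile(path)
}

func main() {
	// Constructed layout: a temporary templates/ directory holding hosts.tpl.
	root, _ := os.MkdirTemp("", "tpl")
	defer os.RemoveAll(root)
	dir := filepath.Join(root, "templates")
	_ = os.Mkdir(dir, 0755)
	_ = os.WriteFile(filepath.Join(dir, "hosts.tpl"), []byte("127.0.0.1 localhost\n"), 0644)
	for _, name := range []string{"hosts.tpl", "../outside"} {
		_, err := readTemplate(dir, name)
		fmt.Printf("%-12q -> %v\n", name, err)
	}
}
```

The `Lstat` checks and the read are separate steps, so this sketch is not atomic; the `openat2` resolution flags the commit uses for the target path are enforced by the kernel during the open itself.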
…llow error wrapping
Also:
- Closes rootfs file handle earlier.
- Handles errors if file handles error when closing.
Signed-off-by: Thomas Parrott <[email protected]>
(cherry picked from commit c981c47)
bc5a9fd to
27f35f4
Signed-off-by: Minae Lee <[email protected]> (cherry picked from commit ec4aa43)
Signed-off-by: Minae Lee <[email protected]> (cherry picked from commit 497c63f)
Signed-off-by: Minae Lee <[email protected]> (cherry picked from commit 5053215)
Member
Author
I'll fix the docs failure with routine backports.
skozina approved these changes Feb 6, 2026
tomponline added a commit to tomponline/lxd-pkg-snap that referenced this pull request Feb 9, 2026
Cherry-picks from canonical/lxd#17577
Includes fixes from:
- canonical/lxd#17478
- canonical/lxd#17549
- canonical/lxd#17550
- canonical/lxd#17551
Signed-off-by: Thomas Parrott <[email protected]>
tomponline added a commit to canonical/lxd-pkg-snap that referenced this pull request Feb 9, 2026
Cherry-picks from canonical/lxd#17577
Includes fixes from:
- canonical/lxd#17478
- canonical/lxd#17549
- canonical/lxd#17550
- canonical/lxd#17551
tomponline added a commit to tomponline/lxd-pkg-snap that referenced this pull request Feb 9, 2026
From canonical/lxd#17577
Signed-off-by: Thomas Parrott <[email protected]>
tomponline added a commit to canonical/lxd-pkg-snap that referenced this pull request Feb 9, 2026
Backports from: