control: severity -1 minor
control: tags -1 + wontfix

  Due to code changes/refactoring between LXD 5.0.4 and the snapshot of
5.0.2 in Debian, an unreasonable amount of work would be required to
fix this minor issue. Lowering severity and tagging with "wontfix" to
reflect this.

Mathias

On Fri, 2024-12-20 at 03:18 +0000, Mathias Gibbens wrote:
> Hi Security Team,
> 
>   I've just uploaded incus 6.0.3-1 that contains a fix for
> CVE-2024-6156, which I mentioned in its changelog.
> 
>   For LXD, I'm pretty sure the fix is commit fb0525e[1], but cleanly
> applying it to the version of LXD in Debian quickly snowballs into a
> ton of other diffs due to code changes and refactoring.
> 
>   Since this is a very low severity issue, for LXD I'd recommend the
> CVE be tagged as "won't fix". (Beyond the scope of this CVE, when
> trixie is released users will be encouraged to migrate any LXD
> installs to Incus, and src:lxd will be removed when forky development opens
> up. More background is in bug #1058592.)
> 
> Mathias
> 
> [1] -- 
> https://github.com/canonical/lxd/commit/fb0525e1bdd6a99c4eedacbe9e6c2c7b8e0d9a89
