CVE-2024-6219

NameCVE-2024-6219
DescriptionMark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
incus (PTS)sid, trixie6.0.3-1fixed
lxd (PTS)bookworm5.0.2-5fixed
sid, trixie5.0.2+git20231211.1364ae4-7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
incussource(unstable)(not affected)
lxdsource(unstable)(not affected)

Notes

- lxd <not-affected> (Vulnerable code introduced later)
- incus <not-affected> (Fixed before initial upload)
https://github.com/canonical/lxd/security/advisories/GHSA-jpmc-7p9c-4rxf
lxd: https://github.com/canonical/lxd/commit/5cdc9a35b9c51e981b1e70330bde0413ccacc7fd (lxd-5.20)
incus: https://github.com/lxc/incus/commit/d2bb0d86031cb0c1319914f1fb3842c058edb776 (v0.3.0)

Search for package or bug name: Reporting problems