Introduction
The LXD team would like to announce the release of LXD 5.0.6!
Thank you to everyone who contributed to this release!
This is the sixth bugfix release for LXD 5.0, which is supported until June 2027.
Highlights
This release includes fixes for several security issues:
- Container environment configuration newline injection (CVE-2026-23953 from Incus)
- Container image templating arbitrary host file read and write (CVE-2026-23954 from Incus)
- Container hook project command injection (from Incus)
Snap packaging dependency updates
- go: Bump to 1.25.6
Complete changelog
Here is a complete list of all changes in this release:
Full commit list
- build(deps): bump google.golang.org/protobuf from 1.36.9 to 1.36.10
- build(deps): bump golang.org/x/oauth2 from 0.31.0 to 0.32.0
- build(deps): bump golang.org/x/text from 0.29.0 to 0.30.0
- build(deps): bump golang.org/x/sys from 0.36.0 to 0.37.0
- build(deps): bump golang.org/x/term from 0.35.0 to 0.36.0
- build(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0
- workflows/tests: lxd-agent size increased by 1 MB
- build(deps): bump actions/upload-artifact from 4 to 5
- build(deps): bump github.com/pkg/sftp from 1.13.9 to 1.13.10
- build(deps): bump github.com/minio/minio-go/v7 from 7.0.95 to 7.0.97
- build(deps): bump golang.org/x/sys from 0.37.0 to 0.38.0
- build(deps): bump golang.org/x/oauth2 from 0.32.0 to 0.33.0
- build(deps): bump golang.org/x/sync from 0.17.0 to 0.18.0
- lxd/storage: Tighten storage pool volume permissions
- lxd/storage/drivers/volume: Add comments explaining differences in BaseDirectories permissions
- lxd/storage/backend/lxd: Replace deprecated os.IsExist
- lxd/patches: Re-apply storage permissions on update
- test: Add tests for storage directory permissions
- build(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0
- build(deps): bump actions/checkout from 5.0.0 to 6.0.0
- build(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0
- lxd/apparmor/instance/lxc: Don’t bother with sys/proc protections when nesting enabled
- build(deps): bump actions/checkout from 5.0.1 to 6.0.0
- build(deps): bump actions/checkout from 6.0.0 to 6.0.1
- build(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2
- build(deps): bump actions/upload-artifact from 5 to 6
- build(deps): bump actions/checkout from 6.0.1 to 6.0.2
- shared/version/useragent: support adding more than one feature
- lxd/ubuntupro: minimal backport of
pro attachdetection - lxd/api_cluster: ignore failures to update the user agent
- lxd/daemon: ignore failures to update the user agent
- lxd/daemon: add
profeature if the host is pro attach - github: copy
actions/setup-microcephfrommainbranch - github: use
actions/setup-microcephin tests - lxd/ubuntupro/client: move away from
pro status --format jsondue to it being experimental - lxd/ubuntupro/client_test: add tests for the new
parseProAPIIsAttachedV1helper - doc/index: avoid permanent HTTP redirections with direct links
- doc/conf: ignore links to https://docutils.sourceforge.io/docs/ (403)
- github: use the branch copy of the
actions/setup-microceph - github: use
squid/edgechannel withactions/setup-microceph - github: bump loop file sized for
actions/setup-microceph - doc: fix cloud-init cloud config link
- doc: add terms to spellcheck ignore list
- doc: fix broken discourse link in README
- shared/util: Add SingleQuote
- shared/util: Rework SingleQuote to ShellQuote
- lxd/instance/drivers/lxc: Use ShellQuote instead of Quote
- lxd/instance/drivers/driver/lxc: Reduce duplicated calls to ShellQuote
- lxd/instance/instancetype/instance: Prevent line breaks in environment variables
- test: Adds tests to check for line breaks not being accepted in env vars
- lxd/instance/drivers/driver/lxc: Restrict path of template files and targets
- lxd/instance/drivers/driver/lxc: Rework template security checks to allow error wrapping
- gomod: Update deps
Downloads
The release tarballs can be found on our download page.
Binary builds are also available for:
- Linux: snap install lxd
- MacOS: brew install lxc
- Windows: choco install lxc