chore(deps): update dependency lxc/incus to v6.19.0

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
lxc/incus	minor	6.18.0 -> 6.19.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

lxc/incus (lxc/incus)

v6.19.0: Incus 6.19

Compare Source

What's Changed

• incusd/network/ovn: Tweak port removal logic by @​stgraber in #​2600
• Initial SELinux detection and handling by @​stgraber in #​2599
• github: Build the agent on MacOS by @​stgraber in #​2602
• Translations update from Hosted Weblate by @​weblate in #​2603
• incusd/instance/qemu: Disable virtio-snd on Windows by @​stgraber in #​2604
• Quiesce the VM QMP log by @​stgraber in #​2608
• incusd/device/disk: Skip VirtioFS Posix ACLs on Windows by @​stgraber in #​2609
• incusd/selinux: Add basic refpolicy support by @​stgraber in #​2612
• client: Add GetEventsByType and GetEventsAllProjectsByType by @​breml in #​2613
• Fix cluster event issues by @​stgraber in #​2615
• cmd/generate-database/db: Fix create/update with composite keys by @​masnax in #​2616
• client: Omit trailing ? for /events without query parameters by @​breml in #​2618
• incusd/storage_volumes: Better handle bad patterns by @​stgraber in #​2617
• incusd/apparmor/lxc: Don't bother with sys/proc protections when nest… by @​stgraber in #​2624
• incusd/acme: Handle HTTPS proxies by @​stgraber in #​2625
• Fix lifecycle events being emited on pending entities by @​presztak in #​2633
• Fix vlan/parent modification on physical uplink by @​gbilic in #​2632
• Feat: --format raw added added for getting raw data. by @​Mujib-Ahasan in #​2622
• Allow incus admin os on all platforms by @​stgraber in #​2635
• Fix sparse writer performance by @​stgraber in #​2637
• Tighten storage pool permissions by @​stgraber in #​2642
• incus-migrate: Strict error checking by @​stgraber in #​2639
• incusd/patches: Fix incorrect error check in permission patch by @​stgraber in #​2643
• incusd/instance/qemu: Properly parse dashed disk names when detaching by @​bensmrs in #​2648
• incusd/instance/qemu: Fix macOS agent by @​bensmrs in #​2647
• incusd/api: Refresh OIDC on changes to oidc.scopes by @​stgraber in #​2649
• incus/instance: Add missing godocs by @​dector in #​2644
• incusd: only apply qemu rtc adjustments if it is configured by @​The127 in #​2645
• Translations update from Hosted Weblate by @​weblate in #​2658
• Allow some remote internal API interactions by @​stgraber in #​2657
• gomod: Update dependencies by @​stgraber in #​2664
• Translations update from Hosted Weblate by @​weblate in #​2667
• cmd/incus-agent: address golangci-lint issues by @​RageZBla in #​2661
• Make /var/lib/incus/devices a tmpfs by @​stgraber in #​2668
• incus/util: #​2636 fix linter complaints in internal/util by @​dector in #​2655
• doc: Remove mentions of IRC by @​stgraber in #​2672
• Support for the Incus Agent as a Service on Windows by @​MOBergeron in #​2671
• doc/image_format: Tweak wording by @​stgraber in #​2676
• incusd/storage/zfs: Rework zvol resolution logic by @​stgraber in #​2673
• Workaround Linstor URL parsing issue by @​stgraber in #​2677
• incusd/device/unix_hotplug: Prevent duplicate uevent injection by @​zgttotev in #​2679
• Fix determination of target path for storage volume file mount command by @​presztak in #​2683
• build(deps): bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​2694
• cmd/lxd-to-incus: address golangci-lint issues by @​RageZBla in #​2692
• cmd/lxc-to-incus: address golangci lint issues by @​RageZBla in #​2691
• cmd/incus-simplestream: output of golangci-lint run --fix by @​RageZBla in #​2689
• cmd/incus-user: refactor to not use os.Exit and instead close listener by @​RageZBla in #​2690
• cmd/generate-config: address golangci-lint issues by @​RageZBla in #​2660
• shared/resources: Skip broken udev symlinks by @​stgraber in #​2695
• incusd/network/zone: Support setting top level records by @​stgraber in #​2696
• Correct response documentation for recursively fetching an instance by @​Hye-Dev in #​2699
• Support retrieving client certificate as PFX (PKCS12) by @​stgraber in #​2700
• Fix file access issues (crash and OpenFGA model) by @​stgraber in #​2701
• Translations update from Hosted Weblate by @​weblate in #​2703
• Add Full structs for storage volumes and backups by @​stgraber in #​2704
• Feature: Support deleting multiple objects in CLI by @​Mujib-Ahasan in #​2656
• Add option for disabling PCI firmware by @​Mujib-Ahasan in #​2698
• Support serial devices to resource API by @​baconYao in #​2675
• tests: Optimize CI test matrix to reduce workflow duration by @​baconYao in #​2629
• Add support for NIC limits on OVN by @​stgraber in #​2711
• Various fixes for Incus 6.19 by @​stgraber in #​2713
• incusd/instance/lxc: Tweak SELinux category by @​stgraber in #​2653

New Contributors

• @​gbilic made their first contribution in #​2632
• @​Mujib-Ahasan made their first contribution in #​2622
• @​dector made their first contribution in #​2644
• @​RageZBla made their first contribution in #​2661
• @​MOBergeron made their first contribution in #​2671
• @​Hye-Dev made their first contribution in #​2699
• @​baconYao made their first contribution in #​2675

Full Changelog: lxc/incus@v6.18.0...v6.19.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/incus:6.19.0

📦 Image Reference ghcr.io/uniget-org/tools/incus:6.19.0

digest	sha256:e9173764910c949756280c30372209d00f68f8bdc64f446c6a93631057a789c8
vulnerabilities
platform	linux/amd64
size	16 MB
packages	70

github.com/lxc/incus/v6 6.0.0-20251129060529-b19f4195c0f5 (golang) pkg:golang/github.com/lxc/incus/v6@6.0.0-20251129060529-b19f4195c0f5 Improper Privilege Management Affected range <=6.0.6 Fixed version Not Fixed CVSS Score 8.6 CVSS Vector CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Description Impact This affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the security.shifted property set to true as well as access to the host as an unprivileged user. The most common case for this would be systems using incus-user with the less privileged incus group to provide unprivileged users with an isolated restricted access to Incus. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid binary from within the container which can be executed as an unpriivleged user on the host to gain root privileges. Patches A patch for this issue is available here: lxc/incus#2642 The first commit changes the permissions for any new storage pool, the second commit applies it on startup to all existing storage pools. Workarounds Permissions can be manually restricted until a patched version of Incus is deployed. This is done with: chmod 0700 /var/lib/incus/storage-pools/*/* chmod 0711 /var/lib/incus/storage-pools/*/buckets* chmod 0711 /var/lib/incus/storage-pools/*/container* Those are the same permissions which will be applied by the patched Incus for both new and existing storage pools. References This was reported publicly on Github: lxc/incus#2641

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/19781565451.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/19781565451.