
LXC

v7.0.0 Security

This release includes 2 security fixes, both in the setuid lxc-user-nic helper; no CVE identifiers are listed for them on this page.

Topics

c containers lxc

Summary

AI summary

Removes cgroup1 and bionic/android support; requires CLONE_PIDFD, clone3, and new mount API.

Full changelog

Announcement

https://discuss.linuxcontainers.org/t/lxc-7-0-lts-has-been-released/26612

What's Changed

  • meson: fix build on NixOS by @mihalicyn in https://github.com/lxc/lxc/pull/4428
  • Don't fail veth creation if ipv6 is disabled by @mihalicyn in https://github.com/lxc/lxc/pull/4432
  • Update lxc-attach.sgml.in by @MMFuba in https://github.com/lxc/lxc/pull/4442
  • Update lxc-execute.sgml.in by @MMFuba in https://github.com/lxc/lxc/pull/4441
  • Update lxc-{attach,execute}.sgml.in by @tenforward in https://github.com/lxc/lxc/pull/4446
  • lxc-local: fix broken templates processing by @jacobmcnamee in https://github.com/lxc/lxc/pull/4450
  • Apparmor profiles syntax fixes by @mihalicyn in https://github.com/lxc/lxc/pull/4452
  • AppArmor fixup by @mihalicyn in https://github.com/lxc/lxc/pull/4456
  • Update GitHub Actions to use Ubuntu 24.04 by @mihalicyn in https://github.com/lxc/lxc/pull/4453
  • meson: fix build with -Dtools-multicall=true on NixOS by @mihalicyn in https://github.com/lxc/lxc/pull/4459
  • Reduce logging for newuidmap/newgidmap by @stgraber in https://github.com/lxc/lxc/pull/4463
  • Exit 0 when there's no error by @Jip-Hop in https://github.com/lxc/lxc/pull/4462
  • doc: Fix definitions of get_config_path and set_config_path by @stgraber in https://github.com/lxc/lxc/pull/4472
  • README: Update security contact by @stgraber in https://github.com/lxc/lxc/pull/4475
  • fix possible clang compile error on AARCH by @yuncang123 in https://github.com/lxc/lxc/pull/4481
  • Add support for PuzzleFS images in the oci template by @ariel-miculas in https://github.com/lxc/lxc/pull/4483
  • meson.build: add -ffat-lto-objects by @hallyn in https://github.com/lxc/lxc/pull/4482
  • create_run_template: don't use txtuid and txtguid out of scope by @hallyn in https://github.com/lxc/lxc/pull/4487
  • Avoid null pointer dereference when using shared rootfs by @sgalgano in https://github.com/lxc/lxc/pull/4488
  • meson: fix minor typo by @tttuuu888 in https://github.com/lxc/lxc/pull/4493
  • lxc-net: Replace random IPv6 subnet by @stgraber in https://github.com/lxc/lxc/pull/4495
  • network config of unprivileged containers is not shown by @ElJeffe in https://github.com/lxc/lxc/pull/4497
  • init.lxc: Tweak signal handling by @stgraber in https://github.com/lxc/lxc/pull/4503
  • fix return code of recursive all of cgroup_tree_prune by @gjaekel in https://github.com/lxc/lxc/pull/4491
  • Github Actions improvements by @stgraber in https://github.com/lxc/lxc/pull/4506
  • LXC attach should exit on SIGCHLD by @asainkujovic in https://github.com/lxc/lxc/pull/4509
  • confile-vlanid: undefined is not a zero value by @asainkujovic in https://github.com/lxc/lxc/pull/4510
  • dbus: replace hardcoded dbus address with environment variable by @sdanailo-42 in https://github.com/lxc/lxc/pull/4511
  • conf: useful logging for capabilities by @sdanailo-42 in https://github.com/lxc/lxc/pull/4512
  • lxc/attach: Revert "- LXC attach should exit on SIGCHLD" by @mihalicyn in https://github.com/lxc/lxc/pull/4517
  • config-bcast: fix incorrect broadcast address calculation by @irnes in https://github.com/lxc/lxc/pull/4523
  • github: Switch to native arm64 runners by @stgraber in https://github.com/lxc/lxc/pull/4524
  • Added LXC_IPV6_ENABLE option for lxc-net to enable or disable IPv6 by @mathiasaerts in https://github.com/lxc/lxc/pull/4521
  • sysconfig/lxc: remove false comment by @Managor in https://github.com/lxc/lxc/pull/4527
  • Switch to new MAC address prefix by @stgraber in https://github.com/lxc/lxc/pull/4530
  • github: Add packaging workflow by @stgraber in https://github.com/lxc/lxc/pull/4532
  • A bunch of small fixes by @mihalicyn in https://github.com/lxc/lxc/pull/4533
  • lxc/start: do prctl(PR_SET_DUMPABLE) after last uid/gid switch by @mihalicyn in https://github.com/lxc/lxc/pull/4535
  • start: Re-introduce first SET_DUMPABLE call by @stgraber in https://github.com/lxc/lxc/pull/4536
  • Remove bionic/android support by @stgraber in https://github.com/lxc/lxc/pull/4537
  • meson_options.txt: don't use str when defining bool default values by @simondeziel in https://github.com/lxc/lxc/pull/4540
  • selinux: fix typo (AppArmor) by @hallyn in https://github.com/lxc/lxc/pull/4543
  • lxc/conf,start: fix setting container_ttys environment variable by @RomanGenexis in https://github.com/lxc/lxc/pull/4544
  • delay assumption of apparmor labels by @ianmerin in https://github.com/lxc/lxc/pull/4539
  • meson.build: remove quirk for Ubuntu 14.04 libcap-dev by @simondeziel in https://github.com/lxc/lxc/pull/4548
  • re-enable some tests by @mihalicyn in https://github.com/lxc/lxc/pull/4549
  • conf: Add support for "move" mount flag by @stgraber in https://github.com/lxc/lxc/pull/4550
  • Mount options (lxc.mount.entry) handling improvements by @mihalicyn in https://github.com/lxc/lxc/pull/4547
  • src/tests/oss-fuzz: pin meson to 1.7.2 to workaround build failures by @mihalicyn in https://github.com/lxc/lxc/pull/4552
  • Revert (delay assumption of apparmor labels) to fix a regression by @mihalicyn in https://github.com/lxc/lxc/pull/4554
  • Add loong64 to list of recognized architectures by @gibmat in https://github.com/lxc/lxc/pull/4555
  • meson.build: set LXC_DISTRO_SYSCONF when -Dspecfile=true by @RomanGenexis in https://github.com/lxc/lxc/pull/4557
  • meson.build: fix checks for fsconfig and calls by @DreamConnected in https://github.com/lxc/lxc/pull/4564
  • lxc/lxccontainer: stop printing misleading errors in enter_net_ns() by @mihalicyn in https://github.com/lxc/lxc/pull/4566
  • lxc/process_utils.h: use strsignal() or sys_siglist[] for Non-GNU dis… by @DreamConnected in https://github.com/lxc/lxc/pull/4565
  • A bunch of fixes (Jul 2025) by @mihalicyn in https://github.com/lxc/lxc/pull/4567
  • build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in https://github.com/lxc/lxc/pull/4571
  • README: update links by @kadinsayani in https://github.com/lxc/lxc/pull/4578
  • Implement initial protection of LXC monitor using Landlock by @stgraber in https://github.com/lxc/lxc/pull/4579
  • conf: split lxc.environment into runtime and hooks by @Filiprogrammer in https://github.com/lxc/lxc/pull/4582
  • Enable systemd to create /var/lib/lxc at runtime with StateDirectory by @vishwasudupa in https://github.com/lxc/lxc/pull/4583
  • doc: add lxc.environment.{runtime,hooks} in Japanese man page by @tenforward in https://github.com/lxc/lxc/pull/4584
  • Standardize log file create mode to 0640 by @rsyring in https://github.com/lxc/lxc/pull/4589
  • lxccontainer: check if target exists before remove in create_mount_target() by @kadinsayani in https://github.com/lxc/lxc/pull/4581
  • Automatically detect compression format in the lxc-local template by @stribika in https://github.com/lxc/lxc/pull/4590
  • start: Only include linux/landlock.h when landlock is enabled by @stgraber in https://github.com/lxc/lxc/pull/4592
  • github: Drop focal source packages by @stgraber in https://github.com/lxc/lxc/pull/4595
  • add MFD_NOEXEC_SEAL or MFD_EXEC by default if it's available by @DreamConnected in https://github.com/lxc/lxc/pull/4569
  • builds workflow: make .orig.tar.gz unique per build by @hallyn in https://github.com/lxc/lxc/pull/4596
  • build(deps): bump actions/upload-artifact from 4 to 5 by @dependabot[bot] in https://github.com/lxc/lxc/pull/4599
  • Fix meson build generation of apparmor container-base by @gibmat in https://github.com/lxc/lxc/pull/4598
  • Update lxc.spec.in to use meson by @arrowd in https://github.com/lxc/lxc/pull/4602
  • apparmor: skip /proc and /sys restrictions if nesting is enabled by @ThomasLamprecht in https://github.com/lxc/lxc/pull/4609
  • build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in https://github.com/lxc/lxc/pull/4610
  • build: Check if P_PIDFD is defined by @jaeyoonjung in https://github.com/lxc/lxc/pull/4614
  • Ensure do_lxcapi_unfreeze returns false when getstate errors by @FernandoPicazo in https://github.com/lxc/lxc/pull/4601
  • Fix "initializer-string for character array is too long, array size is 16 but initializer has size 17" compile error with clang 21 by @James-Featherston in https://github.com/lxc/lxc/pull/4617
  • checkconfig: fix compatibility with toybox/gunzip by @yangh in https://github.com/lxc/lxc/pull/4618
  • Fallback to XDG_RUNTIME_DIR when /run not found by @yangh in https://github.com/lxc/lxc/pull/4620
  • Add checks for "lxc-net fails when kernel has no IPv6" by @James-Featherston in https://github.com/lxc/lxc/pull/4621
  • added "--rbduser" option in "lxc-create -B rbd" by @Rahik-Sikder in https://github.com/lxc/lxc/pull/4622
  • build(deps): bump actions/upload-artifact from 5 to 6 by @dependabot[bot] in https://github.com/lxc/lxc/pull/4625
  • Add Meson option for enabling API documentation generation with Doxygen by @chackoj-1204 in https://github.com/lxc/lxc/pull/4615
  • Fix "lxc-copy with overlayfs throws an error" by @James-Featherston in https://github.com/lxc/lxc/pull/4624
  • Do not ignore lxc.init.groups when using userns by @Filiprogrammer in https://github.com/lxc/lxc/pull/4626
  • Added documentation on unprivileged LXC containers by @chackoj-1204 in https://github.com/lxc/lxc/pull/4616
  • cgfsng: fix reboots when using dbus by @hallyn in https://github.com/lxc/lxc/pull/4628
  • Improve the dbus scope creation error handling by @hallyn in https://github.com/lxc/lxc/pull/4629
  • Improve build flow in https://github.com/lxc/lxc/pull/4574
  • github: test io_uring-based event loop by @mihalicyn in https://github.com/lxc/lxc/pull/4631
  • lxc-attach: fix data corruption during heavy IO on PTS by @mihalicyn in https://github.com/lxc/lxc/pull/4633
  • src/confile: fix values of lxc.cap.keep and lxc.cap.drop by @DreamConnected in https://github.com/lxc/lxc/pull/4634
  • lxc: added support OpenRC init system by @GermanAizek in https://github.com/lxc/lxc/pull/4636
  • meson.build: fix openat2 include typo, fix with glibc-2.43 +FORTIFY by @juippis in https://github.com/lxc/lxc/pull/4642
  • meson.build: fix open_how include with glibc-2.43+ by @DreamConnected in https://github.com/lxc/lxc/pull/4645
  • lxc/network: save/restore physical network interfaces altnames by @mihalicyn in https://github.com/lxc/lxc/pull/4649
  • lxc/network: define netlink uAPI constants for link properties by @mihalicyn in https://github.com/lxc/lxc/pull/4650
  • cmd/lxc-user-nic: prevent OOB read in name_is_in_groupnames by @mihalicyn in https://github.com/lxc/lxc/pull/4651
  • Update Japanese man pages by @tenforward in https://github.com/lxc/lxc/pull/4653
  • build(deps): bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in https://github.com/lxc/lxc/pull/4654
  • utils: Add quotes around exec arguments by @stgraber in https://github.com/lxc/lxc/pull/4659
  • utils: Update buffer size to account for quotes by @stgraber in https://github.com/lxc/lxc/pull/4660
  • Fix issue where pidfd_ functions were not being detected during meson… by @alex14641 in https://github.com/lxc/lxc/pull/4658
  • Fix issue where memfd functions were not being detected during meson setup. by @alex14641 in https://github.com/lxc/lxc/pull/4665
  • tests: mount_injection: ensure cleanup on test failure by @akash-hadke in https://github.com/lxc/lxc/pull/4639
  • Fix issue where lxc-start takes a long time to start up on a cgroup v2 system without systemd. by @alex14641 in https://github.com/lxc/lxc/pull/4666
  • [nesting] Extend mount permissions in apparmor to allow systemd servi… by @P-EB in https://github.com/lxc/lxc/pull/4668
  • remove cgroup1 support by @mihalicyn in https://github.com/lxc/lxc/pull/4671
  • assume CLONE_PIDFD, clone3, new mount api are supported by @mihalicyn in https://github.com/lxc/lxc/pull/4672
  • apparmor: allow nosymfollow remounts by @mihalicyn in https://github.com/lxc/lxc/pull/4466
  • lsm/apparmor: allow binfmt_misc RW mounts by @mihalicyn in https://github.com/lxc/lxc/pull/4673
  • tests/lxc-test-lxc-attach: Increase sleep time by @gibmat in https://github.com/lxc/lxc/pull/4674
  • Don't leak an open fd by @hallyn in https://github.com/lxc/lxc/pull/4677
  • lvm.c: make sure tp gets freed by @hallyn in https://github.com/lxc/lxc/pull/4676
  • Fix security issue with lxc-user-nic and OpenVswitch networks by @stgraber in https://github.com/lxc/lxc/pull/4678

New Contributors

  • @MMFuba made their first contribution in https://github.com/lxc/lxc/pull/4442
  • @Jip-Hop made their first contribution in https://github.com/lxc/lxc/pull/4462
  • @yuncang123 made their first contribution in https://github.com/lxc/lxc/pull/4481
  • @sgalgano made their first contribution in https://github.com/lxc/lxc/pull/4488
  • @tttuuu888 made their first contribution in https://github.com/lxc/lxc/pull/4493
  • @asainkujovic made their first contribution in https://github.com/lxc/lxc/pull/4509
  • @sdanailo-42 made their first contribution in https://github.com/lxc/lxc/pull/4511
  • @irnes made their first contribution in https://github.com/lxc/lxc/pull/4523
  • @mathiasaerts made their first contribution in https://github.com/lxc/lxc/pull/4521
  • @Managor made their first contribution in https://github.com/lxc/lxc/pull/4527
  • @RomanGenexis made their first contribution in https://github.com/lxc/lxc/pull/4544
  • @ianmerin made their first contribution in https://github.com/lxc/lxc/pull/4539
  • @DreamConnected made their first contribution in https://github.com/lxc/lxc/pull/4564
  • @kadinsayani made their first contribution in https://github.com/lxc/lxc/pull/4578
  • @Filiprogrammer made their first contribution in https://github.com/lxc/lxc/pull/4582
  • @vishwasudupa made their first contribution in https://github.com/lxc/lxc/pull/4583
  • @rsyring made their first contribution in https://github.com/lxc/lxc/pull/4589
  • @stribika made their first contribution in https://github.com/lxc/lxc/pull/4590
  • @arrowd made their first contribution in https://github.com/lxc/lxc/pull/4602
  • @jaeyoonjung made their first contribution in https://github.com/lxc/lxc/pull/4614
  • @FernandoPicazo made their first contribution in https://github.com/lxc/lxc/pull/4601
  • @James-Featherston made their first contribution in https://github.com/lxc/lxc/pull/4617
  • @yangh made their first contribution in https://github.com/lxc/lxc/pull/4618
  • @Rahik-Sikder made their first contribution in https://github.com/lxc/lxc/pull/4622
  • @chackoj-1204 made their first contribution in https://github.com/lxc/lxc/pull/4615
  • @GermanAizek made their first contribution in https://github.com/lxc/lxc/pull/4636
  • @juippis made their first contribution in https://github.com/lxc/lxc/pull/4642
  • @alex14641 made their first contribution in https://github.com/lxc/lxc/pull/4658
  • @akash-hadke made their first contribution in https://github.com/lxc/lxc/pull/4639

Full Changelog: https://github.com/lxc/lxc/compare/v6.0.0...v7.0.0

Breaking Changes

  • Cgroup1 support removed
  • Bionic/android support removed
  • Assumes kernel support for CLONE_PIDFD, clone3, and new mount API

Security Fixes

  • Out-of-bounds read in lxc-user-nic (name_is_in_groupnames)
  • Security issue with lxc-user-nic and OpenVswitch networks
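
As an added example (not part of this release page and not LXC's own code), a POSIX shell preflight that a deployment reviewer can run before moving to 7.0: it checks the kernel against the CLONE_PIDFD/clone3/new mount API requirement, confirms the host is on pure cgroup v2 now that cgroup1 support is gone, and lists which users /etc/lxc/lxc-usernet lets drive the setuid lxc-user-nic helper that both security fixes above touch. The 5.3 kernel threshold, the candidate lxc-user-nic install paths and the sample inputs are this example's own assumptions, not statements from the release notes.

```shell
#!/bin/sh
# LXC 7.0 preflight (illustrative script, not LXC project code):
#  1. kernel new enough for CLONE_PIDFD, clone3 and the new mount API
#  2. host running pure cgroup v2 (cgroup1 support was removed in 7.0)
#  3. who lxc-usernet lets reach the setuid lxc-user-nic helper
# Assumption: Linux 5.3 is the first release with all three kernel features
# (CLONE_PIDFD and the new mount API appeared in 5.2, clone3 in 5.3).
LXC7_MIN_KERNEL="5.3"

# kernel_at_least MIN VERSION: succeeds when VERSION (e.g. "6.8.0-45-generic")
# is >= MIN, comparing major.minor only.
kernel_at_least() {
    min_major=${1%%.*}
    min_rest=${1#*.}
    min_minor=${min_rest%%.*}
    ver=${2%%-*}                      # drop "-45-generic" style suffixes
    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then minor=0; else minor=${rest%%.*}; fi
    [ "$major" -gt "$min_major" ] 2>/dev/null && return 0
    [ "$major" -eq "$min_major" ] 2>/dev/null && [ "$minor" -ge "$min_minor" ]
}

# cgroup_mode MOUNTS_TEXT: prints v2, v1, hybrid or none from /proc/self/mounts
# style lines ("dev mountpoint fstype options 0 0").
cgroup_mode() {
    printf '%s\n' "$1" | awk '
        $3 == "cgroup2" { v2 = 1 }
        $3 == "cgroup"  { v1 = 1 }
        END {
            if (v2 && !v1)      print "v2"
            else if (v1 && !v2) print "v1"
            else if (v1 && v2)  print "hybrid"
            else                print "none"
        }'
}

# usernet_grants USERNET_TEXT BRIDGE: one "user type count" line per
# lxc-usernet entry granting interfaces on BRIDGE; comments/blank lines skipped.
usernet_grants() {
    printf '%s\n' "$1" | awk -v br="$2" '
        /^[[:space:]]*(#|$)/ { next }
        NF >= 4 && $3 == br  { print $1, $2, $4 }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_MOUNTS_V2='cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_MOUNTS_HYBRID='tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0'
SAMPLE_USERNET='# user     type   bridge  count
alice      veth   lxcbr0  10
@lxcusers  veth   lxcbr0  2
bob        veth   ovsbr0  1'

# Live run against this host (set LXC7_CHECK_LIVE=1). The install paths
# below are assumed common locations for the setuid helper.
lxc7_check_live() {
    status=0
    k=$(uname -r)
    if kernel_at_least "$LXC7_MIN_KERNEL" "$k"; then
        echo "ok    kernel $k"
    else
        echo "FAIL  kernel $k is older than $LXC7_MIN_KERNEL"; status=1
    fi
    mode=$(cgroup_mode "$(cat /proc/self/mounts)")
    if [ "$mode" = "v2" ]; then
        echo "ok    cgroup v2"
    else
        echo "FAIL  cgroup mode is $mode; 7.0 needs pure v2"; status=1
    fi
    for p in /usr/libexec/lxc/lxc-user-nic /usr/lib/lxc/lxc-user-nic \
             /usr/lib/*/lxc/lxc-user-nic; do
        [ -u "$p" ] && echo "note  setuid helper present: $p"
    done
    if [ -r /etc/lxc/lxc-usernet ]; then
        echo "note  lxc-usernet grants (bridge: user type count):"
        awk '!/^[[:space:]]*(#|$)/ && NF >= 4 { print "      " $3 ": " $1, $2, $4 }' \
            /etc/lxc/lxc-usernet
    fi
    return $status
}
if [ "${LXC7_CHECK_LIVE:-0}" = 1 ]; then lxc7_check_live; fi
```

Every entry printed from lxc-usernet is an unprivileged principal that can invoke lxc-user-nic with its setuid privileges, so that list, together with the helper's presence, is the exposure to weigh when deciding how urgently to pick up the two fixes; a hybrid cgroup host shows as `hybrid` and fails the check because 7.0 only drives cgroup2.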


About LXC

LXC - Linux Containers

