Is there a security changelog for Canonical snap packages?

Falk

1/10/23, 10:27 AM

Lets take CVE-2021-3448 as an example.

It's easy to see when the deb package got the backported fix, and what package is installed on the server.

But the same package in a snap:

/snap/lxd/21468/bin/dnsmasq --version
Dnsmasq version 2.80 .....

snap list
lxd     4.18      21468  latest/stable/…  canonical✓  -

Do you know if there is a way to see if that CVE is backported to 2.80 in the Canonical lxd snap somewhere?
Perhaps I am missing some really easy way to get this information.

186

0 + 0

security

canonical

snap

Score:9

Ubuntu

user535733

1/10/23, 1:25 PM

With the deb update information, you're halfway there.

Since LXD is distributed as a snap, you should always be running the latest version for your channel automatically. In this example, LXD 4.0.7 is in the stable channel, and installed on a 20.04 server:
```
$ snap list lxd
Name  Version  Rev    Tracking      Publisher   Notes
lxd   4.0.7    21029  4.0/stable/…  canonical✓  -
```
Next, let's head over to https://launchpad.net/lxd/+snaps and find that stable version...

...aha. Here it is: https://launchpad.net/~ubuntu-lxc/+snap/lxd-4.0-candidate . You can see the build date --which is after the CVE (good)-- and a link to the build log for each architecture.
Let's take a closer look at that build log. This particular snap is built, under the hood, from debs! Let's zero in on the exact deb package used for the build.
- The URL for the buildlog is https://launchpadlibrarian.net/549848217/buildlog_snap_ubuntu_bionic_arm64_lxd-4.0-candidate_BUILDING.txt.gz . The word '_bionic_' in there shows us that the LXD snap is built from 18.04 (Bionic) packages; that it's running on a 20.04 system isn't relevant.
- A quick grep gives us the actual dnsmasq deb package used: Get:1 dnsmasq-base_2.79-1ubuntu0.4_amd64.deb [279 kB]
(Wait a second....It's the dnsmasq-base package instead of the dnsmasq package. No dnsmasq package suggests that the CVE may-or-may-not apply after all. However, let's overlook that and keep going for the final step)
Finally, let's look at the Ubuntu Security Team CVE tracker to make sure that the package is properly fixed. Were the LXD snap using dnsmasq instead of dnsmasq-base, you can see that the build used a properly patched version (highlighted).
- Remember that we're looking for the 18.04 (Bionic) package, since that's what was used to build the Snap.

0 + 0

Rinzwind

1/10/23, 2:18 PM

May you get many upvotes :) 2 thumbs up

Falk

1/10/23, 3:16 PM

Marked as a correct answer. A huge thanks for your time!

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Is there a security changelog for Canonical snap packages?

TH: มีบันทึกการเปลี่ยนแปลงด้านความปลอดภัยสำหรับแพ็คเกจ Canonical snap หรือไม่

RO: Există un jurnal de modificări de securitate pentru pachetele snap Canonical?

RU: Есть ли журнал изменений безопасности для пакетов Canonical Snap?

VI: Có nhật ký thay đổi bảo mật cho các gói chụp Canonical không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.