Ubuntu
snapd package

[SRU] 2.48.2

Bug #1906690 reported by Michael Vogt
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
snapd (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

placeholder

CVE References

Michael Vogt (mvo)
summary: - [SRU] 2.48.1
+ [SRU] 2.48.2
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.48.3+20.10

---------------
snapd (2.48.3+20.10) groovy-security; urgency=medium

  * SECURITY UPDATE: sandbox escape vulnerability for containers
    (LP: #1910456)
    - many: add Delegate=true to generated systemd units for special
      interfaces
    - interfaces/greengrass-support: back-port interface changes to
      2.48
    - CVE-2020-27352
  * interfaces/builtin/docker-support: allow /run/containerd/s/...
    - This is a new path that docker 19.03.14 (with a new version of
      containerd) uses to avoid containerd CVE issues around the unix
      socket. See also CVE-2020-15257.

snapd (2.48.2) xenial; urgency=medium

  * New upstream release, LP: #1906690
    - tests: sign new nested-18|20* models to allow for generic serials
    - secboot: add extra paranoia when waiting for that fde-reveal-key
    - tests: backport netplan workarounds from #9785
    - secboot: add workaround for snapcore/core-initrd issue #13
    - devicestate: log checkEncryption errors via logger.Noticef
    - tests: add nested spread end-to-end test for fde-hooks
    - devicestate: implement checkFDEFeatures()
    - boot: tweak resealing with fde-setup hooks
    - sysconfig/cloudinit.go: add "manual_cache_clean: true" to cloud-
      init restrict file
    - secboot: add new LockSealedKeys() that uses either TPM or
      fde-reveal-key
    - gadget: use "sealed-keys" to determine what method to use for
      reseal
    - boot: add sealKeyToModeenvUsingFdeSetupHook()
    - secboot: use `fde-reveal-key` if available to unseal key
    - cmd/snap-update-ns: fix sorting of overname mount entries wrt
      other entries
    - o/devicestate: save model with serial in the device save db
    - devicestate: add runFDESetupHook() helper
    - secboot,devicestate: add scaffoling for "fde-reveal-key" support
    - hookstate: add new HookManager.EphemeralRunHook()
    - update-pot: fix typo in plural keyword spec
    - store,cmd/snap-repair: increase initial expontential time
      intervals
    - o/devicestate,daemon: fix reboot system action to not require a
      system label
    - github: run nested suite when commit is pushed to release branch
    - tests: reset fakestore unit status
    - tests: fix uc20-create-parition-* tests for updated gadget
    - hookstate: implement snapctl fde-setup-{request,result}
    - devicestate: make checkEncryption fde-setup hook aware
    - client,snapctl: add naive support for "stdin"
    - devicestate: support "storage-safety" defaults during install
    - snap: use the boot-base for kernel hooks
    - vendor: update secboot repo to avoid including secboot.test binary

snapd (2.48.1) xenial; urgency=medium

  * New upstream release, LP: #1906690
    - gadget: disable ubuntu-boot role validation check

 -- Michael Vogt <email address hidden> Tue, 02 Feb 2021 09:21:12 +0100

Changed in snapd (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.48.3+20.04

---------------
snapd (2.48.3+20.04) focal-security; urgency=medium

  * SECURITY UPDATE: sandbox escape vulnerability for containers
    (LP: #1910456)
    - many: add Delegate=true to generated systemd units for special
      interfaces
    - interfaces/greengrass-support: back-port interface changes to
      2.48
    - CVE-2020-27352
  * interfaces/builtin/docker-support: allow /run/containerd/s/...
    - This is a new path that docker 19.03.14 (with a new version of
      containerd) uses to avoid containerd CVE issues around the unix
      socket. See also CVE-2020-15257.

snapd (2.48.2) xenial; urgency=medium

  * New upstream release, LP: #1906690
    - tests: sign new nested-18|20* models to allow for generic serials
    - secboot: add extra paranoia when waiting for that fde-reveal-key
    - tests: backport netplan workarounds from #9785
    - secboot: add workaround for snapcore/core-initrd issue #13
    - devicestate: log checkEncryption errors via logger.Noticef
    - tests: add nested spread end-to-end test for fde-hooks
    - devicestate: implement checkFDEFeatures()
    - boot: tweak resealing with fde-setup hooks
    - sysconfig/cloudinit.go: add "manual_cache_clean: true" to cloud-
      init restrict file
    - secboot: add new LockSealedKeys() that uses either TPM or
      fde-reveal-key
    - gadget: use "sealed-keys" to determine what method to use for
      reseal
    - boot: add sealKeyToModeenvUsingFdeSetupHook()
    - secboot: use `fde-reveal-key` if available to unseal key
    - cmd/snap-update-ns: fix sorting of overname mount entries wrt
      other entries
    - o/devicestate: save model with serial in the device save db
    - devicestate: add runFDESetupHook() helper
    - secboot,devicestate: add scaffoling for "fde-reveal-key" support
    - hookstate: add new HookManager.EphemeralRunHook()
    - update-pot: fix typo in plural keyword spec
    - store,cmd/snap-repair: increase initial expontential time
      intervals
    - o/devicestate,daemon: fix reboot system action to not require a
      system label
    - github: run nested suite when commit is pushed to release branch
    - tests: reset fakestore unit status
    - tests: fix uc20-create-parition-* tests for updated gadget
    - hookstate: implement snapctl fde-setup-{request,result}
    - devicestate: make checkEncryption fde-setup hook aware
    - client,snapctl: add naive support for "stdin"
    - devicestate: support "storage-safety" defaults during install
    - snap: use the boot-base for kernel hooks
    - vendor: update secboot repo to avoid including secboot.test binary

snapd (2.48.1) xenial; urgency=medium

  * New upstream release, LP: #1906690
    - gadget: disable ubuntu-boot role validation check

 -- Michael Vogt <email address hidden> Tue, 02 Feb 2021 09:21:12 +0100

Changed in snapd (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.48.3+18.04

---------------
snapd (2.48.3+18.04) bionic-security; urgency=medium

  * SECURITY UPDATE: sandbox escape vulnerability for containers
    (LP: #1910456)
    - many: add Delegate=true to generated systemd units for special
      interfaces
    - interfaces/greengrass-support: back-port interface changes to
      2.48
    - CVE-2020-27352
  * interfaces/builtin/docker-support: allow /run/containerd/s/...
    - This is a new path that docker 19.03.14 (with a new version of
      containerd) uses to avoid containerd CVE issues around the unix
      socket. See also CVE-2020-15257.

snapd (2.48.2) xenial; urgency=medium

  * New upstream release, LP: #1906690
    - tests: sign new nested-18|20* models to allow for generic serials
    - secboot: add extra paranoia when waiting for that fde-reveal-key
    - tests: backport netplan workarounds from #9785
    - secboot: add workaround for snapcore/core-initrd issue #13
    - devicestate: log checkEncryption errors via logger.Noticef
    - tests: add nested spread end-to-end test for fde-hooks
    - devicestate: implement checkFDEFeatures()
    - boot: tweak resealing with fde-setup hooks
    - sysconfig/cloudinit.go: add "manual_cache_clean: true" to cloud-
      init restrict file
    - secboot: add new LockSealedKeys() that uses either TPM or
      fde-reveal-key
    - gadget: use "sealed-keys" to determine what method to use for
      reseal
    - boot: add sealKeyToModeenvUsingFdeSetupHook()
    - secboot: use `fde-reveal-key` if available to unseal key
    - cmd/snap-update-ns: fix sorting of overname mount entries wrt
      other entries
    - o/devicestate: save model with serial in the device save db
    - devicestate: add runFDESetupHook() helper
    - secboot,devicestate: add scaffoling for "fde-reveal-key" support
    - hookstate: add new HookManager.EphemeralRunHook()
    - update-pot: fix typo in plural keyword spec
    - store,cmd/snap-repair: increase initial expontential time
      intervals
    - o/devicestate,daemon: fix reboot system action to not require a
      system label
    - github: run nested suite when commit is pushed to release branch
    - tests: reset fakestore unit status
    - tests: fix uc20-create-parition-* tests for updated gadget
    - hookstate: implement snapctl fde-setup-{request,result}
    - devicestate: make checkEncryption fde-setup hook aware
    - client,snapctl: add naive support for "stdin"
    - devicestate: support "storage-safety" defaults during install
    - snap: use the boot-base for kernel hooks
    - vendor: update secboot repo to avoid including secboot.test binary

snapd (2.48.1) xenial; urgency=medium

  * New upstream release, LP: #1906690
    - gadget: disable ubuntu-boot role validation check

 -- Michael Vogt <email address hidden> Tue, 02 Feb 2021 09:21:12 +0100

Changed in snapd (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.