Is there a security changelog for Canonical snap packages?

With the deb update information, you're halfway there.

  1. Since LXD is distributed as a snap, you should always be running the latest version for your channel automatically. In this example, LXD 4.0.7 is in the stable channel, and installed on a 20.04 server:

    $ snap list lxd
    Name  Version  Rev    Tracking      Publisher   Notes
    lxd   4.0.7    21029  4.0/stable/…  canonical✓  -
    
  2. Next, let's head over to https://launchpad.net/lxd/+snaps and find that stable version...


    ...aha. Here it is: https://launchpad.net/~ubuntu-lxc/+snap/lxd-4.0-candidate . You can see the build date (which is after the CVE, good) and a link to the build log for each architecture.


  3. Let's take a closer look at that build log. This particular snap is built, under the hood, from debs! Let's zero in on the exact deb package used for the build.

    • The URL for the buildlog is https://launchpadlibrarian.net/549848217/buildlog_snap_ubuntu_bionic_arm64_lxd-4.0-candidate_BUILDING.txt.gz . The word '_bionic_' in there shows us that the LXD snap is built from 18.04 (Bionic) packages; that it's running on a 20.04 system isn't relevant.

    • A quick grep gives us the actual dnsmasq deb package used: `Get:1 dnsmasq-base_2.79-1ubuntu0.4_amd64.deb [279 kB]`

    (Wait a second... It's the dnsmasq-base package instead of the dnsmasq package. No dnsmasq package suggests that the CVE may or may not apply after all. However, let's overlook that and keep going for the final step.)

  4. Finally, let's look at the Ubuntu Security Team CVE tracker to make sure that the package is properly fixed. Were the LXD snap using dnsmasq instead of dnsmasq-base, you could see that the build used a properly patched version (highlighted).

    • Remember that we're looking for the 18.04 (Bionic) package, since that's what was used to build the Snap.

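Steps 3 and 4 of the answer above can be scripted once you have the build log and the fixed version from the CVE tracker in hand. The following is an added example, not code from the answer or from the LXD project: it pulls the `Get:N name_version_arch.deb` lines out of a build log, then compares each version against a "fixed in" version using the same ordering rules dpkg uses (`~` sorts before everything, digit runs compare numerically, epoch and Debian revision are handled separately). The build-log excerpt and the fixed-version table are constructed for the example; the only real value in them is the `dnsmasq-base 2.79-1ubuntu0.4` line quoted in the answer, and the `FIXED_VERSIONS` entries are placeholders, not real CVE tracker data.

```python
"""Audit the .deb packages pulled into a Launchpad snap build against the
versions a CVE tracker reports as fixed. Added example; not from the answer
or the LXD project. Sample log and fixed versions are constructed."""
import re
from urllib.parse import unquote

# Constructed excerpt in the style of a snap build log's apt output. Only the
# dnsmasq-base line mirrors the real value quoted in the answer.
SAMPLE_BUILDLOG = """\
Reading package lists...
Get:1 dnsmasq-base_2.79-1ubuntu0.4_amd64.deb [279 kB]
Get:2 http://ftpmaster.internal/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1-1ubuntu2.1~18.04.9_amd64.deb [1300 kB]
Get:3 libuv1_1%3a1.18.0-3_amd64.deb [64.4 kB]
Fetched 1643 kB in 0s
"""

# Placeholder "fixed in" versions, as you would copy them from the Ubuntu CVE
# tracker for the release the snap is built from (Bionic here). NOT real data.
FIXED_VERSIONS = {
    "dnsmasq-base": "2.79-1ubuntu0.4",
    "dnsmasq": "2.79-1ubuntu0.4",
    "libssl1.1": "1.1.1-1ubuntu2.1~18.04.13",
}

# name_version_arch.deb, optionally preceded by a URL or path.
DEB_RE = re.compile(r"^Get:\d+\s+(?:\S*/)?([^\s_/]+)_([^\s_/]+)_([^\s_/.]+)\.deb")


def parse_debs(buildlog: str) -> dict:
    """Map package name -> (version, arch) for every .deb the build fetched."""
    found = {}
    for line in buildlog.splitlines():
        m = DEB_RE.match(line)
        if m:
            name, version, arch = m.groups()
            found[name] = (unquote(version), arch)  # %3a -> ':' for epochs
    return found


def _order(c: str) -> int:
    """dpkg character weight: '~' before everything, digits/end of string 0,
    letters by code point, other punctuation after all letters."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version component (upstream or revision) like dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with dpkg weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, longer run wins, else first difference.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-") if "-" in version else (version, "", "")
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 for v1 <, ==, > v2 under Debian version ordering."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def audit(buildlog: str, fixed_versions: dict) -> dict:
    """For each package of interest: 'fixed', 'vulnerable' or 'not-in-build'."""
    debs = parse_debs(buildlog)
    verdict = {}
    for pkg, fixed in fixed_versions.items():
        if pkg not in debs:
            verdict[pkg] = "not-in-build"
        elif compare_versions(debs[pkg][0], fixed) >= 0:
            verdict[pkg] = "fixed"
        else:
            verdict[pkg] = "vulnerable"
    return verdict


if __name__ == "__main__":
    for pkg, state in audit(SAMPLE_BUILDLOG, FIXED_VERSIONS).items():
        print(f"{pkg:14} {state}")
```

Note the `not-in-build` verdict for `dnsmasq`: that is exactly the situation the answer points out, where the snap ships `dnsmasq-base` rather than `dnsmasq`, so the CVE tracker row you need to read is the one for the binary package the build actually fetched, and for the release in the build log's file name (bionic), not the release of the host running the snap.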