Is there a security changelog for Canonical snap packages?
With the deb update information, you're halfway there.
Since LXD is distributed as a snap, you should always be running the latest version for your channel automatically. In this example, LXD 4.0.7 is in the stable channel, and installed on a 20.04 server:

    $ snap list lxd
    Name  Version  Rev    Tracking      Publisher   Notes
    lxd   4.0.7    21029  4.0/stable/…  canonical✓  -

Next, let's head over to https://launchpad.net/lxd/+snaps and find that stable version...
...aha. Here it is: https://launchpad.net/~ubuntu-lxc/+snap/lxd-4.0-candidate . You can see the build date --which is after the CVE (good)-- and a link to the build log for each architecture.

Let's take a closer look at that build log. This particular snap is built, under the hood, from debs! Let's zero in on the exact deb package used for the build.

The URL for the buildlog is https://launchpadlibrarian.net/549848217/buildlog_snap_ubuntu_bionic_arm64_lxd-4.0-candidate_BUILDING.txt.gz . The word '_bionic_' in there shows us that the LXD snap is built from 18.04 (Bionic) packages; that it's running on a 20.04 system isn't relevant.

A quick grep gives us the actual dnsmasq deb package used:

    Get:1 dnsmasq-base_2.79-1ubuntu0.4_amd64.deb [279 kB]

(Wait a second... It's the dnsmasq-base package instead of the dnsmasq package. No dnsmasq package suggests that the CVE may-or-may-not apply after all. However, let's overlook that and keep going for the final step.)

Finally, let's look at the Ubuntu Security Team CVE tracker to make sure that the package is properly fixed. Were the LXD snap using dnsmasq instead of dnsmasq-base, you can see that the build used a properly patched version (highlighted).

Remember that we're looking for the 18.04 (Bionic) package, since that's what was used to build the Snap.
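
The build-log steps in the answer above can be scripted. This is an added example, not part of the original answer: the function names are hypothetical and the sample log is constructed in the format of the quoted Get: line. The fixed version passed to is_patched has to be read from the CVE tracker entry for the build series.

```shell
#!/bin/sh
# Added example: helper names and the sample log are constructed for illustration.

# Ubuntu series a snap was built on, taken from the build log file name
# (buildlog_snap_ubuntu_<series>_<arch>_<recipe>_BUILDING.txt.gz).
series_from_buildlog_url() {
  basename "$1" | sed -n 's/^buildlog_snap_ubuntu_\([a-z]*\)_.*/\1/p'
}

# Read a decompressed build log on stdin and print "name version arch" for
# every fetched .deb whose package name is exactly $1. The exact match matters:
# asking for dnsmasq must not report dnsmasq-base.
debs_in_buildlog() {
  awk -v want="$1" '
    /^Get:[0-9]+ / {
      for (i = 2; i <= NF; i++) {
        if ($i !~ /\.deb$/) continue
        f = $i; sub(/^.*\//, "", f); sub(/\.deb$/, "", f)
        if (split(f, p, "_") == 3 && p[1] == want) print p[1], p[2], p[3]
      }
    }'
}

# True when the bundled version ($1) is at least the fixed version ($2) that
# the CVE tracker lists for the build series. Uses Debian version ordering,
# so it needs dpkg on the machine doing the check.
is_patched() {
  dpkg --compare-versions "$1" ge "$2"
}

# Constructed sample log; the first line is the one quoted in the answer.
sample_log() {
  cat <<'EOF'
Get:1 dnsmasq-base_2.79-1ubuntu0.4_amd64.deb [279 kB]
Get:2 dnsmasq-utils_2.79-1ubuntu0.4_amd64.deb [20 kB]
Fetched 299 kB in 0s
EOF
}
```

Against a real log, pipe the downloaded file through zcat into debs_in_buildlog with the package name from the CVE entry, then pass the printed version and the tracker's fixed version for that series to is_patched.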