Update to 19.03.15 #13
Conversation
|
Arg, @anonymouse64 looks like we need some new AppArmor adjustments for the containerd CVE mitigation... 😞 (That |
|
fun... I will file a PR to snapd then |
|
@tianon do you have a specific CVE I can reference in the commit message? |
|
Yes! That'd be CVE-2020-15257, documented in GHSA-36xw-fx78-c5r4. |
|
PR is at canonical/snapd#9764, after a little bit there will be a snapd snap you can download and install locally to test with this new version of the docker snap, could you validate that it fixes the issue? |
|
Yeah, absolutely - I should be able to hack it into the pipeline here to ensure it works in GitHub's pristine environment (my local environment doesn't seem to catch these issues reliably, which is part of why I set up GitHub Actions in the first place 😄). |
|
BTW, it would be really cool if there was an equivalent github action here which built the snap from a PR and made it available for download so you can easily test a PR locally if you wanted 😉 it's as simple as something like this: https://github.com/canonical/etrace/blob/master/.github/workflows/snap.yml |
Great idea - gonna rebase this on top of #14 once the current build test is finished. 👍 |
|
(moving back here to keep that snapd issue less noisy 😅) So, in the context of canonical/snapd#9764 (comment), if we put something like |
|
Yes but unfortunately there is already a snapd 2.48 that does not have the fix, we can only do |
tianon
force-pushed
the
19.03.14
branch
2 times, most recently
from
9521dc3
to
34d7faf
Compare
|
Hmm, what triggers (It seems |
|
Well, the apt version is 2.48.2+20.04, and the snapd version is 2.48.2, so the apt version "wins" since "+20.04" is higher than "". I'd recommend always installing the snapd snap to be sure you have the most up to date snapd. |
|
Well, this is on Xenial, so I think doesn't even have 2.48.2 (yet?). How common do you think this is going to be for users? In other words, how many users are likely to get broken if we move forward with this? 😬 😇 |
|
(I suppose the follow-up question is then whether we need to wait for 2.49+ so we can have a proper dependency relationship?) |
|
Well actually, as much as it saddens me to say this apparently we didn't
end up cherry-picking the associated snapd PR to release/2.48 branch
anyways so we need to either wait for a 2.48.3 (which may or may not
happen), or we need to wait for 2.49. How important is it that this docker
update is pushed through soon?
…On Wed, Jan 6, 2021 at 5:34 PM Tianon Gravi ***@***.***> wrote:
(I suppose the follow-up question is then whether we need to wait for
2.49+ so we can have a proper dependency relationship?)
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#13 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABN2OLLPMKLU2UL4RFTLDJTSYTXPNANCNFSM4URB5PQQ>
.
|
|
Well, this includes the mitigation for CVE-2020-15257 (GHSA-36xw-fx78-c5r4), which seems especially relevant for Snaps - they typically run with the host network namespace, right? |
|
Yes snaps run in the same network namespace as the host. I guess I leave it up to you how critical it is to fix this bug soon. |
tianon
force-pushed
the
19.03.14
branch
3 times, most recently
from
35835c8
to
66681bb
Compare
|
@tianon on an unrelated note I realized I was mistaken earlier, you can use |
tianon
force-pushed
the
19.03.14
branch
2 times, most recently
from
0301979
to
cb0b108
Compare
snap/snapcraft.yaml
Outdated
| @@ -33,7 +33,7 @@ grade: stable | |||
|
|
|||
| base: core18 | |||
| confinement: strict | |||
| assumes: [snapd2.40] | |||
| assumes: [snapd2.48.3] | |||
There was a problem hiding this comment.
Soooo, this is complicated. We need the latest snapd (which includes canonical/snapd#9764, necessary to make this bump even work), which in all the distro builds (https://packages.ubuntu.com/search?keywords=snapd) is 2.48.3 but in https://snapcraft.io/snapd is 2.48.2.1. 😬
I guess it's probably rare that someone is going to be updating docker but not updating snapd, so we're probably safe to just go with 2.48.2 for now?
There was a problem hiding this comment.
for the purposes of that pr, then yes assumes: [snapd2.48.2] is sufficient, snapd2.48.2.1 would be best, but that is currently broken (but will eventually be fixed by canonical/snapd#9923)
There was a problem hiding this comment.
oh wait sorry I forgot that pr didn't make it into 2.48.2, gosh this is all so confusing to keep track of
There was a problem hiding this comment.
well I can say for sure for sure that snapd2.49 will have that pr in it, 2.49 is in beta now and should move to candidate/stable within the next 2 weeks (2.49 was blocked by the CVE)
There was a problem hiding this comment.
and checking in on the upgrade situation, we still have a sizable ( more than 10% of total userbase ) install base of 2.48.2 on core/snapd snaps (across all devices, not necessarily docker snap users), so if we do include 2.48.2 in the assumes it's possible that folks are still on 2.48.2 and as such they won't be required to update snapd before installing docker.
at this point I'm feeling like since we pushed out something that triggered refreshes to deal with that CVE, we should just make this wait until 2.49 :-|
There was a problem hiding this comment.
Heh, nice! I'm honestly a little confused why all the suites of Ubuntu got 2.48.3 but the store got 2.48.2.1 which appears to be the same underlying version? I would've expected that to be the other way around (if anything), TBH.
I think the likelihood of folks updating docker but not having updated snapd is terribly low, but it would be nice to have that actually validated (without having to wait another week or two to get there). I guess we could just plan to tell anyone who complains to update their snapd? I don't get to see https://snapcraft.io/snapd/metrics, but I have to imagine the number of (data reporting) users who didn't get the bump by now is pretty tiny. I'd worry more about users who aren't consuming snapd from the Snap, but their mitigation path is pretty straightforward. 😅
There was a problem hiding this comment.
In all likelihood, I think you're correct in that the number of affected docker snap users will likely be very small, so we are probably good to just go with assumes: [snapd2.48.2], and then after 2.49 is out maybe we can revisit and bump it again to 2.49 to be super extra sure
(This reverts cf4a338.)
No description provided.