-
snapd (2.49-1+deb11u2) bullseye-security; urgency=high
* SECURITY UPDATE: Local privilege escalation
- snap-confine: Fix race condition in snap-confine when preparing a
private tmp mount namespace for a snap
- CVE-2022-3328
-- Alex Murray <email address hidden> Mon, 28 Nov 2022 21:07:00 +1030
-
snapd (2.49-1+deb11u1) bullseye-security; urgency=high
* SECURITY UPDATE: local privilege escalation
- 0015-cve-2021-44730-44731-4120.patch: Add validations of the
location of the snap-confine binary within snapd.
- 0015-cve-2021-44730-44731-4120: Fix race condition in snap-confine
when preparing a private mount namespace for a snap.
- 0016-cve-2021-2021-44730-44731-4120-auto-remove.patch: automatic
remove vulnerable inactive core/snapd snaps
- CVE-2021-44730
- CVE-2021-44731
* SECURITY UPDATE: data injection from malicious snaps
- 0015-cve-2021-44730-44731-4120: Add validations of snap content
interface and layout paths in snapd
- CVE-2021-4120
- LP: #1949368
-- Michael Vogt <email address hidden> Wed, 16 Feb 2022 10:56:34 +0100
-
snapd (2.49-1) unstable; urgency=high
* New upstream release with security updates:
* SECURITY UPDATE: sandbox escape vulnerability for containers
(LP: #1910456)
- many: add Delegate=true to generated systemd units for special
interfaces
- interfaces/greengrass-support: back-port interface changes to
2.48
- CVE-2020-27352
* interfaces/builtin/docker-support: allow /run/containerd/s/...
- This is a new path that docker 19.03.14 (with a new version of
containerd) uses to avoid containerd CVE issues around the unix
socket. See also CVE-2020-15257.
* debian/patches/0013-cherry-pick-pr9936.patch:
- cherry pick PR#9936 to use all apparmor available (closes: 923500)
* d/p/0011-cherry-pick-pr9809, d/p/0012-cherry-pick-pr9844:
- dropped, applied upstream
-- Michael Vogt <email address hidden> Wed, 24 Feb 2021 09:23:51 +0100