[SRU] 2.37.4

Bug #1817949 reported by Michael Vogt
Affects         Status        Importance  Assigned to  Milestone
snapd (Ubuntu)  Fix Released  Undecided   Unassigned
Trusty          Fix Released  Undecided   Unassigned
Xenial          Fix Released  Undecided   Unassigned
Bionic          Fix Released  Undecided   Unassigned
Cosmic          Fix Released  Undecided   Unassigned

Bug Description

This is a new bugfix release of snapd - it fixes some corner case regressions we found in the 2.37 release series.

The changelog is available here https://github.com/snapcore/snapd/blob/2.37.4/packaging/ubuntu-16.04/changelog, the raw git changelog is available here: https://github.com/snapcore/snapd/commits/2.37.4 (note that the debian changelog is auto-generated from the merges of the git commits so there is usually no need to look at the raw git commits).

The travis logs for 2.37.4 can be found here: https://travis-ci.org/snapcore/snapd/branches

We currently have no autopkgtest logs before snapd hits -proposed because we got asked to disable our autopkgtest integration as it was using too many resources from the autopkgtest infrastructure.

The snappy team released a new release that we want to SRU into xenial. The new process described in https://wiki.ubuntu.com/SnapdUpdates was used and we have done integration-tests on the snappy images, autopkgtests on classic and unit tests.

= PACKAGING CHANGES =

1. debian/rules: Fix the apparmor loading order, this change ensures that the new apparmor profiles are loaded *before* snapd is restarted. The old behaviour was buggy and when jumping from a very old version of snapd the old behaviour would cause snap services to fail to start.
2. debian/rules: Disable /usr/lib/systemd/system-environment-generators/snapd-env-generator on 18.04 because the systemd environment generator is not working correctly in 18.04 (this triggered LP: #1811233).
3. debian/postinst: Remove leftover /etc/apparmor.d/usr.lib.snapd.snap-confine - without this change apparmor loads the wrong profile for snap-confine, which will lead to service restart failures and failure to run snaps on upgrades from older versions of snapd.

= TEST CASE =
1. This is tested in tests/main/upgrade-from-2.15 - without this change the go-example-webserver will fail to (re)start when snapd is upgraded.
2. This is tested in tests/main/snap-system-env which will ensure that PATH still has .*/local/.*
3. This is tested in tests/main/upgrade-from-2.15 - without that the snap apptest-snapd-tools.echo would not work after the upgrade of snapd.

= REGRESSION POTENTIAL =
1. low regression potential, the order of the snippets is changed only, no new code or removed code in postinst
2. low regression risk, worst case is that the chmod does not work and we break PATH again - we have an automated test for this
3. low regression potential: removing the snap-confine file has the risk that someone who downgrades the deb from 2.37 to 2.15 has a missing conffile now and snap-confine does not run properly anymore.
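
A post-upgrade check for the three packaging changes described above, written as an added example (it is not part of the bug report or of snapd's own test suite). It assumes that "disabled" for the environment generator means the file is not executable, as the chmod mentioned under regression potential suggests; the function name `check_snapd_upgrade` and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example: verify the state the 2.37.4 packaging changes should leave.
# Paths are the ones named in the bug description, relative to a root
# directory so the check can run against a chroot or a constructed tree.

LEFTOVER=etc/apparmor.d/usr.lib.snapd.snap-confine
GENERATOR=usr/lib/systemd/system-environment-generators/snapd-env-generator

# check_snapd_upgrade ROOT PATH_VALUE IS_1804
# Prints one finding per line; the return status is the number of findings.
check_snapd_upgrade() {
    root=${1:-/}
    path_value=${2:-$PATH}
    is_1804=${3:-no}            # "yes" when the target is Ubuntu 18.04
    findings=0

    # Packaging change 3: a leftover profile makes apparmor load the
    # wrong profile for snap-confine.
    if [ -e "$root/$LEFTOVER" ]; then
        echo "leftover-profile: /$LEFTOVER is still present"
        findings=$((findings + 1))
    fi

    # Packaging change 2 (assumption: disabled == not executable).
    if [ "$is_1804" = yes ] && [ -x "$root/$GENERATOR" ]; then
        echo "env-generator: /$GENERATOR is still executable on 18.04"
        findings=$((findings + 1))
    fi

    # Test case 2: PATH must still match .*/local/.*
    case "$path_value" in
        */local/*) ;;
        *)
            echo "path: no /local/ component in PATH"
            findings=$((findings + 1))
            ;;
    esac

    return "$findings"
}

# Usage on a live 18.04 system: check_snapd_upgrade / "$PATH" yes
```
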

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.37.4+19.04

---------------
snapd (2.37.4+19.04) disco; urgency=medium

  * New upstream release, LP: #1817949
    - squashfs: unset SOURCE_DATE_EPOCH in the TestBuildDate test
    - overlord/ifacestate: fix migration of connections on upgrade from
      ubuntu-core
    - tests: fix upgrade-from-2.15 with kernel 4.15
    - interfaces/seccomp: increase filter precision
    - tests: remove snapweb from tests

 -- Michael Vogt <email address hidden> Wed, 27 Feb 2019 19:53:36 +0100

Changed in snapd (Ubuntu):
status: New → Fix Released
Steve Langasek (vorlon) wrote :

The upload includes changes to debian/rules and debian/snapd.postinst that need to be accounted for in the SRU template (test case / regression potential) before acceptance into -proposed.

Changed in snapd (Ubuntu Cosmic):
status: New → Incomplete
Steve Langasek (vorlon)
Changed in snapd (Ubuntu Bionic):
status: New → Incomplete
Andy Whitcroft (apw) wrote : Please test proposed package

Hello Michael, or anyone else affected,

Accepted snapd into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.37.4+18.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in snapd (Ubuntu Cosmic):
status: Incomplete → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Michael Vogt (mvo)
description: updated
Andy Whitcroft (apw) wrote :

Hello Michael, or anyone else affected,

Accepted snapd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.37.4+18.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in snapd (Ubuntu Bionic):
status: Incomplete → Fix Committed
tags: added: verification-needed-bionic
Changed in snapd (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Andy Whitcroft (apw) wrote :

Hello Michael, or anyone else affected,

Accepted snapd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.37.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in snapd (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed-trusty
Andy Whitcroft (apw) wrote :

Hello Michael, or anyone else affected,

Accepted snapd into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.37.4~14.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Sergio Cazzolato (sergio-j-cazzolato) wrote :

SRU validation done for xenial, bionic and cosmic. For Trusty, the autopkgtests execution is still missing on http://people.canonical.com/~ubuntu-archive/proposed-migration/trusty/update_excuses.html#snapd

tags: added: verification-done verification-done-bionic verification-done-cosmic verification-done-xenial
removed: verification-needed verification-needed-bionic verification-needed-cosmic verification-needed-xenial
Brian Murray (brian-murray) wrote : Reminder of SRU verification policy change

Thank you for taking the time to verify this stable release fix. We have noticed that you have used the verification-done tag for marking the bug as verified and would like to point out that, due to a recent change in SRU bug verification policy, fixes now have to be marked with per-release tags (i.e. verification-done-$RELEASE). Please remove the verification-done tag and add one for the release you have tested the package in. Thank you!

https://wiki.ubuntu.com/StableReleaseUpdates#Verification

tags: removed: verification-done
tags: added: verification-needed
Sergio Cazzolato (sergio-j-cazzolato) wrote :

I already updated the tags. Thanks

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.37.4+18.10

---------------
snapd (2.37.4+18.10) cosmic; urgency=medium

  * New upstream release, LP: #1817949
    - squashfs: unset SOURCE_DATE_EPOCH in the TestBuildDate test
    - overlord/ifacestate: fix migration of connections on upgrade from
      ubuntu-core
    - tests: fix upgrade-from-2.15 with kernel 4.15
    - interfaces/seccomp: increase filter precision
    - tests: remove snapweb from tests

 -- Michael Vogt <email address hidden> Wed, 27 Feb 2019 19:53:36 +0100

Changed in snapd (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for snapd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.37.4+18.04

---------------
snapd (2.37.4+18.04) bionic; urgency=medium

  * New upstream release, LP: #1817949
    - squashfs: unset SOURCE_DATE_EPOCH in the TestBuildDate test
    - overlord/ifacestate: fix migration of connections on upgrade from
      ubuntu-core
    - tests: fix upgrade-from-2.15 with kernel 4.15
    - interfaces/seccomp: increase filter precision
    - tests: remove snapweb from tests

 -- Michael Vogt <email address hidden> Wed, 27 Feb 2019 19:53:36 +0100

Changed in snapd (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.37.4

---------------
snapd (2.37.4) xenial; urgency=medium

  * New upstream release, LP: #1817949
    - squashfs: unset SOURCE_DATE_EPOCH in the TestBuildDate test
    - overlord/ifacestate: fix migration of connections on upgrade from
      ubuntu-core
    - tests: fix upgrade-from-2.15 with kernel 4.15
    - interfaces/seccomp: increase filter precision
    - tests: remove snapweb from tests

 -- Michael Vogt <email address hidden> Wed, 27 Feb 2019 19:53:36 +0100

Changed in snapd (Ubuntu Xenial):
status: Fix Committed → Fix Released
tags: added: verification-done verification-done-trusty
removed: verification-needed verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.37.4~14.04.1

---------------
snapd (2.37.4~14.04.1) trusty-security; urgency=medium

  * No change rebuild for trusty-security (LP: #1812973)
    - CVE-2019-7303

 -- Jamie Strandboge <email address hidden> Fri, 15 Mar 2019 20:00:21 +0000

Changed in snapd (Ubuntu Trusty):
status: Fix Committed → Fix Released