Store sending out notices for ESM-only CVEs (for `base: core20`, too)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Snap Store Server | Invalid | Undecided | Unassigned | |
| review-tools | Fix Released | Undecided | Unassigned | |
Bug Description
I got notice of a handful of outdated packages in some of my snaps, e.g. mir-kiosk-kodi:
```
A scan of this snap shows that it was built with packages from the Ubuntu
archive that have since received security updates. The following lists new
USNs for affected binary packages in each snap revision:
Revision r459 (amd64; channels: stable, candidate, beta)
* libsmbclient: 5822-2
* libwbclient0: 5822-2
* python3-samba: 5822-2
* samba-common: 5822-2
* samba-common-bin: 5822-2
* samba-libs: 5822-2
Revision r460 (arm64; channels: stable, candidate, beta)
* libmysofa1: 5184-1
* libpython2.7: 5342-2
* libpython2.
* libpython2.
* libsmbclient: 5822-2
* libwbclient0: 5822-2
* libzmq5: 4920-1
* python-pil: 5777-2
* python2.7: 5342-2
* python2.7-minimal: 5342-2
* python3-samba: 5822-2
* samba-common: 5822-2
* samba-common-bin: 5822-2
* samba-libs: 5822-2
# ...
```
Most of these CVEs are only fixed in ESM:
* https:/
* https:/
* https:/
* https:/
* https:/
Is there even a story for building snaps with ESM? Shouldn't this be opt-in per snap?
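As an added illustration (not review-tools code, and not part of the bug report), the check below models what the notice generator has to do with a snap's stage-packages dump: compare each staged package version against the version a USN fixed, using dpkg's version ordering, and only consult the ESM pocket when the caller opts in. The manifest, the USN database shape, the `esm-apps/<release>` pocket key and every version string are constructed assumptions for the example, not the real USN database format.

```python
# Added example (not review-tools code): a simplified model of the USN check over a
# snap's stage-packages, with ESM pockets opt-in. The manifest shape, USN db shape,
# "esm-apps/<release>" key naming and all versions are constructed assumptions.

def _order(c):
    """dpkg character ordering: '~' sorts before everything, letters before
    other symbols; digits and end-of-string are 0 (handled separately)."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments with dpkg's alternating non-digit/digit rule."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts (epoch and revision optional)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions` (epoch, then upstream, then revision)."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def usns_for_snap(stage_packages, base_release, usn_db, include_esm=False):
    """Map USN id -> {"packages": [...], "esm_only": bool} for staged packages older
    than the fixed version. The ESM pocket is consulted only when include_esm is set,
    modelling a per-snap opt-in."""
    pockets = [(base_release, False)]
    if include_esm:
        pockets.append((f"esm-apps/{base_release}", True))  # assumed key format
    hits = {}
    for usn_id, data in usn_db.items():
        for pocket, is_esm in pockets:
            binaries = data.get("releases", {}).get(pocket, {}).get("binaries", {})
            for pkg, staged in stage_packages.items():
                fixed = binaries.get(pkg, {}).get("version")
                if fixed and compare_versions(staged, fixed) < 0:
                    entry = hits.setdefault(usn_id, {"packages": set(), "esm_only": True})
                    entry["packages"].add(pkg)
                    if not is_esm:
                        entry["esm_only"] = False
    return {u: {"packages": sorted(h["packages"]), "esm_only": h["esm_only"]}
            for u, h in hits.items()}


# Constructed sample input: a core20 (focal) snap's stage-packages and a tiny USN db.
SAMPLE_STAGE_PACKAGES = {
    "samba-libs": "2:4.13.17+dfsg-0ubuntu1.20.04.1",
    "libzmq5": "4.3.2-2ubuntu1",
    "libssl1.1": "1.1.1f-1ubuntu2.20",
}
SAMPLE_USN_DB = {
    "1111-1": {"releases": {"esm-apps/focal": {"binaries": {  # ESM-only fix
        "samba-libs": {"version": "2:4.13.17+dfsg-0ubuntu1.20.04.2"}}}}},
    "2222-1": {"releases": {"focal": {"binaries": {  # fix in the regular archive
        "libssl1.1": {"version": "1.1.1f-1ubuntu2.21"}}}}},
    "3333-1": {"releases": {"focal": {"binaries": {  # staged version already fixed
        "libzmq5": {"version": "4.3.2-2ubuntu1"}}}}},
}

if __name__ == "__main__":
    print(usns_for_snap(SAMPLE_STAGE_PACKAGES, "focal", SAMPLE_USN_DB))
    print(usns_for_snap(SAMPLE_STAGE_PACKAGES, "focal", SAMPLE_USN_DB, include_esm=True))
```

With the default `include_esm=False` the sample reports only the USN fixed in the regular focal archive; with the opt-in set, the ESM-only USN is reported as well and flagged `esm_only`, which is the distinction a notice generator needs to avoid mailing publishers about fixes they cannot pull in without an ESM subscription.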
Related branches
- Reviewer: Emilia Torino: Approve
- Diff: 1229 lines (+892/-14), 15 files modified:
  - bin/rock-check-notices (+5/-1)
  - bin/rock-updates-available (+17/-2)
  - bin/snap-check-notices (+4/-1)
  - bin/snap-updates-available (+17/-2)
  - reviewtools/available.py (+22/-6)
  - reviewtools/store.py (+14/-2)
  - reviewtools/tests/test_available.py (+47/-0)
  - reviewtools/tests/test_store.py (+49/-0)
  - reviewtools/tests/test_usn.py (+154/-0)
  - reviewtools/usn.py (+8/-0)
  - tests/test-store-unittest-esm-apps.db (+23/-0)
  - tests/test-updates-available.sh (+22/-0)
  - tests/test-updates-available.sh.expected (+52/-0)
  - tests/test-usn-unittest-esm-apps.db (+103/-0)
  - tests/test.sh.expected (+355/-0)
The store does nothing in the notification-sending process; we just generate a dump of stage-packages for other tools to analyze and email about.