Since the public commits do not reference this vulnerability, keeping this bug private until the agreed upon CRD (which is tentatively set for 2019-02-06 16:00 UTC. If that changes, I will update the bug). I will also make the bug public at the appropriate time.
The issue can be considered semi-public since a public commit refactored the offending code and fixed the issue along the way: https:/ /github. com/snapcore/ snapd/pull/ 6443 and the followup https:/ /github. com/snapcore/ snapd/pull/ 6447. This information was included in the coordination email with the other distributions.
Since the public commits do not reference this vulnerability, keeping this bug private until the agreed upon CRD (which is tentatively set for 2019-02-06 16:00 UTC. If that changes, I will update the bug). I will also make the bug public at the appropriate time.