```
+snapd (2.48.3) UNRELEASED; urgency=medium
+
+ * SECURITY UPDATE: sandbox escape vulnerability for containers
+ - many: add Delegate=true to generated systemd units for special
+ interfaces
+ - CVE-2020-27352
+ - LP: #1910456
+ * interfaces/builtin/docker-support: allow /run/containerd/s/...
+ - This is a new path that docker 19.03.14 (with a new version of
+ containerd) uses to avoid containerd CVE issues around the unix
+ socket. See also CVE-2020-15257.
+
+ -- Michael Vogt <email address hidden> Mon, 01 Feb 2021 11:55:18 +0100
```
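Review bot: the docker-support bullet names the new path only as `/run/containerd/s/...` and, unlike the first item (which cites CVE-2020-27352 and LP: #1910456), carries no bug or pull-request reference of its own. Since it ships in a security upload and says "See also CVE-2020-15257", add the reference for the change it pulls in and say plainly that the rule is what lets docker 19.03.14 reach the new containerd socket path under confinement. The header still reads UNRELEASED, which needs to become the target series before debdiffs are prepared.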
Please let me know if this looks good; if so, I will prepare debdiffs/snaps.
Ian asked me to also pull in: https://github.com/snapcore/snapd/pull/9764 to 2.48.3 to support the other docker CVE fix. With that the new changelog suggestion would be:
```
+snapd (2.48.3) UNRELEASED; urgency=medium
+
+ * SECURITY UPDATE: sandbox escape vulnerability for containers
+ - many: add Delegate=true to generated systemd units for special
+ interfaces
+ - CVE-2020-27352
+ - LP: #1910456
+ * interfaces/
+ - This is a new path that docker 19.03.14 (with a new version of
+ containerd) uses to avoid containerd CVE issues around the unix
+ socket. See also CVE-2020-15257.
+
+ -- Michael Vogt <email address hidden> Mon, 01 Feb 2021 11:55:18 +0100
```
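Review bot: the second bullet in this version reads only `* interfaces/`, so the sub-item about docker 19.03.14 and containerd has no subject line. The earlier copy of the entry has the full heading, `* interfaces/builtin/docker-support: allow /run/containerd/s/...`; restore it before this text goes into the changelog.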
Please let me know if this looks good; if so, I will prepare debdiffs/snaps.