SRU of LXC 2.0.8

Bug #1691911 reported by Stéphane Graber on 2017-05-19
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lxc (Ubuntu)
Status tracked in Artful
Trusty
Undecided
Unassigned
Xenial
Undecided
Unassigned
Yakkety
Undecided
Unassigned
Zesty
Undecided
Unassigned
Artful
Undecided
Unassigned

Bug Description

LXC upstream released LXC 2.0.8 as a bugfix release with following changelog:
    - Security fix for CVE-2017-5985 (previously fixed in Ubuntu)

    - All templates have been updated to not set default passwords anymore,
      instead requiring lxc-attach be used to configure users.

      This may affect some automated environments that were relying on our
      default (very much insecure) users.

    - Make lxc-start-ephemeral Python 3.2-compatible
    - Fix typo
    - Allow build without sys/capability.h
    - lxc-opensuse: fix default value for release code
    - util: always malloc for setproctitle
    - util: update setproctitle comments
    - confile: clear lxc.network..ipv{4,6} when empty
    - lxc_setup_tios(): Ignore SIGTTOU and SIGTTIN signals
    - Make lxc-net return non-zero on failure
    - seccomp: allow x32 guests on amd64 hosts.
    - Add HAVE_LIBCAP
    - c/r: only supply --ext-mount-map for bind mounts
    - Added 'mkdir -p' functionality in create_or_remove_cgroup
    - Use LXC_ROOTFS_MOUNT in clonehostname hook
    - squeeze is not a supported release anymore, drop the key
    - start: dumb down SIGCHLD from WARN() to NOTICE()
    - log: fix lxc_unix_epoch_to_utc()
    - cgfsng: make trim() safer
    - seccomp: set SCMP_FLTATR_ATL_TSKIP if available
    - lxc-user-nic: re-order #includes
    - lxc-user-nic: improve + bugfix
    - lxc-user-nic: delete link on failure
    - conf: only try to delete veth when privileged
    - Fix lxc-containers to support multiple bridges
    - Fix mixed tab/spaces in previous patch
    - lxc-alpine: use dl-cdn.a.o as default mirror instead of random one
    - lxc-checkconfig: verify new[ug]idmap are setuid-root
    - [templates] archlinux: resolve conflicting files
    - [templates] archlinux: noneed default_timezone variable
    - python3: Deal with potential NULL char*
    - lxc-download.in / allow setting keyserver from env
    - lxc-download.in / Document keyserver change in help
    - Change variable check to match existing style
    - tree-wide: include directly
    - conf/ile: make sure buffer is large enough
    - tree-wide: include directly
    - tests: Support running on IPv6 networks
    - tests: Kill containers (don't wait for shutdown)
    - Fix opening wrong file in suggest_default_idmap
    - do not set the root password in the debian template
    - do not set insecure passwords
    - don't set a default password for altlinux, gentoo, openmandriva and pld
    - tools: exit with return code of lxc_execute()
    - Keep veth.pair.name on network shutdown
    - Makefile: fix static clang init.lxc build
    - Avoid waiting for bridge interface if disabled in sysconfig/lxc
    - Increased buffer length in print_stats()
    - avoid assigning to a variable which is not POSIX shell proof (bug #1498)
    - remove obsolete note about api stability
    - conf: less error prone pointer access
    - conf: lxc_map_ids() non-functional changes
    - caps: add lxc_{proc,file}_cap_is_set()
    - conf: check for {filecaps,setuid} on new{g,u}idmap
    - conf: improve log when mounting rootfs
    - ls: simplify the judgment condition when list active containers
    - fix typo introduced in #1509
    - attach|unshare: fix the wrong comment
    - caps: skip file capability checks on android
    - autotools: check for cap_get_file
    - caps: return false if caps are not supported
    - conf: non-functional changes to setup_pts()
    - conf: use bind-mount for /dev/ptmx
    - conf: non-functional changes
    - utils: use loop device helpers from LXD
    - create ISSUE_TEMPLATE.md
    - cgroups: improve cgfsng debugging
    - issue template: fix typo
    - conf: close fd in lxc_setup_devpts()
    - conf: non-functional changes
    - utils: tweak lxc_mount_proc_if_needed()
    - Change sshd template to work with Ubuntu 17.04
    - conf: order mount options
    - conf: add MS_LAZYTIME to mount options
    - monitor: report errno on exec() error
    - af unix: allow for maximum socket name
    - commands: avoid NULL pointer dereference
    - commands: non-functional changes
    - lxccontainer: avoid NULL pointer dereference
    - monitor: simplify abstract socket logic
    - precise is not the latest LTS, let's use xenial instead
    - fix the wrong exit status
    - conf: non-functional changes lxc_fill_autodev()
    - conf: remove /dev/console from lxc_fill_autodev()
    - conf: non-functional changes lxc_setup()
    - conf: non-functional changes to console functions
    - conf: improve lxc_setup_dev_console()
    - conf: lxc_setup_ttydir_console()
    - config: remove /dev/console bind mount
    - doc: document console behavior
    - utils: add lxc_unstack_mountpoint()
    - conf: unstack all mounts atop /dev/console
    - console: fail when we cannot allocate peer tty
    - start: remove umount2()
    - conf: non-functional changes
    - utils: handle > 2^31 in lxc_unstack_mountpoint()
    - Install systemd units for CentOS
    - Merge ubuntu and debiancase
    - start: add crucial details about lxc_spawn()

Just like Ubuntu itself, upstream releases long term support releases, as is 2.0 and then periodic point releases including all the accumulated bugfixes.

Only the latest upstream release gets full support from the upstream developers, everyone else is expected to first update to it before receiving any kind of support.

This bugfix release has already been uploaded to Zesty and automatically backported in the upstream PPAs for all Ubuntu releases. So far without any reported regression.

This should qualify under the minor upstream bugfix release allowance of the SRU policy, letting us SRU this without paperwork for every single change included in this upstream release.

Once the SRU hits -updates, we will be backporting this to trusty-backports as well, making sure we have the same version everywhere.

Changed in lxc (Ubuntu Artful):
status: New → Fix Released
Changed in lxc (Ubuntu Zesty):
status: New → In Progress
Changed in lxc (Ubuntu Yakkety):
status: New → In Progress
Changed in lxc (Ubuntu Xenial):
status: New → In Progress

Hello Stéphane, or anyone else affected,

Accepted lxc into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lxc/2.0.8-0ubuntu1~17.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed
Łukasz Zemczak (sil2100) wrote :

Hello Stéphane, or anyone else affected,

Accepted lxc into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lxc/2.0.8-0ubuntu1~16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Yakkety):
status: In Progress → Fix Committed
Changed in lxc (Ubuntu Xenial):
status: In Progress → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Stéphane, or anyone else affected,

Accepted lxc into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lxc/2.0.8-0ubuntu1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers