SRU of LXC 2.0.6 (upstream bugfix release)

Bug #1647010 reported by Stéphane Graber
This bug affects 1 person
Affects        Status         Importance   Assigned to       Milestone
lxc (Ubuntu)   Fix Released   Undecided    Unassigned
Trusty         Fix Released   Undecided    Stéphane Graber
Xenial         Fix Released   Undecided    Stéphane Graber
Yakkety        Fix Released   Undecided    Stéphane Graber

Bug Description

LXC upstream released LXC 2.0.5 as a bugfix release with the following changelog:
    - Security fix for CVE-2016-8649
    - utils: make detect_ramfs_rootfs() return bool
    - tests: add test for detect_ramfs_rootfs()
    - add Documentation entries to lxc and lxc@ units
    - mark the python examples as having utf-8 encoding
    - log: sanity check the returned value from snprintf()
    - lxc-alpine: mount /dev/shm as tmpfs
    - archlinux: Do DHCP on eth0
    - archlinux: Fix resolving
    - Drop leftover references to lxc_strerror()
    - tests: fix image download for s390x
    - tools: fix coding style in lxc_attach
    - tools: make overlay valid backend
    - tools: better error reporting for lxc-start
    - alpine: Fix installing extra packages
    - lxc-alpine: do not drop setfcap
    - s390x: Fix seccomp handling of personalities
    - tools: correct the argument typo in lxc_copy
    - Use libtool for liblxc.so
    - c/r: use --external instead of --veth-pair
    - c/r: remember to increment netnr
    - c/r: add checkpoint/restore support for macvlan interfaces
    - ubuntu: Fix package upgrades requiring proc
    - c/r: drop duplicate hunk from macvlan case
    - c/r: use snprintf to compute device name
    - Tweak libtool handling to work with Android
    - tests: add lxc_error() and lxc_debug()
    - container start: clone newcgroup immediately
    - use python3_sitearch for including the python code
    - fix rpm build, include all built files, but only once
    - cgfs: fix invalid free()
    - find OpenSUSE's build also as obs-build
    - improve help text for --fancy and --fancy-format
    - improve wording of the help page for lxc-ls
    - cgfs: add print_cgfs_init_debuginfo()
    - cgfs: skip empty entries under /proc/self/cgroup
    - cgfs: explicitly check for NULL
    - tools: use correct exit code for lxc-stop
    - c/r: explicitly emit bind mounts as criu arguments
    - log: bump LXC_LOG_BUFFER_SIZE to 4096
    - conf: merge network namespace move & rename on shutdown
    - c/r: save criu's stdout during dump too
    - c/r: remove extra \ns from logs
    - c/r: fix off-by-one error
    - c/r: check state before doing a checkpoint/restore
    - start: CLONE_NEWCGROUP after we have setup cgroups
    - create symlink for /var/run
    - utils: add lxc_append_string()
    - cgroups: remove isolated cpus from cpuset.cpus
    - Update Ubuntu release name: add zesty and remove wily
    - templates: add squashfs support to lxc-ubuntu-cloud.in
    - cgroups: skip v2 hierarchy entry
    - also stop lxc-net in runlevels 0 and 6
    - add lxc.egg-info to gitignore
    - install bash completion where pkg-config tells us to
    - conf: do not use %m format specifier
    - debian: Don't depend on libui-dialog-perl
    - cgroups: use %zu format specifier to print size_t
    - lxc-checkpoint: automatically detect if --external or --veth-pair
    - cgroups: prevent segfault in cgfsng
    - utils: add lxc_preserve_ns()
    - start: add netnsfd to lxc_handler
    - conf: use lxc_preserve_ns()
    - attach: use lxc_preserve_ns()
    - lxc_user_nic: use lxc_preserve_ns()
    - conf, start: improve log output
    - conf: explicitly remove veth device from host
    - conf, start: be smarter when deleting networks
    - start, utils: improve preserve_ns()
    - start, error: improve log + non-functional changes
    - start, namespace: move ns_info to namespace.{c,h}
    - attach, utils: bugfixes
    - attach: use ns_info[LXC_NS_MAX] struct
    - namespace: always attach to user namespace first
    - cgroup: improve isolcpus handling
    - cgroups: handle non-existent isolcpus file
    - utils: add lxc_safe_uint()
    - tests: add unit tests for lxc_safe_uint()
    - utils: add lxc_safe_int()
    - tests: add unit tests for lxc_safe_int()
    - conf/ile: get ip prefix via lxc_safe_uint()
    - confile: use lxc_safe_u/int in config_init_{u,g}id
    - conf/ile: use lxc_safe_uint() in config_pts()
    - conf/ile: use lxc_safe_u/int() in config_start()
    - conf/ile: use lxc_safe_uint() in config_monitor()
    - conf/ile: use lxc_safe_uint() in config_tty()
    - conf/ile: use lxc_safe_uint() in config_kmsg()
    - conf/ile: avoid atoi in config_lsm_aa_incomplete()
    - conf/ile: use lxc_safe_uint() in config_autodev()
    - conf/ile: avoid atoi() in config_ephemeral()
    - utils: use lxc_safe_int()
    - lxc_monitord: use lxc_safe_int() && use exit()
    - start: use lxc_safe_int()
    - conf: use lxc_safe_{u}int()
    - tools/lxc_execute: use lxc_safe_uint()
    - tools/lxc_stop: use lxc_safe_uint()
    - utils: add lxc_safe_long()
    - tests: add unit tests for lxc_safe_long()
    - tools/lxc_stop: use lxc_safe_long()
    - tools/lxc_top: use lxc_safe_int()
    - tools/lxc_ls: use lxc_safe_uint()
    - tools/lxc_autostart: use lxc_safe_{int,long}()
    - tools/lxc_console: use lxc_safe_uint()
    - tools: replace non-standard namespace identifiers
    - Configure a static MAC address on the LXC bridge
    - tests: remove overflow tests
    - attach: do not send procfd to attached process

Just like Ubuntu itself, upstream releases long term support releases, as is 2.0 and then periodic point releases including all the accumulated bugfixes.

Only the latest upstream release gets full support from the upstream developers, everyone else is expected to first update to it before receiving any kind of support.

This bugfix release has already been uploaded to Zesty and automatically backported in the upstream PPAs for all Ubuntu releases. So far without any reported regression.

This should qualify under the minor upstream bugfix release allowance of the SRU policy, letting us SRU this without paperwork for every single change included in this upstream release.

Once the SRU hits -updates, we will be backporting this to trusty-backports as well, making sure we have the same version everywhere.


Changed in lxc (Ubuntu Trusty):
status: New → In Progress
Changed in lxc (Ubuntu Xenial):
status: New → In Progress
Changed in lxc (Ubuntu Yakkety):
status: New → In Progress
Changed in lxc (Ubuntu Trusty):
assignee: nobody → Stéphane Graber (stgraber)
Changed in lxc (Ubuntu Xenial):
assignee: nobody → Stéphane Graber (stgraber)
Changed in lxc (Ubuntu Yakkety):
assignee: nobody → Stéphane Graber (stgraber)
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Stéphane, or anyone else affected,

Accepted lxc into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lxc/2.0.6-0ubuntu1~ubuntu16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Yakkety):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in lxc (Ubuntu Xenial):
status: In Progress → Fix Committed
Brian Murray (brian-murray) wrote :

Hello Stéphane, or anyone else affected,

Accepted lxc into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lxc/2.0.6-0ubuntu1~ubuntu16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Stéphane Graber (stgraber) wrote :

Been running this for a week without a problem. Autopkgtest is a bit confused due to a mixup with the old go-lxc, but LXC's own tests pass and the test results against the new go-lxc are good too.
Releasing.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 2.0.6-0ubuntu1~ubuntu16.04.1

---------------
lxc (2.0.6-0ubuntu1~ubuntu16.04.1) xenial; urgency=medium

  * New upstream bugfix release (2.0.6) (LP: #1647010):
    - Security fix for CVE-2016-8649
    - utils: make detect_ramfs_rootfs() return bool
    - tests: add test for detect_ramfs_rootfs()
    - add Documentation entries to lxc and lxc@ units
    - mark the python examples as having utf-8 encoding
    - log: sanity check the returned value from snprintf()
    - lxc-alpine: mount /dev/shm as tmpfs
    - archlinux: Do DHCP on eth0
    - archlinux: Fix resolving
    - Drop leftover references to lxc_strerror()
    - tests: fix image download for s390x
    - tools: fix coding style in lxc_attach
    - tools: make overlay valid backend
    - tools: better error reporting for lxc-start
    - alpine: Fix installing extra packages
    - lxc-alpine: do not drop setfcap
    - s390x: Fix seccomp handling of personalities
    - tools: correct the argument typo in lxc_copy
    - Use libtool for liblxc.so
    - c/r: use --external instead of --veth-pair
    - c/r: remember to increment netnr
    - c/r: add checkpoint/restore support for macvlan interfaces
    - ubuntu: Fix package upgrades requiring proc
    - c/r: drop duplicate hunk from macvlan case
    - c/r: use snprintf to compute device name
    - Tweak libtool handling to work with Android
    - tests: add lxc_error() and lxc_debug()
    - container start: clone newcgroup immediately
    - use python3_sitearch for including the python code
    - fix rpm build, include all built files, but only once
    - cgfs: fix invalid free()
    - find OpenSUSE's build also as obs-build
    - improve help text for --fancy and --fancy-format
    - improve wording of the help page for lxc-ls
    - cgfs: add print_cgfs_init_debuginfo()
    - cgfs: skip empty entries under /proc/self/cgroup
    - cgfs: explicitly check for NULL
    - tools: use correct exit code for lxc-stop
    - c/r: explicitly emit bind mounts as criu arguments
    - log: bump LXC_LOG_BUFFER_SIZE to 4096
    - conf: merge network namespace move & rename on shutdown
    - c/r: save criu's stdout during dump too
    - c/r: remove extra \ns from logs
    - c/r: fix off-by-one error
    - c/r: check state before doing a checkpoint/restore
    - start: CLONE_NEWCGROUP after we have setup cgroups
    - create symlink for /var/run
    - utils: add lxc_append_string()
    - cgroups: remove isolated cpus from cpuset.cpus
    - Update Ubuntu release name: add zesty and remove wily
    - templates: add squashfs support to lxc-ubuntu-cloud.in
    - cgroups: skip v2 hierarchy entry
    - also stop lxc-net in runlevels 0 and 6
    - add lxc.egg-info to gitignore
    - install bash completion where pkg-config tells us to
    - conf: do not use %m format specifier
    - debian: Don't depend on libui-dialog-perl
    - cgroups: use %zu format specifier to print size_t
    - lxc-checkpoint: automatically detect if --external or --veth-pair
    - cgroups: prevent segfault in cgfsng
    - utils: add lxc_preserve_ns()
    - start: add netnsfd to lxc_handler
    - conf: use lxc_preserve_ns()
    - attach: use lxc_preserve...


Changed in lxc (Ubuntu Xenial):
status: Fix Committed → Fix Released
Stéphane Graber (stgraber) wrote : Update Released

The verification of the Stable Release Update for lxc has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 2.0.6-0ubuntu1~ubuntu16.10.1

---------------
lxc (2.0.6-0ubuntu1~ubuntu16.10.1) yakkety; urgency=medium

  * New upstream bugfix release (2.0.6) (LP: #1647010):
    - Security fix for CVE-2016-8649
    - utils: make detect_ramfs_rootfs() return bool
    - tests: add test for detect_ramfs_rootfs()
    - add Documentation entries to lxc and lxc@ units
    - mark the python examples as having utf-8 encoding
    - log: sanity check the returned value from snprintf()
    - lxc-alpine: mount /dev/shm as tmpfs
    - archlinux: Do DHCP on eth0
    - archlinux: Fix resolving
    - Drop leftover references to lxc_strerror()
    - tests: fix image download for s390x
    - tools: fix coding style in lxc_attach
    - tools: make overlay valid backend
    - tools: better error reporting for lxc-start
    - alpine: Fix installing extra packages
    - lxc-alpine: do not drop setfcap
    - s390x: Fix seccomp handling of personalities
    - tools: correct the argument typo in lxc_copy
    - Use libtool for liblxc.so
    - c/r: use --external instead of --veth-pair
    - c/r: remember to increment netnr
    - c/r: add checkpoint/restore support for macvlan interfaces
    - ubuntu: Fix package upgrades requiring proc
    - c/r: drop duplicate hunk from macvlan case
    - c/r: use snprintf to compute device name
    - Tweak libtool handling to work with Android
    - tests: add lxc_error() and lxc_debug()
    - container start: clone newcgroup immediately
    - use python3_sitearch for including the python code
    - fix rpm build, include all built files, but only once
    - cgfs: fix invalid free()
    - find OpenSUSE's build also as obs-build
    - improve help text for --fancy and --fancy-format
    - improve wording of the help page for lxc-ls
    - cgfs: add print_cgfs_init_debuginfo()
    - cgfs: skip empty entries under /proc/self/cgroup
    - cgfs: explicitly check for NULL
    - tools: use correct exit code for lxc-stop
    - c/r: explicitly emit bind mounts as criu arguments
    - log: bump LXC_LOG_BUFFER_SIZE to 4096
    - conf: merge network namespace move & rename on shutdown
    - c/r: save criu's stdout during dump too
    - c/r: remove extra \ns from logs
    - c/r: fix off-by-one error
    - c/r: check state before doing a checkpoint/restore
    - start: CLONE_NEWCGROUP after we have setup cgroups
    - create symlink for /var/run
    - utils: add lxc_append_string()
    - cgroups: remove isolated cpus from cpuset.cpus
    - Update Ubuntu release name: add zesty and remove wily
    - templates: add squashfs support to lxc-ubuntu-cloud.in
    - cgroups: skip v2 hierarchy entry
    - also stop lxc-net in runlevels 0 and 6
    - add lxc.egg-info to gitignore
    - install bash completion where pkg-config tells us to
    - conf: do not use %m format specifier
    - debian: Don't depend on libui-dialog-perl
    - cgroups: use %zu format specifier to print size_t
    - lxc-checkpoint: automatically detect if --external or --veth-pair
    - cgroups: prevent segfault in cgfsng
    - utils: add lxc_preserve_ns()
    - start: add netnsfd to lxc_handler
    - conf: use lxc_preserve_ns()
    - attach: use lxc_preserv...


Changed in lxc (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Changed in lxc (Ubuntu Trusty):
status: In Progress → Fix Released