Lets take CVE-2021-3448 as an example.
It's easy to see when the deb package got the backported fix, and what package is installed on the server.
But the same package in a snap:
/snap/lxd/21468/bin/dnsmasq --version
Dnsmasq version 2.80 .....
snap list
lxd 4.18 21468 latest/stable/… canonical✓ -
Do you know if there is a way to see if that CVE is backported to 2.80 in the Canonical lxd snap somewhere?
Perhaps I am missing some really easy way to get this information.
With the deb update information, you're halfway there.
Since LXD is distributed as a snap, you should always be running the latest version for your channel automatically. In this example, LXD 4.0.7 is in the stable channel, and installed on a 20.04 server:
$ snap list lxd
Name Version Rev Tracking Publisher Notes
lxd 4.0.7 21029 4.0/stable/… canonical✓ -
Next, let's head over to https://launchpad.net/lxd/+snaps and find that stable version...
...aha. Here it is: https://launchpad.net/~ubuntu-lxc/+snap/lxd-4.0-candidate . You can see the build date --which is after the CVE (good)-- and a link to the build log for each architecture.
Let's take a closer look at that build log. This particular snap is built, under the hood, from debs! Let's zero in on the exact deb package used for the build.
The URL for the buildlog is https://launchpadlibrarian.net/549848217/buildlog_snap_ubuntu_bionic_arm64_lxd-4.0-candidate_BUILDING.txt.gz . The word '_bionic_' in there shows us that the LXD snap is built from 18.04 (Bionic) packages; that it's running on a 20.04 system isn't relevant.
A quick grep gives us the actual dnsmasq deb package used: Get:1 dnsmasq-base_2.79-1ubuntu0.4_amd64.deb [279 kB]
(Wait a second....It's the dnsmasq-base package instead of the dnsmasq package. No dnsmasq package suggests that the CVE may-or-may-not apply after all. However, let's overlook that and keep going for the final step)
Finally, let's look at the Ubuntu Security Team CVE tracker to make sure that the package is properly fixed. Were the LXD snap using dnsmasq instead of dnsmasq-base, you can see that the build used a properly patched version (highlighted).
