Hey guys, looking for a way to upgrade our curl from 7.81 to 8.4 due to the vulnerability. We are running Ubuntu 22.04 and I see it in the /snap/landscape-api/10 (and 11)/usr/lib/x86_64-linux-gnu/ directory. I've tried doing the apt upgrade and it finds nothing for it. I am new to snap; is there a different way to do this?
Which vulnerability exactly, do you have a CVE number?
Note that security fixes in Ubuntu are usually backported to the existing version of a package in the archive; new major versions usually do not enter a release. So while the CVE fix will be included in the existing 7.x version as a security patch, you will not find an 8.x version in the archive…
Snap packages are self-contained packages: they ship their dependencies inside, and to update a shipped dependency they need to be re-built and re-released… Once they are released they will automatically update themselves (unless you explicitly prevent this by a setting), so once the curl package has the fix, you will get an updated version of the snap without having to do anything… (You can also manually trigger an update if you feel like it with the sudo snap refresh command.)
The apt tool has no effect on snap packages.
If you want to know more about snap management, the output of snap help is worth a read.
Hi Orga, thanks for replying back. The CVE is CVE-2023-38545. I see the same issue on 2 of your Ubuntu servers in different directories. Thank you for the explanations as well.
Moved to the Support & Help category
Alerted the Security team just in case there is anything they need to action on their end. Granted, landscape-api is a snap, but seeing as how release 10 is latest/stable, this might garner some attention.
For what it's worth, latest/edge is release 12, which seems to be newer than either that are mentioned, but I'd hate to have that run on production systems unless the Landscape people were confident in it and it were well-tested.
However, the mention of Landscape does make me wonder if this is under Pro under a contract tier.
$ snap download landscape-api
[...]
$ unsquashfs landscape-api_10.snap
[...]
$ zcat squashfs-root/usr/share/doc/libcurl4/changelog.Debian.gz|head -1
curl (7.81.0-1ubuntu1.15) jammy-security; urgency=medium
$
The snap obviously has 7.81.0-1ubuntu1.15 … the CVE fix landed in 7.81.0-1ubuntu1.14 according to the CVE tracker, so there is no need to notify anyone, it is all fine …
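The check in the post above (unpack the snap, read the first changelog.Debian entry of the bundled libcurl4, compare against the version in which the fix landed) can be scripted against the snaps already mounted on a host, so it does not have to be repeated by hand for every revision. The following is an added example and not code from the thread or from Canonical. It assumes the snap is mounted under /snap/<name>/<revision>/ (as the original poster's path shows), that the libcurl changelog lives at usr/share/doc/libcurl4/changelog.Debian.gz inside it, and that dpkg is available for proper Debian version ordering; where dpkg is missing it falls back to sort -V, which orders the ubuntuN.M revisions seen here correctly but does not implement every rule of Debian version comparison (tilde handling in particular).

```shell
#!/bin/sh
# Added example (not from the thread): report whether the libcurl build shipped
# inside each installed revision of a snap is at or past a given fixed version.
# Assumed layout: /snap/<name>/<rev>/usr/share/doc/libcurl4/changelog.Debian.gz

# Pull "7.81.0-1ubuntu1.15" out of a changelog header line such as
# "curl (7.81.0-1ubuntu1.15) jammy-security; urgency=medium".
changelog_version() {
    printf '%s\n' "$1" | sed -n 's/^[^ ]* (\([^)]*\)).*/\1/p'
}

# Return 0 if Debian version $1 >= $2. dpkg knows the real ordering rules;
# the sort -V fallback is good enough for plain "1ubuntu1.N" revisions.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
    fi
}

# $1: first line of the bundled libcurl4 changelog, $2: version carrying the fix.
# Returns 0 when the shipped build already contains the fix, 1 when it does not,
# 2 when the line could not be parsed (treat as "unknown", not as "fixed").
snap_has_fix() {
    shipped=$(changelog_version "$1")
    [ -n "$shipped" ] || return 2
    version_ge "$shipped" "$2"
}

# Walk every numbered revision of a snap on this host and print a verdict per revision.
# $1: snap name (e.g. landscape-api), $2: fixed version from the Ubuntu CVE tracker.
check_installed_snap() {
    name=$1
    fixed=$2
    for rev in /snap/"$name"/[0-9]*; do
        cl=$rev/usr/share/doc/libcurl4/changelog.Debian.gz
        [ -f "$cl" ] || continue          # revision without a bundled libcurl4 (or no such snap)
        first=$(zcat "$cl" | head -n1)
        shipped=$(changelog_version "$first")
        if snap_has_fix "$first" "$fixed"; then
            echo "$rev: libcurl4 $shipped >= $fixed (fix included)"
        else
            echo "$rev: libcurl4 $shipped < $fixed (fix NOT included)"
        fi
    done
}

# Only run the host walk when invoked with arguments, e.g.:
#   sh check_snap_curl.sh landscape-api 7.81.0-1ubuntu1.14
if [ $# -eq 2 ]; then
    check_installed_snap "$1" "$2"
fi
```

The fixed version to pass in is the one the Ubuntu CVE tracker lists for the release (7.81.0-1ubuntu1.14 for CVE-2023-38545 on jammy, per the post above); the script deliberately treats an unparseable changelog as "unknown" rather than "fixed" so a missing or renamed doc file does not produce a false all-clear.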
Oh perfect! I didn’t do too much digging, but that said, I already had notified them. I’ll call off the cavalry now.