Cve-2021-3177

Is there any guidance from Canonical on when the core18 snap will be patched with python2.7 and 3.7?
There’s a page that discusses the Ubuntu response but I don’t see a similar page for Core snap patching.

What’s the best point of contact for the Canonical security team?

Not from Canonical, but the core18 and core20 base snaps cannot be patched until there are fixes in the Ubuntu archive. Those haven’t been added yet. AFAICT even Python upstream has not received any patching for this issue yet so expecting a timeline on fixes in a downstream project is a bit premature.

OK, I’ve done a bit of digging. I’m wrong here, there were two releases two days ago from upstream. https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html

@daniel is correct that before the core* snaps can be updated, the upstream debian packages in ubuntu archive for Xenial (for core), Bionic (for core18) and Focal (for core20) need to be fixed with SRU’ing here, then the core* snaps can be rebuilt with that.

You can always contact our security team confidentially at security@ubuntu.com.

2 Likes