Rebuilding snap does not remove vulnerability

Hi,

I got an e-mail from the store stating that my snap imap2gmail has old packages. Rebuilding the snap should resolve this. However, after rebuilding, I get messages that the new revisions still have the vulnerability.

As far as I can see, I don’t explicitly specify the versions of these packages, so they should simply update:

  • libpython2.7-minimal: 5342-2
  • libpython2.7-stdlib: 5342-2
  • python2.7: 5342-2
  • python2.7-minimal: 5342-2

The snap is based on core20 with the ‘python’ plugin. Full code is at https://github.com/tingdahl/imap2gmail

I have waited a few days (perhaps updates were not published), but after a few days the problem remains.

Any clue?

Thanks for pointing this out Alan.

Three things:

  1. I find it weird that the security update does not apply to a core20. The ESM kicks in after 5 years (that was at least my understanding), and that fixes would be included for the first 5 years.
  2. The instructions are clearly wrong. Rebuilding will not solve the problem with the current setup.
  3. I don’t use Python2, but it is in the snap. Feels weird that it is in there.

I’ll write a comment on the

This is a brand new feature. Up to last week, universe packages never got security updates from Canonical … with the introduction of the (free) pro option, you can now get additional security updates for 20000+ packages in universe …

It is a bug that is being solved currently, that the snap auto-builds are not integrated with this yet…

Thanks ogra! I’ll wait for the resolution!

  • Kristofer