{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [], "removed": [], "diff": [ "snapd" ] } }, "diff": { "deb": [ { "name": "snapd", "from_version": { "source_package_name": "snapd", "source_package_version": "2.71+ubuntu25.04", "version": "2.71+ubuntu25.04" }, "to_version": { "source_package_name": "snapd", "source_package_version": "2.72+ubuntu25.04", "version": "2.72+ubuntu25.04" }, "cves": [], "launchpad_bugs_fixed": [ 2124239, 2122054, 2117558, 1916244, 2121238, 2117121, 2112626, 2114704, 2112209, 2107443, 2104066, 2105854, 2102456, 2106121, 2088456, 2098137, 2109843 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release, LP: #2124239", " - FDE: support replacing TPM protected keys at runtime via the", " /v2/system-volumes endpoint", " - FDE: support secboot preinstall check fix actions for 25.10+", " hybrid installs via the /v2/system/{label} endpoint", " - FDE: tweak polkit message to remove jargon", " - FDE: ensure proper sealing with kernel command line defaults", " - FDE: provide generic reseal function", " - FDE: support using OPTEE for protecting keys, as an alternative to", " existing fde-setup hooks (Ubuntu Core only)", " - Confdb: 'snapctl get --view' supports passing default values", " - Confdb: content sub-rules in confdb-schemas inherit their parent", " rule's \"access\"", " - Confdb: make confdb error kinds used in API more generic", " - Confdb: fully support lists and indexed paths (including unset)", " - Prompting: add notice backend for prompting types (unused for now)", " - Prompting: include request cgroup in prompt", " - Prompting: handle unsupported xattrs", " - Prompting: add permission mapping for the camera interface", " - Notices: read notices from state without state lock", " - Notices: add methods to get notice fields and create, reoccur, and", " deepcopy notice", " - Notices: add notice manager to coordinate separate notice backends", " - Notices: support draining notices from state when notice backend", " registered as producer of a particular notice type", " - Notices: query notice manager from daemon instead of querying", " state for notices directly", " - Packaging: Ubuntu | ignore .git directory", " - Packaging: FIPS | bump deb Go FIPS to 1.23", " - Packaging: snap | bump FIPS toolchain to 1.23", " - Packaging: debian | sync most upstream changes", " - Packaging: debian-sid | depends on libcap2-bin for postint", " - Packaging: Fedora | drop fakeroot", " - Packaging: snap | modify snapd.mk to pass build tags when running", " unit tests", " - Packaging: snap | modify snapd.mk to pass nooptee build tag", " - Packaging: modify Makefile.am to fix snap-confine install profile", " with 'make hack'", " - Packaging: modify Makefile.am to fix out-of-tree use of 'make", " hack'", " - LP: #2122054 Snap installation: skip snap icon download when", " running in a cloud or using a proxy store", " - Snap installation: add timeout to http client when downloading", " snap icon", " - Snap installation: use http(s) proxy for icon downloads", " - LP: #2117558 snap-confine: fix error message with /root/snap not", " accessible", " - snap-confine: fix non-suid limitation by switching to root:root to", " operate v1 freezer", " - core-initrd: do not use writable-paths when not available", " - core-initrd: remove debian folder", " - LP: #1916244 Interfaces: gpio-chardev | re-enable the gpio-chardev", " interface now with the more robust gpio-aggregator configfs kernel", " interface", " - Interfaces: gpio-chardev | exclusive snap connections, raise a", " conflict when both gpio-chardev and gpio are connected", " - Interfaces: gpio-chardev | fix gpio-aggregator module load order", " - Interfaces: ros-snapd-support | grant access to /v2/changes", " - Interfaces: uda-driver-libs, egl-driver-libs, gbm-driver-libs,", " opengl-driver-libs, opengles-driver-libs | new interfaces to", " support nvidia driver components", " - Interfaces: microstack-support | allow DPDK (hugepage related", " permissions)", " - Interfaces: system-observe | allow reading additional files in", " /proc, needed by node-exporter", " - Interfaces: u2f | add Cano Key, Thesis FIDO2 BioFP+ Security Key", " and Kensington VeriMark DT Fingerprint Key to device list", " - Interfaces: snap-interfaces-requests-control | allow shell API", " control", " - Interfaces: fwupd | allow access to Intel CVS sysfs", " - Interfaces: hardware-observe | allow read access to Kernel", " Samepage Merging (KSM)", " - Interfaces: xilinx-dma | support Multi Queue DMA (QDMA) IP", " - Interfaces: spi | relax sysfs permission rules to allow access to", " SPI device node attributes", " - Interfaces: content | introduce compatibility label", " - LP: #2121238 Interfaces: do not expose Kerberos tickets for", " classic snaps", " - Interfaces: ssh-public-keys | allow ro access to public host keys", " with ssh-key", " - Interfaces: Modify AppArmor template to allow listing systemd", " credentials and invoking systemd-creds", " - Interfaces: modify AppArmor template with workarounds for Go 1.35", " cgroup aware GOMAXPROCS", " - Interfaces: modify seccomp template to allow landlock_*", " - Prevent snap hooks from running while relevant snaps are unlinked", " - Make refreshes wait before unlinking snaps if running hooks can be", " affected", " - Fix systemd unit generation by moving \"WantedBy=\" from section", " \"unit\" to \"install\"", " - Add opt-in logging support for snap-update-ns", " - Unhide 'snap help' sign and export-key under Development category", " - LP: #2117121 Cleanly support socket activation for classic snap", " - Add architecture to 'snap version' output", " - Add 'snap debug api' option to disable authentication through", " auth.json", " - Show grade in notes for 'snap info --verbose'", " - Fix preseeding failure due to scan-disk issue on RPi", " - Support 'snap debug api' queries to user session agents", " - LP: #2112626 Improve progress reporting for snap install/refresh", " - Drop legacy BAMF_DESKTOP_FILE_HINT in desktop files", " - Fix /v2/apps error for root user when user services are present", " - LP: #2114704 Extend output to indicate when snap data snapshot was", " created during remove", " - Improve how we handle emmc volumes", " - Improve handling of system-user extra assertions", "" ], "package": "snapd", "version": "2.72+ubuntu25.04", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2124239, 2122054, 2117558, 1916244, 2121238, 2117121, 2112626, 2114704 ], "author": "Ernest Lotter ", "date": "Thu, 18 Sep 2025 10:00:54 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2112209", " - FDE: Fix reseal with v1 hook key format", " - FDE: set role in TPM keys", " - AppArmor prompting (experimental): add handling for expired", " requests or listener in the kernel", " - AppArmor prompting: log the notification protocol version", " negotiated with the kernel", " - AppArmor prompting: implement notification protocol v5 (manually", " disabled for now)", " - AppArmor prompting: register listener ID with the kernel and", " resend notifications after snapd restart (requires protocol v5+)", " - AppArmor prompting: select interface from metadata tags and set", " request interface accordingly (requires protocol v5+)", " - AppArmor prompting: include request PID in prompt", " - AppArmor prompting: move the max prompt ID file to a subdirectory", " of the snap run directory", " - AppArmor prompting: avoid race between closing/reading socket fd", " - Confdb (experimental): make save/load hooks mandatory if affecting", " ephemeral", " - Confdb: clear tx state on failed load", " - Confdb: modify 'snap sign' formats JSON in assertion bodies (e.g.", " confdb-schema)", " - Confdb: add NestedEphemeral to confdb schemas", " - Confdb: add early concurrency checks", " - Simplify building Arch package", " - Enable snapd.apparmor on Fedora", " - Build snapd snap with libselinux", " - Emit snapd.apparmor warning only when using apparmor backend", " - When running snap, on system key mismatch e.g. due to network", " attached HOME, trigger and wait for a security profiles", " regeneration", " - Avoid requiring state lock to get user, warnings, or pending", " restarts when handling API requests", " - Start/stop ssh.socket for core24+ when enabling/disabling the ssh", " service", " - Allow providing a different base when overriding snap", " - Modify snap-bootstrap to mount snapd snap directly to /snap", " - Modify snap-bootstrap to mount /lib/{modules,firmware} from snap", " as fallback", " - Modify core-initrd to use systemctl reboot instead of /sbin/reboot", " - Copy the initramfs 'manifest-initramfs.yaml' to initramfs file", " creation directory so it can be copied to the kernel snap", " - Build the early initrd from installed ucode packages", " - Create drivers tree when remodeling from UC20/22 to UC24", " - Load gpio-aggregator module before the helper-service needs it", " - Run 'systemctl start' for mount units to ensure they are run also", " when unchanged", " - Update godbus version to 'v5 v5.1.0'", " - Add support for POST to /v2/system-info with system-key-mismatch", " indication from the client", " - Add 'snap sign --update-timestamp' flag to update timestamp before", " signing", " - Add vfs support for snap-update-ns to use to simulate and evaluate", " mount sequences", " - Add refresh app awareness debug logging", " - Add snap-bootstrap scan-disk subcommand to be called from udev", " - Add feature to inject proxy store assertions in build image", " - Add OP-TEE bindings, enable by default in ARM and ARM64 builds", " - Fix systemd dependency options target to go under 'unit' section", " - Fix snap-bootstrap reading kernel snap instead of base resulting", " in bad modeenv", " - Fix a regression during seeding when using early-config", " - LP: #2107443 reset SHELL to /bin/bash in non-classic snaps", " - Make Azure kernels reboot upon panic", " - Fix snap-confine to not drop capabilities if the original user is", " already root", " - Fix data race when stopping services", " - Fix task dependency issue by temporarily disable re-refresh on", " prerequisite updates", " - Fix compiling against op-tee on armhf", " - Fix dbx update when not using FDE", " - Fix potential validation set deadlock due to bases waiting on", " snaps", " - LP: #2104066 Only cancel notices requests on stop/shutdown", " - Interfaces: bool-file | fix gpio glob pattern as required for", " '[XXXX]*' format", " - Interfaces: system-packages-doc | allow access to", " /usr/local/share/doc", " - Interfaces: ros-snapd-support interface | added new interface", " - Interfaces: udisks2 | allow chown capability", " - Interfaces: system-observe | allow reading cpu.max", " - Interfaces: serial-port | add ttyMAXX to allowed list", " - Interfaces: modified seccomp template to disallow", " 'O_NOTIFICATION_PIPE'", " - Interfaces: fwupd | add support for modem-manager plugin", " - Interfaces: gpio-chardev | make unsupported and remove", " experimental flag to hide this feature until gpio-aggregator is", " available", " - Interfaces: hardware-random | fix udev match rule", " - Interfaces: timeserver-control | extend to allow timedatectl", " timesync commands", " - Interfaces: add symlinks backend", " - Interfaces: system key mismatch handling", "" ], "package": "snapd", "version": "2.70", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2112209, 2107443, 2104066 ], "author": "Ernest Lotter ", "date": "Tue, 03 Jun 2025 11:46:44 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2105854", " - FDE: re-factor listing of the disks based on run mode model and", " model to correctly resolve paths", " - FDE: run snapd from snap-failure with the correct keyring mode", " - Snap components: allow remodeling back to an old snap revision", " that includes components", " - Snap components: fix remodel to a kernel snap that is already", " installed on the system, but not the current kernel due to a", " previous remodel.", " - Snap components: fix for snapctl inputs that can crash snapd", " - Confdb (experimental): load ephemeral data when reading data via", " snapctl get", " - Confdb (experimental): load ephemeral data when reading data via", " snap get", " - Confdb (experimental): rename {plug}-view-changed hook to observe-", " view-{plug}", " - Confdb (experimental): rename confdb assertion to confdb-schema", " - Confdb (experimental): change operator grouping in confdb-control", " assertion", " - Confdb (experimental): add confdb-control API", " - AppArmor: extend the probed features to include the presence of", " files, as well as directories", " - AppArmor prompting (experimental): simplify the listener", " - AppArmor metadata tagging (disabled): probe parser support for", " tags", " - AppArmor metadata tagging (disabled): implement notification", " protocol v5", " - Confidential VMs: sysroot.mount is now dynamically created by", " snap-bootstrap instead of being a static file in the initramfs", " - Confidential VMs: Add new implementation of snap integrity API", " - Non-suid snap-confine: first phase to replace snap-confine suid", " with capabilities to achieve the required permissions", " - Initial changes for dynamic security profiles updates", " - Provide snap icon fallback for /v2/icons without requiring network", " access at runtime", " - Add eMMC gadget update support", " - Support reexec when using /usr/libexec/snapd on the host (Arch", " Linux, openSUSE)", " - Auto detect snap mount dir location on unknown distributions", " - Modify snap-confine AppArmor template to allow all glibc HWCAPS", " subdirectories to prevent launch errors", " - LP: #2102456 update secboot to bf2f40ea35c4 and modify snap-", " bootstrap to remove usage of go templates to reduce size by 4MB", " - Fix snap-bootstrap to mount kernel snap from", " /sysroot/writable/system-data", " - LP: #2106121 fix snap-bootstrap busy loop", " - Fix encoding of time.Time by using omitzero instead of omitempty", " (on go 1.24+)", " - Fix setting snapd permissions through permctl for openSUSE", " - Fix snap struct json tags typo", " - Fix snap pack configure hook permissions check incorrect file mode", " - Fix gadget snap reinstall to honor existing sizes of partitions", " - Fix to update command line when re-executing a snapd tool", " - Fix 'snap validate' of specific missing newline and add error on", " missed case of 'snap validate --refresh' without another action", " - Workaround for snapd-confine time_t size differences between", " architectures", " - Disallow pack and install of snapd, base and os with specific", " configure hooks", " - Drop udev build dependency that is no longer required and add", " missing systemd-dev dependency", " - Build snap-bootstrap with nomanagers tag to decrease size by 1MB", " - Interfaces: polkit | support custom polkit rules", " - Interfaces: opengl | LP: #2088456 fix GLX on nvidia when xorg is", " confined by AppArmor", " - Interfaces: log-observe | add missing udev rule", " - Interfaces: hostname-control | fix call to hostnamectl in core24", " - Interfaces: network-control | allow removing created network", " namespaces", " - Interfaces: scsi-generic | re-enable base declaration for scsi-", " generic plug", " - Interfaces: u2f | add support for Arculus AuthentiKey", "" ], "package": "snapd", "version": "2.69", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2105854, 2102456, 2106121, 2088456 ], "author": "Ernest Lotter ", "date": "Tue, 08 Apr 2025 12:53:39 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2098137", " - LP: #2109843 fix missing preseed files when running in a container", "" ], "package": "snapd", "version": "2.68.5", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2098137, 2109843 ], "author": "Ernest Lotter ", "date": "Wed, 21 May 2025 17:46:09 +0200" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [], "snap": [] }, "removed": { "deb": [], "snap": [] }, "notes": "Changelog diff for Ubuntu 25.04 plucky image from daily image serial 20251111 to 20251113", "from_series": "plucky", "to_series": "plucky", "from_serial": "20251111", "to_serial": "20251113", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }