| Type: | BUG |
| Impact: | NA |
| Release Date: | 2026-06-09 |
* Thu May 28 2026 Ernest Lotter
- New upstream release 2.76
- assertions: add helper for validating integrity data
- assertions: drop incorrect/non-standard Ed25519 support
- confdb: allow only API admin read access to confdb secrets
- confdb: block concurrent confdb accesses
- confdb: block concurrent snapctl accesses to configuration
database
- confdb: check for ephemeral data when missing save-view hook on
commit
- confdb: ignore not-found errors in confdb-schema refreshes
- confdb: support --wait-for timeouts when accessing confdb
- core-initrd: add group referenced in udev rules
- core-initrd: add libbpf dependency to initramfs
- core-initrd: add missing libbpf dependency in 24.04 packaging
- core-initrd: ensure audio is a system group
- core-initrd: fix /boot/uboot mount with u-boot env in dedicated
partition
- core-initrd: increase mount burst from 5 to 128 for faster boot
- core-initrd: sync partition udev rules with the ones in core-base
- core-initrd: sync with latest upload to snappy-dev PPA
- core-initrd: synchronize changelogs with latest PPA upload
- core-initrd: update changelog with latest PPA upload
- LP: #2150773 core-initrd: add nfnetlink module to fix nf netlink
socket speed regression (Ubuntu Core only)
- cross-distro: allow snapd to manipulate systemd unit files in
SELinux policy
- cross-distro: FIPS bootstrap and dispatch via snap-fips-dispatch
- desktop: fix common ID selection with multiple desktop plugs
- FDE: allow user mode on core in secboot TPM handling
- FDE: bump go-efilib dependency
- FDE: bump secboot to rev cdcb64992e54 for FDE fixes
- FDE: deprecate check-pin/passphrase API endpoints
- LP: #2147606 FDE: give inactive state on classic
- FDE: improve tracing for OP-TEE probing
- FDE: move auto-repair logic to overlord/fdestate and provide state
- FDE: update secboot for TPM/FDE bug fixes including Intel HAP and
recovery key parsing
- FDE: use any primary key matching digest when adding a keyslot
- FDE: use ignore action for preinstall check in VM
- interfaces: bluez | drop explicit deny send_destination in D-Bus
configuration
- interfaces: conditionally deny /proc/self/mountinfo to suppress Go
1.25+ denials
- interfaces: custom-device | fix for-device validation panic on
non-string value
- interfaces: disallow auto-connect to parallel installs
- interfaces: docker | make plug implicit on classic systems
- interfaces: ignore errors in disconnect hooks during explicit snap
disconnect
- interfaces: mediatek-accel | add plug interface base declaration
- interfaces: microceph-support | suppress noisy sudo denial audit
logs
- interfaces: podman | add new interface for podman socket access
- interfaces: pulseaudio | fix security tag syntax inconsistency
- interfaces: raw-usb | allow USB device enumeration on Fairphone 5
with NexDock
- interfaces: restore auto-connections on failed refresh undo
- LP: #2148544 interfaces: bool-file | support deep SoC sysfs paths
for LED brightness
- LP: #2139213 packaging: make Ubuntu 16.04 packaging dep17
compliant
- packaging: add cross-distro build script and instructions
- packaging: add openSUSE 16.0 spread support
- packaging: Debian build improvements
- packaging: default openSUSE to /var/lib/snapd/snap and sync from
downstream
- packaging: drop transitional packages only for Ubuntu 26.04
(Resolute)
- packaging: fix Launchpad FIPS build detection for snapd-fips job
- packaging: refactor and clean up snapd.mk, standardize test-data
directories
- packaging: switch to golang-github-chai2010-gettext-go-dev
- packaging: update bundled AppArmor 4.1.7 (snapd snap only)
- prompting: escape paths in prompt constraints
- prompting: improve API error handling and validation
- prompting: improve error message when no handler service is
present
- prompting: re-enable the prompting notice backend
- prompting: respond with full user-allowed permission set
- prompting: validate permissions while unmarshalling
- remote device management: implement dispatch-mgmt-messages task
with sequencing support
- LP: #2125344 snap: avoid empty channel forwarding message
- LP: #2150683 snap: clarify snap install help text for --classic
and --devmode
- LP: #2152908 snap: print complex attributes in snap interface
--attrs output
- snap: add run-inhibit hint and inhibit info when a snap is
disabled
- snap: allow removing a snap and its base at the same time
- snap: display detailed component information in snap info
- snap: extend AlreadyInstalledError to multiple snaps and
components
- snap: extend set-quota command options description with accepted
value formats
- snap: implement snap delta command for computing snap deltas
- snap: improve consistency for snap install when some snaps are
already installed
- snap: show hint in snap list that a snap has components
- snap-confine: allow inheriting unix sockets from snaps
- snap-confine: allow linking to libm in AppArmor profile
- snap-confine: fix out-of-bounds read in mountinfo parser for
partial escape sequences
- snap-confine: harden bpffs mount with nosuid, nodev, noexec flags
- snap-confine: remove experimental persistent per-user mount
namespace feature
- snap-confine: set FD_CLOEXEC on file descriptors returned by BPF
helpers
- snap-confine: support transparent_hugepage in AppArmor profile
- snap-confine: use strchr after NUL-terminating in infofile parser
- snap-update-ns: switch to a multi-pass process for constructing
and updating mount namespaces
- RemoveMountUnitFile now unmounts even if mount unit file is
missing
- Add explicit mount phase during single-reboot refresh to fix undo
of kernel refreshes
- Add security audit logging subsystem
- Add base prioritized AppArmor snippets for strictly confined or
jailed snaps
- Allow openshell snap to use experimental daemon-scope: user
- Allow configuring mount unit options based on filesystem type
- Allow equals signs in uevent values in netlink parser
- Also bind-mount directories modified by kmod backend during
preseed
- Clean up potentially corrupted files during snap download undo
- Complete the bootloader environment implementation
- Copy integrity data files during snap install
- Create hook for seed refresh mode
- Create removal tasks for old seed-refresh seeds
- Dispatch systemctl commands asynchronously when calling Stop()
- Ensure /tmp/.X11-unix created inside mount namespace has correct
permissions
- Ensure exclusive changes conflict with refresh/revert
- Ensure existing snap confinement flags are not dropped when
installing or removing components
- Export ubuntu-boot-state filename constant from bootloader package
- Fix duplicate removal of apps under /bin
- Fix integration between prerequisites task and seed-refresh mode
- Fix split-refresh overwriting provided lane
- Fix use of umask in GetListener for socket activation
- Ignore net.ErrClosed during daemon shutdown
- Implement ResolveValidationSetsEnforcementError in terms of one
call
- Improve snapctl install consistency when components are already
installed
- Inject seed creation tasks into snap refresh flow
- Introduce system options for custom certificates on Ubuntu Core
- Keep idle services with activation units stopped on reload
- List snap components in snap-debug-info via debug-tools
- Look at gadget.yaml instead of marker file to determine ubootpart
usage
- LP: #1966067 Skip redundant xdg-settings confirmation prompt when
setting is already correct
- LP: #2110368 Fix component installation for private snaps via
snapctl
- LP: #2110368 Fix download of private snap components by setting
UserID
- LP: #2144666 Fix mount namespace updates with synthetic bind
mounts on same target paths
- LP: #2146337 Improve handling of failed downloads and retain
partial files for resume
- LP: #2147207 Fix snap enable/disable cycle forgetting components
- Make run-inhibit hint for kill-snap-apps task based on kill reason
- Merge content-provider prerequisite updates into seed-refresh
- Move SortServices into Backend.StartServices
- Move state to client change conversion to ctlcmd package
- Omit misleading 'try to refresh snapd' suggestion for ISA-related
errors
- Only create link-component tasks when needed during refresh to
existing revision
- Reconfigure piboot bootloader on gadget refreshes to preserve
os_prefix
- Reduce the number of AppArmor profile regenerations during snap
operations
- Refactor seed-refresh ownership to devicestate
- Regenerate certificate database on remodels
- Remove obsolete FIXME comment in VersionCompare
- Remove unused GenerateDmVerityData helper from snap/integrity
- Rename and document error type for ISA assumes flags
- Restart snapd from daemon.Stop to improve restart reliability
- Restart stopped services on error in stopSnapServices for
transactionality
- Simplify certificate-db updates on model-base refresh/installs
- Support racing Loop and Stop correctly in overlord
- Support sending file descriptors to systemd via sd_notify
- Unroll CPU-heavy recursive function in snap state handlers
- Update seccomp syscalls list for kernel 7.1.0
- Use change ID to prevent nested seed-refresh spawned by
prerequisites
- Validate content interface plug target directories exist for
core26+ snaps
- Validate layout paths exist in snap tree for snaps using bare or
core26+
* Fri Apr 17 2026 Katie May
- New upstream release 2.75.2
See NEWS file for details.
[2.74.1-2]
- Add cap_setgid and cap_setuid to snap-confine to restore support for
cgroup-v1 systems.
[2.74.1-1]
- Fix missing cap_sys_resource on snap-confine
* Fri Mar 13 2026 Ernest Lotter
- New upstream release 2.74.1
- FDE: measure DeployedMode and AuditMode variables if they appear
as disabled in the event log to avoid a potential reseal-failure
boot loop
- LP: #2139611 FDE: fix db updates by allowing multiple payloads
- LP: #2139300 snap-confine: add CAP_SYS_RESOURCE to allow raising
memory lock limit when required
- LP: #2139099 snap-confine: bump the max element count of the BPF
map used to store IDs of allowed/matched devices to 1000
- Interfaces: Added pidfd_open and memfd_secret to seccomp template
- Interfaces: camera | add locking permission for /dev/video
[2.72-4]
- Default to vendored Go dependencies in Fedora
[2.72-3]
- Rebuild for https://fedoraproject.org/wiki/Changes/golang1.26
[2.72-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Thu Nov 13 2025 Ernest Lotter
- New upstream release 2.72
- FDE: support replacing TPM protected keys at runtime via the
/v2/system-volumes endpoint
- FDE: support secboot preinstall check fix actions for 25.10+
hybrid installs via the /v2/system/{label} endpoint
- FDE: tweak polkit message to remove jargon
- FDE: ensure proper sealing with kernel command line defaults
- FDE: provide generic reseal function
- FDE: support using OPTEE for protecting keys, as an alternative to
existing fde-setup hooks (Ubuntu Core only)
- Confdb: 'snapctl get --view' supports passing default values
- Confdb: content sub-rules in confdb-schemas inherit their parent
rule's 'access'
- Confdb: make confdb error kinds used in API more generic
- Confdb: fully support lists and indexed paths (including unset)
- Prompting: add notice backend for prompting types (unused for now)
- Prompting: include request cgroup in prompt
- Prompting: handle unsupported xattrs
- Prompting: add permission mapping for the camera interface
- Notices: read notices from state without state lock
- Notices: add methods to get notice fields and create, reoccur, and
deepcopy notice
- Notices: add notice manager to coordinate separate notice backends
- Notices: support draining notices from state when notice backend
registered as producer of a particular notice type
- Notices: query notice manager from daemon instead of querying
state for notices directly
- Packaging: Ubuntu | ignore .git directory
- Packaging: FIPS | bump deb Go FIPS to 1.23
- Packaging: snap | bump FIPS toolchain to 1.23
- Packaging: debian | sync most upstream changes
- Packaging: debian-sid | depends on libcap2-bin for postinst
- Packaging: Fedora | drop fakeroot
- Packaging: snap | modify snapd.mk to pass build tags when running
unit tests
- Packaging: snap | modify snapd.mk to pass nooptee build tag
- Packaging: modify Makefile.am to fix snap-confine install profile
with 'make hack'
- Packaging: modify Makefile.am to fix out-of-tree use of 'make
hack'
- LP: #2122054 Snap installation: skip snap icon download when
running in a cloud or using a proxy store
- Snap installation: add timeout to http client when downloading
snap icon
- Snap installation: use http(s) proxy for icon downloads
- LP: #2117558 snap-confine: fix error message with /root/snap not
accessible
- snap-confine: fix non-suid limitation by switching to root:root to
operate v1 freezer
- core-initrd: do not use writable-paths when not available
- core-initrd: remove debian folder
- LP: #1916244 Interfaces: gpio-chardev | re-enable the gpio-chardev
interface now with the more robust gpio-aggregator configfs kernel
interface
- Interfaces: gpio-chardev | exclusive snap connections, raise a
conflict when both gpio-chardev and gpio are connected
- Interfaces: gpio-chardev | fix gpio-aggregator module load order
- Interfaces: ros-snapd-support | grant access to /v2/changes
- Interfaces: cuda-driver-libs, egl-driver-libs, gbm-driver-libs,
opengl-driver-libs, opengles-driver-libs | new interfaces to
support nvidia driver components
- Interfaces: microstack-support | allow DPDK (hugepage related
permissions)
- Interfaces: system-observe | allow reading additional files in
/proc, needed by node-exporter
- Interfaces: u2f | add Cano Key, Thesis FIDO2 BioFP+ Security Key
and Kensington VeriMark DT Fingerprint Key to device list
- Interfaces: snap-interfaces-requests-control | allow shell API
control
- Interfaces: fwupd | allow access to Intel CVS sysfs
- Interfaces: hardware-observe | allow read access to Kernel
Samepage Merging (KSM)
- Interfaces: xilinx-dma | support Multi Queue DMA (QDMA) IP
- Interfaces: spi | relax sysfs permission rules to allow access to
SPI device node attributes
- Interfaces: content | introduce compatibility label
- LP: #2121238 Interfaces: do not expose Kerberos tickets for
classic snaps
- Interfaces: ssh-public-keys | allow ro access to public host keys
with ssh-key
- Interfaces: Modify AppArmor template to allow listing systemd
credentials and invoking systemd-creds
- Interfaces: modify AppArmor template with workarounds for Go 1.35
cgroup aware GOMAXPROCS
- Interfaces: modify seccomp template to allow landlock_*
- Prevent snap hooks from running while relevant snaps are unlinked
- Make refreshes wait before unlinking snaps if running hooks can be
affected
- Fix systemd unit generation by moving 'WantedBy=' from section
'unit' to 'install'
- Add opt-in logging support for snap-update-ns
- Unhide 'snap help' sign and export-key under Development category
- LP: #2117121 Cleanly support socket activation for classic snap
- Add architecture to 'snap version' output
- Add 'snap debug api' option to disable authentication through
auth.json
- Show grade in notes for 'snap info --verbose'
- Fix preseeding failure due to scan-disk issue on RPi
- Support 'snap debug api' queries to user session agents
- LP: #2112626 Improve progress reporting for snap install/refresh
- Drop legacy BAMF_DESKTOP_FILE_HINT in desktop files
- Fix /v2/apps error for root user when user services are present
- LP: #2114704 Extend output to indicate when snap data snapshot was
created during remove
- Improve how we handle emmc volumes
- Improve handling of system-user extra assertions
[2.71-1]
- rebuild
| Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label |
| Oracle Linux 8 (aarch64) | snapd-2.76-0.el8.src.rpm | cd5ff601f0ee3987c85ecdcbf4f24846d30ef4719370361b0d56514ff9eb0ac7 | - | ol8_aarch64_developer_EPEL |
| | snap-confine-2.76-0.el8.aarch64.rpm | c6565e4aa97ac603932aa025ebcbd30f1f60d322d6422daab8d7a76be2306962 | - | ol8_aarch64_developer_EPEL |
| | snapd-2.76-0.el8.aarch64.rpm | f14fcfe3f9e7a87cddd687f3ed574973b96196c0436aa3744672cf7477cfd0bb | - | ol8_aarch64_developer_EPEL |
| | snapd-devel-2.76-0.el8.noarch.rpm | 223fb514a9e8b5c9078a364c097199208e6f205fbf10fbf01b00b9ff8aaeb459 | - | ol8_aarch64_developer_EPEL |
| | snapd-selinux-2.76-0.el8.noarch.rpm | d55535c866efe6f1239b623fc8b238ace534cb856a6dd17fc0396f75e1374d2a | - | ol8_aarch64_developer_EPEL |
| Oracle Linux 8 (x86_64) | snapd-2.76-0.el8.src.rpm | cd5ff601f0ee3987c85ecdcbf4f24846d30ef4719370361b0d56514ff9eb0ac7 | - | ol8_x86_64_developer_EPEL |
| | snap-confine-2.76-0.el8.x86_64.rpm | 9b7c6c0df423beec017da73aa2f66717b6bc09941d10fad3d3988ce431a3d97b | - | ol8_x86_64_developer_EPEL |
| | snapd-2.76-0.el8.x86_64.rpm | 30ed3a3f2b575b5876dbfe8a81b3ae11cb3c177cd6ba3c3cf59dbdb010cd759e | - | ol8_x86_64_developer_EPEL |
| | snapd-devel-2.76-0.el8.noarch.rpm | 223fb514a9e8b5c9078a364c097199208e6f205fbf10fbf01b00b9ff8aaeb459 | - | ol8_x86_64_developer_EPEL |
| | snapd-selinux-2.76-0.el8.noarch.rpm | d55535c866efe6f1239b623fc8b238ace534cb856a6dd17fc0396f75e1374d2a | - | ol8_x86_64_developer_EPEL |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections, please contact the Oracle Linux ULN team.