Package "apparmor-profiles"
Name: apparmor-profiles
Description: profiles for AppArmor Security policies
Latest version: 2.10.95-0ubuntu2.12
Release: xenial (16.04)
Level: updates
Repository: main
Head package: apparmor
Homepage: http://apparmor.net/
Changelog
apparmor (2.10.95-0ubuntu2.6) xenial-security; urgency=medium
* SECURITY UPDATE: Don't unload unknown profiles during package
configuration or when restarting the apparmor init script or upstart job
as this could leave processes unconfined (LP: #1668892)
- debian/apparmor.postinst, debian/apparmor.init, debian/apparmor.upstart:
Remove calls to unload_obsolete_profiles()
- debian/patches/utils-add-aa-remove-unknown.patch,
debian/apparmor.install debian/apparmor.manpages: Include a new utility,
aa-remove-unknown, which can be used to unload unknown profiles
- CVE-2017-6507
-- Tyler Hicks <email address hidden> Wed, 15 Mar 2017 22:07:02 +0000

1668892: CVE-2017-6507: apparmor service restarts and package upgrades unload privately managed profiles
CVE-2017-6507: An issue was discovered in AppArmor before 2.12. Incorrect handling of unknown AppArmor profiles in AppArmor init scripts, upstart jobs, and/or syste

apparmor (2.10.95-0ubuntu2.5) xenial; urgency=medium
* debian/lib/apparmor/functions, debian/apparmor.init,
debian/apparmor.service, debian/apparmor.upstart,
debian/lib/apparmor/profile-load: Adjust the checks that previously kept
AppArmor policy from being loaded while booting a container. Now we
attempt to load policy if we're in a LXD or LXC managed container that is
using profile stacking inside of a policy namespace. (LP: #1628285)
* Fix regression tests for stacking so that the kernel SRU process is not
interrupted by failing tests whenever the AppArmor stacking features are
backported from the 16.10 kernel or when the 16.04 LTS Enablement Stack
receives a 4.8 or newer kernel
- debian/patches/r3509-tests-fix-exec_stack-errors-1.patch: Fix the
exec_stack.sh test when running on 4.8 or newer kernels (LP: #1628745)
- debian/patches/r3558-tests-fix-exec_stack-errors-2.patch: Adjust the
exec_stack.sh fix mentioned above to more accurately test kernels older
than 4.8 (LP: #1630069)
- debian/patches/allow-stacking-tests-to-use-system.patch: Apply this
patch earlier in the series, as to match when it was committed upstream,
so that the above two patches can be cherry-picked from lp:apparmor
-- Tyler Hicks <email address hidden> Fri, 07 Oct 2016 05:21:44 +0000

1628285: apparmor should be allowed to start in containers
1628745: Change in kernel exec transition behavior causes regression tests to fail
1630069: Regression tests can not detect binfmt_elf mmap semantic change

apparmor (2.10.95-0ubuntu2.2) xenial; urgency=medium
* r3498-r3499-ignore-net-events-that-look-like-file-events.patch: Prevent an
aa-logprof crash by ignoring file events that contain send *and* receive
in the request mask. This is an improvement to the previous fix that only
addressed events that contained send *or* receive.
(LP: #1577051, LP: #1582374)
- debian/rules: Create a new empty file, needed for the test added by this
patch, since quilt is unable to do so.
-- Tyler Hicks <email address hidden> Mon, 01 Aug 2016 18:03:36 -0500

1577051: aa-logprof fails with unknown mode \
1582374: Log contains unknown mode senw
