AppArmor 2.10.3

AppArmor 2.10.3 Release

Milestone information

Project:
AppArmor
Series:
2.10
Version:
2.10.3
Released:
2017-10-19  
Registrant:
John Johansen
Release registered:
2017-10-19
Active:
No. Drivers cannot target bugs and blueprints to this milestone.  

Activities

Assignees:
No users assigned to blueprints and bugs.
Blueprints:
No blueprints are targeted to this milestone.
Bugs:
5 Fix Released

Download files for this release

After you've downloaded a file, you can verify its authenticity using its MD5 sum or signature.

File | Description | Downloads
apparmor-2.10.3.tar.gz (md5, sig) | AppArmor 2.10.3 | 92 (last downloaded 10 weeks ago)
Total downloads: 92

Release notes 

AppArmor 2.10.3 is an incremental bug fix release over AppArmor 2.10.2 that is focused on fixing issues in the userspace code.

This release includes the 2.10 branch changes between r3379 (= 2.10.2) and r3407.

Policy Compiler (a.k.a. apparmor_parser)

    Fix af_unix downgrade of network rules
    Fix delete after new[]

Init

    Preserve unknown profiles when restarting apparmor init/job/unit CVE-2017-6507 lp#1668892

Library

    libapparmor: fix swig test_apparmor.py for zero length ptrace records

Utils

    aa-unconfined - fix netstat invocation regression
    aa-logprof - Ignore change_hat events with error=-1 and "unconfined can not change_hat"
    Add aa-remove-unknown utility to unload unknown profiles lp#1668892
    Remove re.LOCALE flag lp#1661766

Policy

    Abstractions
        freedesktop.org - support /usr/local/applications; support subdirs of applications folder
        python - update for python3.6
        perl - adjust the multiarch alternation rule for modern Debian and Ubuntu systems
        base - glibc uses /proc/*/auxv and /proc/*/status files, too
        apache2 - updates for proper signal handling, optional saslauth, and OCSP stapling

    dovecot
        Allow /var/run/dovecot/login-master-notify* in dovecot imap-login profiles
        add the attach_disconnected flag
        change Px to mrPx for /usr/lib/dovecot/*
        dovecot-lda needs
        Add several permissions to the dovecot profiles that are needed on ubuntu
            the attach_disconnected flags
            read access to /usr/share/dovecot/protocols.d/
            rw for /run/dovecot/auth-userdb
    traceroute - support TCP SYN for probes, quiet net_admin request
    Samba - updates for ActiveDirectory / Kerberos
    postfix
        change abstractions/postfix-common to allow /etc/postfix/*.db k
        add several permissions to postfix/error, postfix/lmtp and postfix/pipe
        remove superfluous abstractions/kerberosclient from all postfix profiles - it's included via abstractions/nameservice

Documentation

    apparmor.d manpage - Add network 'smc' keyword in NetworkRule
    aa-status manpage updated for updated podchecker
    Add --no-reload to various utils manpages

Tests

    libapparmor - remove test_multi unconfined-change_hat.profile
    regression tests: fix environ fail case

Changelog 

This release does not have a changelog.

0 blueprints and 5 bugs targeted

Bug report | Importance | Assignee | Status
#1512131 Apparmor complains about multiple /run/dovecot file access | Undecided | | Fix Released
#1650827 /usr/lib/dovecot/dovecot-lda: "Failed name lookup - disconnected path" | Undecided | | Fix Released
#1658238 apache2 abstraction incomplete | Undecided | | Fix Released
#1658239 base abstraction missing glibc /proc/$pid/ things | Undecided | | Fix Released
#1668892 CVE-2017-6507: apparmor service restarts and package upgrades unload privately managed profiles | Undecided | | Fix Released