AppArmor

AppArmor 2.9.5

AppArmor 2.9.5 Release

Milestone information

Project:: AppArmor

Series:: 2.9

Version:: 2.9.5

Released:: 2017-10-19

Registrant:: John Johansen

Release registered:: 2017-10-19

Active:: No. Drivers cannot target bugs and blueprints to this milestone.

Download RDF metadata

Activities

Assigned to you:: No blueprints or bugs assigned to you.

Assignees:: No users assigned to blueprints and bugs.

Blueprints:: No blueprints are targeted to this milestone.

Bugs:: 5 Fix Released

Download files for this release

After you've downloaded a file, you can verify its authenticity using its MD5 sum or signature. (How do I verify a download?)

File	Description	Downloads
apparmor-2.9.5.tar.gz (md5, sig)	AppArmor 2.9.5	83 last downloaded 18 weeks ago
Total downloads:		83

Release notes

AppArmor 2.9.5 is an incremental bug fix release over AppArmor 2.9.4 that is focused on fixing issues in the userspace code.

It includes the changes in the 2.9 branch between r3045 (AppArmor 2.9.4) and r3068.

Policy Compiler (a.k.a apparmor_parser)

Fix af_unix downgrade of network rules
parser Fix delete after new[]

Init

Preserve unknown profiles when restarting apparmor init/job/unit. CVE-2017-6507 lp#1668892

Utils

    aa-logprof - Ignore change_hat events with error=-1 and "unconfined can not change_hat"
    aa-unconfined - fix netstat invocation regression
    Add aa-remove-unknown utility to unload unknown profiles lp#1668892
    Remove re.LOCALE flag lp#1661766

Policy

    abstractions
        base - update for glibc use of /proc/*/auxv and /proc/*/status
        apache2 - updates for proper signal handling, optional saslauth, and OCSP stapling
        freedesktop.org: support /usr/local/applications; support subdirs of applications folder
        Adjust python abstraction for python3.6
    dovecot
        Allow /var/run/dovecot/login-master-notify* in dovecot imap-login profiles
        add the attach_disconnected flag
        change Px to mrPx for /usr/lib/dovecot/*
        Add several permissions to the dovecot profiles that are needed on ubuntu lp#1512131
        dovecot-lda needs lp#1650827
    traceroute updates https://bugzilla.opensuse.org/show_bug.cgi?id=1057900
    Samba profile updates for ActiveDirectory / Kerberos
    Postfix

** change abstractions/postfix-common to allow /etc/postfix/*.db k
** add several permissions to postfix/error, postfix/lmtp and postfix/pipe
** remove superfluous abstractions/kerberosclient from all postfix

Documentation

aa-status: update man page for updated podchecker lp#1707614
utils: Add --no-reload option to manpage

Tests

    libapparmor/tests
        remove test_multi unconfined-change_hat.profile
    regression/tests
        fix environ fail case

Changelog

This release does not have a changelog.

0 blueprints and 5 bugs targeted

Bug report			Importance	Status
1512131	#1512131	Apparmor complains about multiple /run/dovecot file access	1 Undecided	10 Fix Released
1650827	#1650827	/usr/lib/dovecot/dovecot-lda: "Failed name lookup - disconnected path"	1 Undecided	10 Fix Released
1658238	#1658238	apache2 abstraction incomplete	1 Undecided	10 Fix Released
1658239	#1658239	base abstraction missing glibc /proc/$pid/ things	1 Undecided	10 Fix Released
1668892	#1668892	CVE-2017-6507: apparmor service restarts and package upgrades unload privately managed profiles	1 Undecided	10 Fix Released

Related milestones and releases

This milestone contains Public information

Everyone can see this information.