-
lxc (1.1.0~alpha2-0ubuntu3.3) utopic-security; urgency=medium
* SECURITY UPDATE: Arbitrary file creation via unintentional symlink
following when accessing an LXC lock file (LP: #1470842)
- debian/patches/0009-CVE-2015-1331.patch: Use /run/lxc/lock, rather than
/run/lock/lxc, as /run and /run/lxc are only writable by root. Based on
patch from upstream.
- CVE-2015-1131
* SECURITY UPDATE: Container AppArmor/SELinux confinement breakout via
lxc-attach using a potentially malicious container proc filesystem to
initialize confinement (LP: #1475050)
- debian/patches/0010-CVE-2015-1334.patch: Use the host's proc filesystem
to set up AppArmor profile and SELinux domain transitions during
lxc-attach. Based on patch from upstream.
- CVE-2015-1334
-- Tyler Hicks <email address hidden> Fri, 17 Jul 2015 10:57:56 -0500
-
lxc (1.1.0~alpha2-0ubuntu3.2) utopic; urgency=medium
* Cherrypick 0007-apparmor-check-for-mount-feature-at-a-better-time.patch
from upstream to fix startup failure with certain setups (LP: #1386840)
-- Felipe Reyes <email address hidden> Thu, 05 Feb 2015 14:20:59 -0600
-
lxc (1.1.0~alpha2-0ubuntu3.1) utopic; urgency=medium
* install lxc-restore-net to /usr/share so that it doesn't get overmounted by
the rootfs in preparation for restore. (LP: #1384751)
-- Tycho Andersen <email address hidden> Wed, 12 Nov 2014 09:57:39 -0600
-
lxc (1.1.0~alpha2-0ubuntu3) utopic; urgency=medium
* fix usernic and apparmor-mounts tests to not clear out the host's
/etc/lxc/lxc-usernet
* fix unprivileged containers when user's cgroup paths are not all
equivalent, and add a testcase for that.
* fix broken behavior when configuration has 'lxc.mount.auto ='
(LP: #1379030)
-- Serge Hallyn <email address hidden> Thu, 09 Oct 2014 12:25:16 -0500
-
lxc (1.1.0~alpha2-0ubuntu2) utopic; urgency=medium
* Cherry-pick upstream bugfix for lxc-usernic test.
-- Stephane Graber <email address hidden> Thu, 02 Oct 2014 15:01:56 -0400
-
lxc (1.1.0~alpha2-0ubuntu1) utopic; urgency=medium
* New upstream release (1.1.0~alpha2) (LP: #1376437)
- Fixes systemd support of lxc-net. (LP: #1312532)
- Introduces support for Openvswitch bridges
- Fixes running unprivileged containers on recent kernels
- Various other bugfixes (LP: #1349918, LP: #1353734, LP: #1354375,
LP: #1307215, LP: #1346815, LP: #1271000,
LP: #1372878)
* WARNING: This release changes the default behavior of lxc-start to
daemonized. If you do need it to stick to the foreground, please pass it
-F or --foreground. The new -F option has also been pushed to the
stable 1.0 branch so that scripts can be made to work regardless of
default behavior.
-- Stephane Graber <email address hidden> Wed, 01 Oct 2014 17:55:02 -0400
-
lxc (1.1.0~alpha1-0ubuntu5) utopic; urgency=medium
* d/p/0003-apparmor-also-deny-silent-remount.patch: update to also patch
container-base.in
* d/p/0004-apparmor-signal-ptrace-unix-mediation.patch: refine signal and
ptrace rules and add unix rules for container enforcement (LP: #1373555)
* debian/rules:
- don't delete the dbus, ptrace and signal lines, but instead comment them
out. This is more consistent with the comment in the policy and lets
people see what the policy would be
- adjust for unix rules
- adjust versioned depends
-- Jamie Strandboge <email address hidden> Fri, 26 Sep 2014 10:59:21 -0500
-
lxc (1.1.0~alpha1-0ubuntu4) utopic; urgency=medium
* d/p/0003-apparmor-also-deny-silent-remount.patch: newer lxc uses 'silent'
when remounting on shutdown. Silence that denial too
-- Jamie Strandboge <email address hidden> Thu, 04 Sep 2014 15:24:15 -0500
-
lxc (1.1.0~alpha1-0ubuntu3) utopic; urgency=medium
* No-change rebuild to get dbgsyms for all binaries onto
ddebs.ubuntu.com
-- Steve Langasek <email address hidden> Thu, 24 Jul 2014 12:20:43 -0700
-
lxc (1.1.0~alpha1-0ubuntu2) utopic; urgency=medium
* d/p/0001-lxc-test-unpriv-usernic.in-make-sure-to-chgrp-as-wel.patch:
Fix test failures in jenkins.
* d/p/0002-Remove-mention-of-mountcgroups-in-ubuntu.common-conf.patch:
Fix the comment in the ubuntu common config about how to support nesting.
(LP: #1342960)
-- Serge Hallyn <email address hidden> Thu, 17 Jul 2014 16:42:46 -0500
-
lxc (1.1.0~alpha1-0ubuntu1) utopic; urgency=medium
* New upstream release (1.1.0~alpha1)
* Enable ppc64el adt as we now have ppc64el images available for download.
-- Stephane Graber <email address hidden> Mon, 07 Jul 2014 15:44:27 -0400
-
lxc (1.0.4-0ubuntu2) utopic; urgency=medium
* Cherry-pick upstream commits to fix testsuite under adt:
- tests: Avoid the download template when possible
- tests: Don't fail when HOME isn't defined
- tests: apparmor: Always end with a newline
-- Stephane Graber <email address hidden> Sat, 14 Jun 2014 16:07:18 -0400
-
lxc (1.0.4-0ubuntu1) utopic; urgency=medium
* New upstream bugfix release.
- Drop all existing patches (all applied upstream).
* Depend on either cgmanager or cgroup-lite and recommend cgmanager.
This should ensure systems get cgmanager by default even if cgroup-lite
is already installed, yet makes it possible for the user to remove
cgmanager if they really want to.
* Remove hardcoded dependency on apparmor, instead generate it from
rules so that the source package can be backported without changes (the
right apparmor version will be picked up based on the release number).
-- Stephane Graber <email address hidden> Fri, 13 Jun 2014 15:09:04 -0400
-
lxc (1.0.3-0ubuntu5build1) utopic; urgency=medium
* no-change rebuild to pick up /etc/init.d/ files.
-- Serge Hallyn <email address hidden> Thu, 29 May 2014 11:59:18 -0500
-
lxc (1.0.3-0ubuntu5) utopic; urgency=medium
* Cherry-pick upstream commit to fix lxc-attach on 3.15 kernels.
-- Stephane Graber <email address hidden> Mon, 26 May 2014 07:51:29 +0200
-
lxc (1.0.3-0ubuntu4) utopic; urgency=medium
* Do not start lxc-instance in postinst without any instance specified,
as that is an invalid request.
-- Dimitri John Ledkov <email address hidden> Thu, 15 May 2014 15:18:33 +0100
-
lxc (1.0.3-0ubuntu3) trusty; urgency=medium
* Add a dependency on the new apparmor to make sure we have the new
parser around before we attempt to load a profile requiring the new
stanza support. (LP: #1304167)
-- Stephane Graber <email address hidden> Mon, 14 Apr 2014 10:10:40 -0400