Changelog

apparmor (2.12-3ubuntu1~test.3) bionic; urgency=medium

  * Merge with Debian. Remaining Ubuntu changes:
    - debian/control: Update maintainer to be Ubuntu Developers
    - debian/gbp.conf: Use ubuntu/master as the debian-branch
    - debian/apparmor.init: Call handle_system_policy_package_updates as
      we need it for Click, snappy, and system-images. Note that this
      prevents using a remote /var.
    - debian/patches/series: Apply the following Ubuntu-specific patches:
      + parser-include-usr-share-apparmor.patch
      + profiles-grant-access-to-systemd-resolved.patch
      + add-chromium-browser.patch
    - debian/apparmor-profiles.install,
      debian/apparmor-profiles.postinst: Install chromium-browser
      profile and abstraction
  * debian/apparmor-profiles.install, debian/apparmor-profiles.postinst:
    Install chromium-browser profile and abstraction into the
    /usr/share/apparmor/extra-profiles/ directory to match upstream and
    Debian
  * debian/patches/series, debian/apparmor.install,
    debian/apparmor.maintscript: Feature pinning is not used in Ubuntu
  * upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch:
    Properly identify empty ouid/fsuid fields in logs to fix log parsing bug
    on 32 bit platforms
  * upstream-commit-130958a-allow-shell-helper-read-locale.patch: Allow the
    shell helper regression test program to read the locale
  * Dropped patches that weren't merged upstream:
    - ubuntu-manpage-updates.patch: The changes were out of date because
      they only addressed upstart based systems
    - utils-keep-shebang.patch: A different solution was merged upstream
      so that the shebang lines aren't rewritten
  * Dropped patches that were merged upstream:
    - utils-add-aa-remove-unknown.patch
    - pass-compiler-flags.patch
    - raise-test-timeout.patch
    - r3615-profiles-sshd-drop-local-include.patch
    - r3631-apparmor-utils-python3.6-LOCALE.patch
    - r3645-profiles-update-nvidia-abstraction.patch
    - wayland-cursor.patch
    - utils-fix-failing-tests-in-aa-py.patch
    - utils-allow-unordered-dbus-attribs.patch
    - aa-notify-urgency-normal.patch
    - base-journald-updates.patch
    - utils-logprof-python3.6.patch
    - adjust-python-for-3.6.patch
    - fix-aa-status-pod.patch
    - nameservice-add-stub-resolv.patch
    - 0001-Allow-seven-digit-pid.patch

apparmor (2.12-3) unstable; urgency=medium

  * dnsmasq-profile-allow-chown-capability.patch: new patch (Closes: #889806)
  * Update-base-abstraction-for-ld.so.conf-and-friends.patch: new patch,
    cherry-picked from upstream (solves a minor part of #887973).
  * libapparmor-perl: install example program.

apparmor (2.12-2) unstable; urgency=medium

  * This release is dedicated to the memory of Ursula K. Le Guin.

  * Install the "extra" profiles to the default upstream directory
    (Closes: #832984).
  * Cherry-pick policy improvements from upstream Git (Closes: #887591).
  * Stop recommending the apparmor-profile package to the general public:
    - apparmor: drop "Suggests: apparmor-profile".
    - apparmor-profile: make it clear in the package description that
      these profiles cannot be expected to work out-of-the-box.
  * Bump debhelper compatibility level to 10.
    - This reintroduces --parallel building, which was fixed upstream
      since we disabled it.
    - Don't manually enable the systemd debhelper sequence: now done
      by default.
    - Drop now useless build-dependency on autotools-dev.
  * Declare compliance with Standards-Version 4.1.3 (no change required).
  * debian/control: add Rules-Requires-Root: no.
    - Cherry-pick upstream fix to pam_apparmor's Makefile.
  * Packaging cleanup:
    - Remove Kees Cook <email address hidden> from the Uploaders control field.
      Thanks a lot for the inspiring work you've done on this package
      in the past!
    - Remove obsolete calls to rm_conffile.
    - debian/copyright: use canonical URL to copyright-format/1.0.
    - debian/copyright: sort licenses in lexical order.
    - Use canonical URL to Debian bug in patch header.
    - debian/*.install: remove duplicates.
    - Stop versioning dependencies that are satisfied on Debian Wheezy
      and Ubuntu Trusty.
    - Reformat debian/* with 'cme fix dpkg' + wrap-and-sort.

apparmor (2.12-1) unstable; urgency=medium

  * New upstream release (Closes: #885522, #882043, #884014, #886732,
    #875892, #882070, #874665, #884280, #881936, #882135).
    - Drop obsolete patches.
  * dh-apparmor postinst snippet: create empty files in
    /etc/apparmor.d/local/ instead of repeating boilerplate.
  * dh-apparmor postinst snippet: simplify local overrides directory
    creation code.
  * Migrate to Git:
    - Configure gbp for DEP-14
    - Configure gbp-pq to avoid prefixing patches with numbers
    - README.source: adjust to Git
    - Update Vcs-* control fields: migrate to Git
  * Move libpam to Section: admin

apparmor (2.11.1-4) unstable; urgency=medium

  * Bump pinned feature set to linux-image-4.14.0-1's, version 4.14.2-1
    - Pinning a feature set without "mount", as we did before this change,
      breaks mount operations due to a bug in the kernel (Closes: #883703).
      Thanks to Fabian Grünbichler and Felix Geyer for reporting this.
    - AppArmor maintainers in Debian have been testing 4.14 without pinning
      for a while and all the known issues were fixed; it's time to enable
      4.14's features so we can learn what parts of our policy still need
      updates (Closes: #880078, #877581).
  * Move features file to /usr/share/apparmor-features (Closes: #883682).
    Thanks to Fabian Grünbichler <email address hidden> for the patch.
  * Document in apparmor/README.Debian where online documentation wrt. AppArmor
    on Debian lives (Closes: #845232). Thanks to Wouter Verhelst and Jean-Michel
    Vourgère for the suggestion.
  * Improve usability of apparmor-notify:
    - notify.conf: unset use_group.
      aa-notify checks that it can read the selected log file — and aborts
      if it can't — before it checks group membership vs. use_group, so in
      practice setting use_group is only useful for users who are allowed
      to read logs but don't want to see notifications. This seems to be
      a corner case, easily addressed per-user (~/.apparmor/notify.conf)
      or system-wide (by deinstalling apparmor-notify).
      So let's instead optimize for a more common use case, i.e. users who can
      read logs and want to see the notifications. This change does not
      impact the most common use case, i.e. desktop users who are not allowed
      to read logs (Closes: #880859).
    - Document in apparmor-notify/README.Debian that one must be in the "adm"
      group to use aa-notify.
    Thanks to Lisandro Damián Nicanor Pérez Meyer and Salvatore Bonaccorso
    whose combined bug reports led to this solution.
  * /lib/apparmor/functions: don't delete /etc/apparmor.d/cache/CACHEDIR.TAG
    ourselves (necessary, but not sufficient, to fix #883584).
  * Declare compliance with Standards-Version 4.1.2.

apparmor (2.11.1-3) unstable; urgency=medium

  * upstream-commit-92752f5-support-Google-Chrome-beta.patch:
    new patch, backported from upstream (Closes: #880923).

apparmor (2.11.1-2) unstable; urgency=medium

  * apparmor: drop obsolete dependency on libapparmor-perl.
    This dependency was added in 2.8.0-0ubuntu15, when aa-exec (that was
    written in Perl back then) got moved to the apparmor package.
    Nowadays aa-exec is written in C and AFAICT there's nothing in the
    apparmor package that uses libapparmor-perl.
  * apparmor-utils: drop obsolete dependency on libapparmor-perl.
    All the programs shipped in this package were rewritten in Python.
  * Drop obsolete dependencies on python{,3}-pkg-resources.
    They were added to "fix autopkgtests in click-apparmor and
    apparmor-easyprof-ubuntu". We don't ship these packages in Debian,
    and I'm told they're going away in Ubuntu anyway.

apparmor (2.11.1-1) unstable; urgency=medium

  * Import upstream 2.11.1 release.
    Drop obsolete patches and refresh remaining ones as needed.
  * pin-feature-set.patch: new patch, that pins the AppArmor feature set
    to Linux 4.13.4-2's (Closes: #879584).
    The AppArmor policy we ship is not fully ready for Linux 4.14 yet.
    Once our policy has been updated (#877581) we can bump the pinned
    feature set to Linux 4.14's.
    Note, however, that this is not fully effective in the specific case
    of 4.14-rcN up to 4.14-rc6 due to a kernel bug with pinned older
    feature sets, that will likely be fixed in Linux 4.14-rc7.
    For example, with Linux 4.14-rc5 some network (e.g. unix, inet, inet6)
    operations are denied despite the fact this pinned feature does not
    enable network mediation support. For details, see:
    https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278
  * Disable parser-include-usr-share-apparmor.patch: it's not used on Debian
    and would be made fuzzy by pin-feature-set.patch, thus causing useless
    maintenance busywork.
  * Improve phrasing of long packages description, based on a patch
    by Vincas Dargis <email address hidden> (Closes: #795431).
  * Replace build-dependency on dh-systemd with a versioned one
    on debhelper, that now ships dh_systemd_*.
  * Set priority to "optional": "extra" is deprecated.
  * Bump Standards-Version to 4.1.1.
  * Drop "Testsuite: autopkgtest" control field: it is automatically added
    by dpkg-source(1) since dpkg 1.17.1 when a debian/tests/control file exists,
    which is the case here.
  * Move libapache2-mod-apparmor to Section "httpd", as suggested by Lintian.

apparmor (2.11.0-11) unstable; urgency=medium

  * Only use systemd-detect-virt when it's installed (Closes: #871953).
  * dh_apparmor: include the version of the package, so that one can find
    packages that were built with a particular version of dh_apparmor.
    (Closes: #872167).
  * Import patch submitted upstream to support Flatpak exports
    (Closes: #865206).
  * Revert "Build with GCC-6 on mips64el to workaround Debian#871538":
    that gcc-7 bug was fixed in 7.2.0-3 on 2017-09-02, presumably all buildd's
    chroot should have it by now.
  * Merge from Ubuntu citrain up to revision 1627, aka. 2.11.0-2ubuntu17.
    Applied all changes (filtering from that list what had already been
    done in Debian):
     - Remove apparmor system upstart job on upgrades.
     - r3631-apparmor-utils-python3.6-LOCALE.patch: fix utils to avoid
       breakage with python 3.6 (LP: #1661766).
     - nameservice-add-stub-resolv.patch: allow read access to systemd stub
       resolver configuration

apparmor (2.11.0-10) unstable; urgency=medium

  * Build with GCC-6 on mips64el to workaround #871538.

apparmor (2.11.0-9) unstable; urgency=medium

  * debian-chromium-paths.patch: new patch, fixes e.g. opening links
    (e.g. from Thunderbird) when Chromium is the default web browser
    (reported in #858911).

apparmor (2.11.0-8) unstable; urgency=medium

  * firefox-non-esr.patch: new patch, fixes e.g. opening links from
    Thunderbird when Firefox non-ESR is the default web browser
    (Closes: #858911).
  * Adjust metadata for wayland-cursor.patch: applied upstream.

apparmor (2.11.0-7) unstable; urgency=medium

  * compare_and_save_debsums(): fix quieting of diff on initial installation
    (Closes: #870696).
  * Don't explicitly pass runlevel nor sequence number to update-rc.d
    via dh_installinit (Closes: #870695).
    Thanks to Michael Biebl for the hint!
  * wayland-cursor.patch: new patch, to allow wayland-cursor-shared-*
    (Closes: #870807).
  * Merge from Ubuntu citrain up to revision 1620, i.e. 2.11.0-2ubuntu11.
    Applied all changes:
     - fix-aa-status-pod.patch: updates aa-status for newer podchecker
       (LP: #1707614)
     - adjust-python-for-3.6.patch: update python abstraction for 3.6
     - adjust-nameservice-for-systemd-resolved.patch: grant access to
       systemd-resolved in the nameservice abstraction (LP: #1598759).
    … and then disabled adjust-nameservice-for-systemd-resolved.patch
    that's dangerous without fine-grained AppArmor mediation of
    D-Bus traffic.
  * Remove upstart configuration: Upstart was removed in Debian Stretch
    so this file is no longer useful.
  * Drop ubuntu-manpage-updates.patch, that was only relevant with Upstart.

apparmor (2.11.0-6) unstable; urgency=medium

  * libapparmor-dev: stop installing /lib/*/libapparmor.la (Closes: #866636).

apparmor (2.11.0-5) unstable; urgency=medium

  * pass-compiler-flags-binutils.patch: new patch, fixes missing
    hardening flags in aa-enabled and aa-exec.
  * Merge from Ubuntu citrain up to revision 1617, i.e. 2.11.0-2ubuntu8.

apparmor (2.11.0-4) unstable; urgency=medium

  * Run parts of the upstream test suite as autopkgtests.
  * Declare compliance with Standards-Version 4.0.0 (no change required).
  * Add mentions-deprecated-usr-lib-perl5-directory to Lintian overrides,
    since usr-lib-perl5-mentioned has been renamed.
  * libapparmor1.symbols: require 2.8.94 instead of 2.8.94-0ubuntu1.
  * debian/rules: use variables provided by dpkg/pkg-info.mk instead
    of parsing the output of dpkg-parsechangelog.
  * Override mistaken apache2-module-depends-on-real-apache2-package
    Lintian check.
  * Merge from Ubuntu citrain up to revision 1616, i.e. 2.11.0-2ubuntu5
    (more recent changes, up to 2.11.0-2ubuntu8, have not been pushed
    to the citrain repo yet; they don't seem critical though).

apparmor (2.11.0-3) unstable; urgency=medium

  * Fix CVE-2017-6507: don't unload unknown profiles during package
    configuration or when restarting the apparmor init script, upstart job, or
    systemd unit as this could leave processes unconfined (Closes: #858768).
    Changes cherry-picked from Ubuntu's 2.11.0-2ubuntu3:
    - debian/apparmor.postinst, debian/apparmor.init, debian/apparmor.upstart:
      Remove calls to unload_obsolete_profiles()
    - debian/patches/utils-add-aa-remove-unknown.patch,
      debian/apparmor.install debian/apparmor.manpages: Include a new utility,
      aa-remove-unknown, which can be used to unload unknown profiles. Based
      on an upstream patch but adjusted to source the /lib/apparmor/functions
      shipped in Debian/Ubuntu.

 -- Tyler Hicks <email address hidden>  Mon, 05 Mar 2018 12:50:46 +0000
