AppArmor

AppArmor 2.10.3

AppArmor 2.10.3 Release

Milestone information

Project:: AppArmor

Series:: 2.10

Version:: 2.10.3

Released:: 2017-10-19

Registrant:: John Johansen

Release registered:: 2017-10-19

Active:: No. Drivers cannot target bugs and blueprints to this milestone.

Download RDF metadata

Activities

Assigned to you:: No blueprints or bugs assigned to you.

Assignees:: No users assigned to blueprints and bugs.

Blueprints:: No blueprints are targeted to this milestone.

Bugs:: 5 Fix Released

Download files for this release

After you've downloaded a file, you can verify its authenticity using its MD5 sum or signature. (How do I verify a download?)

File	Description	Downloads
apparmor-2.10.3.tar.gz (md5, sig)	AppArmor 2.10.3	127 last downloaded 60 weeks ago
Total downloads:		127

Release notes

AppArmor 2.10.3 is an incremental bug fix release over AppArmor 2.10.2 that is focused on fixing issues in the userspace code.

This release includes the 2.10 branch changes between r3379 (= 2.10.2) and r3407.
Policy Compiler (a.k.a. apparmor_parser)

Fix af_unix downgrade of network rules
Fix delete after new[]

Init

Preserve unknown profiles when restarting apparmor init/job/unit CVE-2017-6507 lp#1668892

Library

libapparmor: fix swig test_apparmor.py for zero length ptrace records

Utils

    aa-unconfined - fix netstat invocation regression
    aa-logprof - Ignore change_hat events with error=-1 and "unconfined can not change_hat"
    Add aa-remove-unknown utility to unload unknown profiles lp#1668892
    Remove re.LOCALE flag lp#1661766

Policy

    Abstractions
        freedesktop.org - support /usr/local/applications; support subdirs of applications folder
        python - update for python3.6
        perl - adjust the multiarch alternation rule for modern Debian and Ubuntu systems
        base - glibc uses /proc/*/auxv and /proc/*/status files, too
        apache2 - updates for proper signal handling, optional saslauth, and OCSP stapling

    dovecot
        Allow /var/run/dovecot/login-master-notify* in dovecot imap-login profiles
        add the attach_disconnected flag
        change Px to mrPx for /usr/lib/dovecot/*
        dovecot-lda needs
        Add several permissions to the dovecot profiles that are needed on ubuntu
            the attach_disconnected flags
            read access to /usr/share/dovecot/protocols.d/
            rw for /run/dovecot/auth-userdb
    traceroute - support TCP SYN for probes, quite net_admin request
    Samba - updates for ActiveDirectory / Kerberos
    postfix
        change abstractions/postfix-common to allow /etc/postfix/*.db k
        add several permissions to postfix/error, postfix/lmtp and postfix/pipe
        remove superfluous abstractions/kerberosclient from all postfix profiles - it's included via abstractions/nameservice

Documentation

    apparmor.d manpage - Add network 'smc' keyword in NetworkRule
    aa-status manpage updated for updated podchecker
    Add --no-reload to various utils manpages

Tests

libapparmor - remove test_multi unconfined-change_hat.profile
regression tests: fix environ fail case

Changelog

This release does not have a changelog.

0 blueprints and 5 bugs targeted

Bug report			Importance	Status
1512131	#1512131	Apparmor complains about multiple /run/dovecot file access	1 Undecided	10 Fix Released
1650827	#1650827	/usr/lib/dovecot/dovecot-lda: "Failed name lookup - disconnected path"	1 Undecided	10 Fix Released
1658238	#1658238	apache2 abstraction incomplete	1 Undecided	10 Fix Released
1658239	#1658239	base abstraction missing glibc /proc/$pid/ things	1 Undecided	10 Fix Released
1668892	#1668892	CVE-2017-6507: apparmor service restarts and package upgrades unload privately managed profiles	1 Undecided	10 Fix Released

Related milestones and releases

This milestone contains Public information

Everyone can see this information.