mount rules grant excessive permissions

Bug #1597017 reported by John Johansen
52
This bug affects 6 people
Affects Status Importance Assigned to Milestone
AppArmor
Fix Released
Undecided
Unassigned
apparmor (Ubuntu)
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
Jammy
Fix Released
Undecided
Unassigned

Bug Description

[Impact]

 * The mount rules in apparmor grant excessive permissions.
   See Original Report below.

[Test Plan]

 * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
   See comment 26 for context.

[Other Info]

SRU Team; the packages for focal-proposed and jammy-proposed are intended as security updates prepared by the Ubuntu Security team (and have built in a ppa with only the security pockets enabled). However, because the fix makes mount rules in apparmor policy be treated more restrictively than they were prior to this update, we would like these packages to gain more widespread testing.

[Risk of Regression]

The update for this issue causes the apparmor parser, the tool that translates written policy into the enforcement data structures used by the kernel, to generate more strict policy for mount rules, like the example below. They are not common in apparmor policy generally, but can appear in policies written for container managers to restrict containers, and thus can potentially break container startup.

The packages prepared for focal-proposed and jammy-proposed have tested with the versions of snapd, lxc, libvirt, and docker in the ubuntu archive, but container managers outside of the ubuntu archive may run into issues, hence the need for testing and policy adjustments.

Original Report:

The rule
  mount options=(rw,make-slave) -> **,

ends up allowing
  mount -t proc proc /mnt

which it shouldn't as it should be restricted to commands with a make-slave flag

CVE References

Revision history for this message
John Johansen (jjohansen) wrote :

The parser is generating 2 match rules in the dfa off of the one text rule, they are the equivalent of
  mount options=(rw,make-slave) -> **,
  mount options=rw,

this is due to how the parser is trying to share rule generation for generic rules that don't specify a flag, and rules that specify them. When flags aren't specified multiple rule sets may need to be generated but only one matching the flags should when the flags are specified.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This was assigned CVE-2016-1585

Christian Boltz (cboltz)
tags: added: aa-parser
Revision history for this message
Christian Boltz (cboltz) wrote :

Now that support for mount rules is on their way to the upstream kernel - any news on this?

(For the records: https://bugzilla.opensuse.org/show_bug.cgi?id=995594 is the openSUSE twin of this bugreport, and was just closed today because the openSUSE kernel doesn't support mount rules.)

Revision history for this message
John Johansen (jjohansen) wrote : Re: [Bug 1597017] Re: mount rules grant excessive permissions

On 07/13/2017 09:39 AM, Christian Boltz wrote:
> Now that support for mount rules is on their way to the upstream kernel
> - any news on this?
>
> (For the records: https://bugzilla.opensuse.org/show_bug.cgi?id=995594
> is the openSUSE twin of this bugreport, and was just closed today
> because the openSUSE kernel doesn't support mount rules.)
>
> ** Bug watch added: bugzilla.opensuse.org/ #995594
> https://bugzilla.opensuse.org/show_bug.cgi?id=995594
>

I have a wip patch, but it hasn't been a priority lately. I do plan
on finishing up with it soon but atm the 4.13 backports for suse
are the current higher priority item blocking completion

Revision history for this message
Markus Koschany (apoleon) wrote :

Hello,

this is an old bug report but due to the assigned CVE it still shows up in Debian's security tracker.

https://security-tracker.debian.org/tracker/CVE-2016-1585

Could someone elaborate on if and when this bug was resolved and point to relevant fixing commits. Any information about the nature of this bug and its impact on current Debian and Ubuntu releases would be appreciated.

Regards,

Markus

Revision history for this message
intrigeri (intrigeri) wrote :

I was asked by a Debian security team member to share how much this is a concern for Debian. I'll do that here, even though this might be irrelevant for other distros, in the hope more knowledgeable folks can correct whatever I got wrong :)

The Debian Stretch kernel does not support mount rules so it's out of scope, except for users running a kernel from backports.

The Debian Buster kernel supports mount rules. AFAIK only two things use mount rules in Debian:

* LXC: not a regression, since we've never confined LXC with AppArmor by default before Buster and Stretch's kernel has no support for mount rules IIRC; worst case, LXC guests on a Buster host are less strictly confined than we would like, which would be nice to fix, but we were very close to disable AppArmor for LXC during the freeze, so well.
* libvirtd: no big deal, this profile is not meant to be a strong security boundary (libvirtd can do so much anyway), but rather as a way to start processes run by libvirtd under their own profile.

Adding to this that John discovered this almost 3y ago and did not prioritize fixing it, I would categorize this issue as unimportant for now in the context of Debian.

Revision history for this message
Simon Déziel (sdeziel) wrote :

I'm coming from https://github.com/lxc/lxd/issues/6799 where daemons inside containers are unable to get proper mount namespace setup due to what seems like an Apparmor bug (this one?).

Starting systemd-networkd inside a container (foo) will generate this:

 apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-foo_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=2338 comm="(networkd)" flags="ro, remount, noatime, bind"

this causes the entire FS tree as seen by systemd-networkd to remain read-write and visible. This is despite having the following restrictions supposedly applied:

  $ systemctl cat systemd-networkd | grep -E 'Protect(Home|System)'
  ProtectSystem=strict
  ProtectHome=yes

ProtectSystem is supposed to have everything remounted as read-only and ProtectHome is supposed to make /home and /root inaccessible. None of this works and I find it worrying :/

Revision history for this message
Aleksandr Mikhalitsyn (mihalicyn) wrote (last edit ):
Revision history for this message
John Johansen (jjohansen) wrote :

The initial fixed was released in
apparmor 3.1.4
apparmor 3.0.10
apparmor 2.13.8

there were two sets of followup releases to deal with regression issues
apparmor 3.1.5, 3.0.11, 2.13.9

and finally
apparmor 3.1.6 https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.6
apparmor 3.0.12 https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.12
apparmor 2.13.10 https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.10

Changed in apparmor:
status: New → Fix Released
Revision history for this message
Aleksandr Mikhalitsyn (mihalicyn) wrote :

Dear colleagues,

can you clarify when this updated AppArmor version appear in Ubuntu 22.04?
As I can see from https://packages.ubuntu.com/jammy/apparmor version is still AppArmor 3.0.4.

Kind regards,
Alex

Revision history for this message
John Johansen (jjohansen) wrote :

@mihalicyn: Ubuntu does not generally updated to newer package versions during the life of a release. Instead they will backport fixes to the package version in the release. So 22.04 will remain on AppArmor 3.0.4 when the fixes land, but the Ubuntu version will change.

I can not say when the fix will land in Ubuntu 22.04 at this time but the backport and testing work is in progress.

Revision history for this message
Aleksandr Mikhalitsyn (mihalicyn) wrote :

Gentle ping.

JFYI: in the next LXC release 5.0.4 we will get a real security issue because of that, because we have merged a fix to make privileged containers to work (when new systemd is used).

https://github.com/lxc/lxc/pull/4295

Can we fix that in Jammy? We have everything for that we just need to backport the fix to Jammy and issue a new release of the package.

Revision history for this message
Aleksandr Mikhalitsyn (mihalicyn) wrote :
Revision history for this message
John Johansen (jjohansen) wrote :

The mount fixes were backported to Jammy, AFAIK the only thing that was remaining to be done was publish them to the security pocket and publish the USN. I will look into where this is at

Revision history for this message
Aleksandr Mikhalitsyn (mihalicyn) wrote :

Thanks a lot, John!

Steve Beattie (sbeattie)
Changed in apparmor (Ubuntu):
status: New → Fix Released
Changed in apparmor (Ubuntu Focal):
status: New → In Progress
Changed in apparmor (Ubuntu Jammy):
status: New → In Progress
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

FYI This is now in the jammy and focal upload queues to go to -proposed.

Steve Beattie (sbeattie)
description: updated
Revision history for this message
Achraf Merzouki (achraf-mer) wrote :

Hello,

A gentle ping on this issue, it still shows up on jammy security report and looks like 2ubuntu2.3 here https://changelogs.ubuntu.com/changelogs/pool/main/a/apparmor/apparmor_3.0.4-2ubuntu2.3/changelog doesn't have the fix.

@jjohansen can we please advise on when the fix will be backported to ubuntu 22.04? thanks

Revision history for this message
John Johansen (jjohansen) wrote :

It is in the SRU queue and the current ETA is April 15 to land in the proposed pocket (archive proposed not security proposed ppa), there is a caveat that the recent xz backdoor has caused some "fun" on the archive side and could potentially cause some delays.

Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello John, or anyone else affected,

Accepted apparmor into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/3.0.4-2ubuntu2.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

description: updated
Changed in apparmor (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Changed in apparmor (Ubuntu Focal):
status: In Progress → Fix Committed
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello John, or anyone else affected,

Accepted apparmor into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/2.13.3-7ubuntu5.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-focal
Revision history for this message
Simon Déziel (sdeziel) wrote :

I've been running this update on Jammy since 2024-04-18 with no visible side effect:

$ zgrep -w1 apparmor /var/log/apt/history.log.2.gz
Start-Date: 2024-04-18 12:48:18
Commandline: apt install apparmor/jammy-proposed
Requested-By: sdeziel (1000)
Upgrade: apparmor:amd64 (3.0.4-2ubuntu2.3, 3.0.4-2ubuntu2.4)
End-Date: 2024-04-18 12:48:25

I'll leave it to someone else to decide if that's enough to mark it as `verification-done-jammy`.

Revision history for this message
Wesley Hershberger (whershberger) wrote :

Hi, gentle ping on this; is there an ETA for this to land in 22.04? Let me know if I can help with testing.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 3.0.4-2ubuntu2.3build2

---------------
apparmor (3.0.4-2ubuntu2.3build2) jammy-security; urgency=medium

  * No-change re-build upload for the jammy-security pocket as part
    of the preparation for addressing CVE-2016-1585 (LP: #1597017)

 -- Steve Beattie <email address hidden> Tue, 27 Aug 2024 14:48:42 -0700

Changed in apparmor (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.13.3-7ubuntu5.3build2

---------------
apparmor (2.13.3-7ubuntu5.3build2) focal-security; urgency=medium

  * No-change re-build upload for the focal-security pocket as part
    of the preparation for addressing CVE-2016-1585 (LP: #1597017)

 -- Steve Beattie <email address hidden> Tue, 27 Aug 2024 14:51:30 -0700

Changed in apparmor (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Steve Beattie (sbeattie) wrote :

Actual fixed versions for this issue are still sitting in focal-proposed and jammy-proposed. However, we did a no-change rebuild ofthe current versions in the respective updates pockets to the security pocket, so that the version in proposed could be published first in the updates pocket, but leaving people who experience possible issues the opportunity for an easy downgrade path to the prior version (via apt install apparmor/jammy-security or apparmor/focal-security as the case may be).

Changed in apparmor (Ubuntu Focal):
status: Fix Released → Fix Committed
Changed in apparmor (Ubuntu Jammy):
status: Fix Released → Fix Committed
tags: added: verification-done-focal verification-done-jammy
removed: verification-needed-focal verification-needed-jammy
tags: added: verification-done
removed: verification-needed
Revision history for this message
Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

Testing Documentation:

This update was tested following the guidelines available at:
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

In summary, they are:
- AppArmor cache files verification;
- Basic Ubuntu login tests: network, browser, apt;
- LXC, LXD, Docker basic operations and apparmor behavior;
- snapd hello-world confinement testing;
- qa-regression-testing suite for apparmor, libvirt and dbus

Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :

Thanks, Rodrigo!

There are outdated autopkgtests (i.e., ran against reverse-test-deps that now have newer versions in -updates), which I triggered reruns for.

Once that looks good (hopefully during my shift today, or maybe tomorrow), I'll take a look for release.

Details:
---

jammy:
https://ubuntu-archive-team.ubuntu.com/proposed-migration/jammy/update_excuses.html#apparmor

 adsys/0.9.2~22.04.2
 cups/2.4.1op1-1ubuntu4.8
 dovecot/1:2.3.16+dfsg1-3ubuntu2.2
 libreoffice/1:7.3.7-0ubuntu0.22.04.4
 libvirt/8.0.0-1ubuntu7.8
 libvirt/8.0.0-1ubuntu7.9
 php8.1/8.1.2-1ubuntu2.14
 snapd/2.61.3+22.04
 squid/5.7-0ubuntu0.22.04.3

focal:
https://ubuntu-archive-team.ubuntu.com/proposed-migration/focal/update_excuses.html#apparmor

 dovecot/1:2.3.7.2-1ubuntu3.6
 libreoffice/1:6.4.7-0ubuntu0.20.04.9
 libvirt/6.0.0-0ubuntu8.16
 php7.4/7.4.3-4ubuntu2.20
 snapd/2.61.3+20.04
 squid/4.10-1ubuntu1.9

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (apparmor/2.13.3-7ubuntu5.4)

All autopkgtests for the newly accepted apparmor (2.13.3-7ubuntu5.4) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

libvirt/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#apparmor

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

description: updated
Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :

Autopkgtests preventing migration look good now.

All have passed and cleared up in update_excuses
(only libreoffice/jammy/armhf running; expecting
it to pass based on previous history and results
from same package/version in other architectures).

Proceeding with release to Jammy and Focal.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 3.0.4-2ubuntu2.4

---------------
apparmor (3.0.4-2ubuntu2.4) jammy-security; urgency=medium

  * SECURITY UPDATE: Excessive permissions with mount rules (LP: #1597017)
    - d/p/CVE-2016-1585/Merge-Fix-mount-rules-encoding.patch: fix mount
      rules encoding in parser/mount.cc, parser/mount.h, parser/parser.h
      and fix multiple test cases in parser/tst/simple_tests/mount/*.
    - d/p/CVE-2016-1585/Support-rule-qualifiers-in-regression-tests.patch:
      update rule qualifiers in regression tests in
      tests/regression/apparmor/mkprofile.pl and
      tests/regression/apparmor/capabilities.sh.
    - d/p/CVE-2016-1585/Merge-expand-mount-tests.patch: expand mount
      regression tests in tests/regression/apparmor/mount.c,
      tests/regression/apparmor/mount.sh and
      tests/regression/apparmor/mkprofile.pl.
    - d/p/CVE-2016-1585/Check-for-newer-mount-options-in-regression-test.patch:
      add check for newer mount options in regression tests in
      tests/regression/apparmor/Makefile, tests/regression/apparmor/mount.c
      and tests/regression/apparmor/mount.sh.
    - d/p/CVE-2016-1585/Merge-Issue-312-added-missing-kernel-mount-options.patch:
      add missing kernel mount options flag in parser/apparmor.d.pod,
      parser/mount.cc, parser/mount.h, tests/regression/apparmor/mount.sh
      and parser/tst/simple_tests/mount/*.
    - d/p/CVE-2016-1585/Merge-extend-test-profiles-for-mount.patch: update
      test profiles in parser/tst/simple_tests/mount/*.
    - d/p/CVE-2016-1585/Merge-parser-fix-parsing-of-source-as-mount-point-fo.patch:
      update gen_policy_change_mount_type() in parser/mount.cc and also
      updated tests on parser/tst/simple_tests/mount/* and
      tests/regression/apparmor/mount.sh.
    - d/p/CVE-2016-1585/parser-Deprecation-warning-should-not-have-been-back.patch:
      remove deprecation warning message in parser/mount.cc.
    - d/p/CVE-2016-1585/parser-fix-rule-flag-generation-change_mount-type-ru.patch:
      add device checks in gen_flag_rules() in parser/mount.cc and tests
      in parser/tst/simple_tests/mount/*, parser/tst/equality.sh,
      tests/regression/apparmor/mount.sh and
      utils/test/test-parser-simple-tests.py.
    - CVE-2016-1585

 -- Rodrigo Figueiredo Zaiden <email address hidden> Tue, 06 Mar 2024 15:35:00 -0300

Changed in apparmor (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote : Update Released

The verification of the Stable Release Update for apparmor has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.13.3-7ubuntu5.4

---------------
apparmor (2.13.3-7ubuntu5.4) focal-security; urgency=medium

  * SECURITY UPDATE: Excessive permissions with mount rules (LP: #1597017)
    - d/p/CVE-2016-1585/parser-Fix-expansion-of-variables-in-unix-rules-addr.patch:
      add calls to filter_slashes() in parser/af_unix.cc, make it external
      in parser/parser.h and change it to void in parser/parser_regex.c.
    - d/p/CVE-2016-1585/parser-enable-variable-expansion-for-mount-type-and-.patch:
      add variable expansion with expand_entry_variables() in
      parser/mount.cc.
    - d/p/CVE-2016-1585/parser-call-filter-slashes-for-mount-conditionals.patch:
      add calls to filter_slashes() in parser/mount.cc.
    - d/p/CVE-2016-1585/Support-rule-qualifiers-in-regression-tests.patch:
      update rule qualifiers in regression tests in
      tests/regression/apparmor/mkprofile.pl and
      tests/regression/apparmor/capabilities.sh.
    - d/p/CVE-2016-1585/Merge-Fix-mount-rules-encoding.patch: fix mount
      rules encoding in parser/mount.cc, parser/mount.h, parser/parser.h
      and fix multiple test cases in parser/tst/simple_tests/mount/*.
    - d/p/CVE-2016-1585/Merge-expand-mount-tests.patch: expand mount
      regression tests in tests/regression/apparmor/Makefile,
      tests/regression/apparmor/mount.c,
      tests/regression/apparmor/mount.sh and
      tests/regression/apparmor/mkprofile.pl.
    - d/p/CVE-2016-1585/Merge-Issue-312-added-missing-kernel-mount-options.patch:
      add missing kernel mount options flag in parser/apparmor.d.pod,
      parser/mount.cc, parser/mount.h, tests/regression/apparmor/mount.sh
      and parser/tst/simple_tests/mount/*.
    - d/p/CVE-2016-1585/Merge-extend-test-profiles-for-mount.patch: update
      test profiles in parser/tst/simple_tests/mount/*.
    - d/p/CVE-2016-1585/Merge-parser-fix-parsing-of-source-as-mount-point-fo.patch:
      update gen_policy_change_mount_type() in parser/mount.cc and also
      updated tests on parser/tst/simple_tests/mount/* and
      tests/regression/apparmor/mount.sh.
    - d/p/CVE-2016-1585/parser-fix-rule-flag-generation-change_mount-type-ru.patch:
      add device checks in gen_flag_rules() in parser/mount.cc and tests
      in parser/tst/simple_tests/mount/*, parser/tst/equality.sh,
      tests/regression/apparmor/mount.sh and
      utils/test/test-parser-simple-tests.py.
    - d/p/CVE-2016-1585/Fix-build-failure-in-df4ed537e-allow-reading-of-etc-.patch:
      remove the WARN_DEPRECATED flag in pwarn call in parser/mount.cc.
    - d/p/CVE-2016-1585/parser-Deprecation-warning-should-not-have-been-back.patch:
      remove deprecation warning message in parser/mount.cc.
    - CVE-2016-1585

 -- Rodrigo Figueiredo Zaiden <email address hidden> Tue, 06 Mar 2024 15:40:00 -0300

Changed in apparmor (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Andrew Killen (andrewbkillen) wrote :

I am running Focal Fossa and noticed that AppArmor was vulnerable (CVE-2016-1585). My automatic upgrade attempts were not upgrading from the vulnerable version 2.13.3-7ubuntu5.3build2 to the latest version 2.13.3-7ubuntu5.4. When investigating further it is because my systems are configured to only pull updates out of the security repository, which does not include this update.

I posted a question in the general AppArmor area and it was suggested to bring this up in this specific bug thread. The thought is that the version released around this bug should be included in the security repository, not just the update repository. If this is indeed an issue, the same can be said for the jammy releases as well.

Link to my question: https://answers.launchpad.net/ubuntu/+source/apparmor/+question/818906

Revision history for this message
Simon Déziel (sdeziel) wrote :

@Andrew, I think publishing to -updates first and then to -security was intentional per https://discourse.ubuntu.com/t/upcoming-apparmor-security-update-for-cve-2016-1585/44268/3

Revision history for this message
John Johansen (jjohansen) wrote :

@Andrew: Simon is correct. This update deliberately had an unusual roll-out where it went to updates first so that it could be phased, and we could roll back if the phasing showed a problem.

The security pocket was not updated specifically to provide a users a way to easily revert the update.

As mentioned this state is only going to exist for a week (planned) or two, and then the update will be synced to the security pocket once we are sure the update has not caused significant issues.

Revision history for this message
Andrew Killen (andrewbkillen) wrote :

@Simon, thank you for the link, that also clarifies Steve's comment (https://bugs.launchpad.net/apparmor/+bug/1597017/comments/25) earlier in this thread which I didn't interpret appropriately during first read through. Based on the linked thread the plan was to publish to the security repository last week, but I have my questions answered and will sit tight until that takes place. Appreciate your help!

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Related questions

Remote bug watches

Bug watches keep track of this bug in other bug trackers.