openSUSE-SU-2017:0969-1

Published: 10 Apr 2017
Source: suse-cvrf

Description

Security update for apparmor

This update for apparmor fixes the following issues:

These security issues were fixed:

  • CVE-2017-6507: Preserve unknown profiles when reloading apparmor.service (lp#1668892, boo#1029696)
  • boo#1017260: Migration to apparmor.service accidentally disabled AppArmor. Note: This will re-enable AppArmor if it was disabled by the last update. You'll need to 'rcapparmor reload' to actually load the profiles, and then check aa-status for programs that need to be restarted to apply the profiles.

These non-security issues were fixed:

  • Fixed crash in aa-logprof on specific change_hat events
  • boo#1016259: Added var.mount dependency to apparmor.service

The aa-remove-unknown utility was added to unload unknown profiles (lp#1668892)

Package list

openSUSE Leap 42.1
apache2-mod_apparmor-2.10.2-12.3.1
apparmor-2.10.2-12.3.1
apparmor-abstractions-2.10.2-12.3.1
apparmor-docs-2.10.2-12.3.1
apparmor-parser-2.10.2-12.3.1
apparmor-parser-lang-2.10.2-12.3.1
apparmor-profiles-2.10.2-12.3.1
apparmor-utils-2.10.2-12.3.1
apparmor-utils-lang-2.10.2-12.3.1
libapparmor-devel-2.10.2-12.3.1
libapparmor1-2.10.2-12.3.1
libapparmor1-32bit-2.10.2-12.3.1
pam_apparmor-2.10.2-12.3.1
pam_apparmor-32bit-2.10.2-12.3.1
perl-apparmor-2.10.2-12.3.1
python3-apparmor-2.10.2-12.3.1
ruby-apparmor-2.10.2-12.3.1
openSUSE Leap 42.2
apache2-mod_apparmor-2.10.2-12.3.1
apparmor-2.10.2-12.3.1
apparmor-abstractions-2.10.2-12.3.1
apparmor-docs-2.10.2-12.3.1
apparmor-parser-2.10.2-12.3.1
apparmor-parser-lang-2.10.2-12.3.1
apparmor-profiles-2.10.2-12.3.1
apparmor-utils-2.10.2-12.3.1
apparmor-utils-lang-2.10.2-12.3.1
libapparmor-devel-2.10.2-12.3.1
libapparmor1-2.10.2-12.3.1
libapparmor1-32bit-2.10.2-12.3.1
pam_apparmor-2.10.2-12.3.1
pam_apparmor-32bit-2.10.2-12.3.1
perl-apparmor-2.10.2-12.3.1
python3-apparmor-2.10.2-12.3.1
ruby-apparmor-2.10.2-12.3.1

Description

An issue was discovered in AppArmor before 2.12. Incorrect handling of unknown AppArmor profiles in AppArmor init scripts, upstart jobs, and/or systemd unit files allows an attacker to possibly have increased attack surfaces of processes that were intended to be confined by AppArmor. This is due to the common logic to handle 'restart' operations removing AppArmor profiles that aren't found in the typical filesystem locations, such as /etc/apparmor.d/. Userspace projects that manage their own AppArmor profiles in atypical directories, such as what's done by LXD and Docker, are affected by this flaw in the AppArmor init script logic.
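
The check below is an added example, not part of the advisory or of AppArmor's own tooling: it lists loaded profiles that have no on-disk definition, which are the "unknown" profiles the description says a restart removed. The function names and the sample profile lists are constructed for illustration; the live-host inputs named in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory. Sample data below is constructed.
# On a live host (assumption): LOADED is /sys/kernel/security/apparmor/profiles
# and KNOWN is the output of `apparmor_parser -N` run over the profile files
# in /etc/apparmor.d.

# Print loaded profile names from "name (mode)" lines. Names may contain
# spaces, so only the trailing " (mode)" is stripped.
loaded_names() {
    sed -n 's/ ([a-z]*)$//p' "$1" | LC_ALL=C sort -u
}

# unknown_profiles LOADED KNOWN
# Print loaded profiles that have no on-disk definition: the set that the
# flawed restart logic would unload (for example container-managed profiles).
unknown_profiles() {
    up_known=$(mktemp) || return 1
    LC_ALL=C sort -u "$2" > "$up_known"
    loaded_names "$1" | LC_ALL=C comm -23 - "$up_known"
    rm -f "$up_known"
}

# Run the check on constructed sample data.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/loaded" <<'EOF'
/usr/sbin/ntpd (enforce)
/usr/lib/apache2/mpm-prefork/apache2 (enforce)
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI (complain)
docker-default (enforce)
lxd-web01_</var/lib/lxd> (enforce)
EOF
    cat > "$d/known" <<'EOF'
/usr/sbin/ntpd
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
EOF
    unknown_profiles "$d/loaded" "$d/known"
    rm -rf "$d"
}

demo
```

Any name this prints on an unpatched host is a profile that would be dropped by a restart, leaving the processes it covers unconfined until the owning project reloads it.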


Affected products
openSUSE Leap 42.1:apache2-mod_apparmor-2.10.2-12.3.1
openSUSE Leap 42.1:apparmor-2.10.2-12.3.1
openSUSE Leap 42.1:apparmor-abstractions-2.10.2-12.3.1
openSUSE Leap 42.1:apparmor-docs-2.10.2-12.3.1
