[ubuntu/bionic-proposed] apparmor 2.12-3ubuntu1 (Accepted)
Tyler Hicks
tyhicks at canonical.com
Thu Mar 15 16:11:22 UTC 2018
apparmor (2.12-3ubuntu1) bionic; urgency=medium

  * New upstream bug fix release. Bugs fixed:
    - abstraction/nameservice should include allow access to
      /var/lib/sss/mc/initgroups (LP: #1751402)
    - Cannot Add Request Hat or Use Default Hat in aa-logprof and mod_apparmor
      (LP: #1752365)
    - python tools do not understand 'non-magic' include rules (LP: #1733700)
    - "Unable to open external link" in Evince when google-chrome-unstable is
      the default browser (LP: #1730536)
    - apparmor_parser is missing fix for rule down grades (LP: #1728120)
    - base abstraction missing glibc /proc/$pid/ things (LP: #1658239)
    - logparser.py parse_event_for_tree() doesn't care about owner vs. all in
      file events (LP: #1538340)
    - aa-decode can't decode the audit log which contains the proctitle string
      (LP: #1736841)
    - aa-logprof asks for "a" rule even if "deny w" is present (LP: #1385474)
  * Merge from Debian. Remaining Ubuntu changes:
    - debian/gbp.conf: Use ubuntu/master as the debian-branch
    - Update package maintainer to be Ubuntu Developers in the control file
    - Call handle_system_policy_package_updates in apparmor.init.
      This is needed for snappy and system-images. Note that this prevents
      using a remove /var.
    - Apply Ubuntu-specific patches
      + parser-include-usr-share-apparmor.patch
      + profiles-grant-access-to-systemd-resolved.patch
      + add-chromium-browser.patch
    - Install Ubuntu chromium-browser profile and abstraction
  * Dropped patches that were not merged upstream:
    - ubuntu-manpage-updates.patch: The changes were out of date because
      they only addressed upstart based systems
    - utils-keep-shebang.patch: A different solution was merged upstream
      so that the shebang lines aren't rewritten
  * Feature pinning is not used in Ubuntu
  * Properly identify empty ouid/fsuid fields in logs
  * Allow the shell helper regression test program to read the locale

apparmor (2.12-3) unstable; urgency=medium

  * dnsmasq-profile-allow-chown-capability.patch: new patch (Closes: #889806)
  * Update-base-abstraction-for-ld.so.conf-and-friends.patch: new patch,
    cherry-picked from upstream (solves a minor part of #887973).
  * libapparmor-perl: install example program.

apparmor (2.12-2) unstable; urgency=medium

  * This release is dedicated to the memory of Ursula K. Le Guin.

  * Install the "extra" profiles to the default upstream directory
    (Closes: #832984).
  * Cherry-pick policy improvements from upstream Git (Closes: #887591).
  * Stop recommending the apparmor-profile package to the general public:
    - apparmor: drop "Suggests: apparmor-profile".
    - apparmor-profile: make it clear in the package description that
      these profiles cannot be expected to work out-of-the-box.
  * Bump debhelper compatibility level to 10.
    - This reintroduces --parallel building, which was fixed upstream
      since we disabled it.
    - Don't manually enable the systemd debhelper sequence: now done
      by default.
    - Drop now useless build-dependency on autotools-dev.
  * Declare compliance with Standards-Version 4.1.3 (no change required).
  * debian/control: add Rules-Requires-Root: no.
    - Cherry-pick upstream fix to pam_apparmor's Makefile.
  * Packaging cleanup:
    - Remove Kees Cook <kees at debian.org> from the Uploaders control field.
      Thanks a lot for the inspiring work you've done on this package
      in the past!
    - Remove obsolete calls to rm_conffile.
    - debian/copyright: use canonical URL to copyright-format/1.0.
    - debian/copyright: sort licenses in lexical order.
    - Use canonical URL to Debian bug in patch header.
    - debian/*.install: remove duplicates.
    - Stop versioning dependencies that are satisfied on Debian Wheezy
      and Ubuntu Trusty.
    - Reformat debian/* with 'cme fix dpkg' + wrap-and-sort.

apparmor (2.12-1) unstable; urgency=medium

  * New upstream release (Closes: #885522, #882043, #884014, #886732,
    #875892, #882070, #874665, #884280, #881936, #882135).
    - Drop obsolete patches.
  * dh-apparmor postinst snippet: create empty files in
    /etc/apparmor.d/local/ instead of repeating boilerplate.
  * dh-apparmor postinst snippet: simplify local overrides directory
    creation code.
  * Migrate to Git:
    - Configure gbp for DEP-14
    - Configure gbp-pq to avoid prefixing patches with numbers
    - README.source: adjust to Git
    - Update Vcs-* control fields: migrate to Git
  * Move libpam to Section: admin

apparmor (2.11.1-4) unstable; urgency=medium

  * Bump pinned feature set to linux-image-4.14.0-1's, version 4.14.2-1
    - Pinning a feature set without "mount", as we did before this change,
      breaks mount operations due to a bug in the kernel (Closes: #883703).
      Thanks to Fabian Grünbichler and Felix Geyer for reporting this.
    - AppArmor maintainers in Debian have been testing 4.14 without pinning
      for a while and all the known issues were fixed; it's time to enable
      4.14's features so we can learn what parts of our policy still need
      updates (Closes: #880078, #877581).
  * Move features file to /usr/share/apparmor-features (Closes: #883682).
    Thanks to Fabian Grünbichler <f.gruenbichler at proxmox.com> for the patch.
  * Document in apparmor/README.Debian where online documentation wrt. AppArmor
    on Debian lives (Closes: #845232). Thanks to Wouter Verhelst and Jean-Michel
    Vourgère for the suggestion.
  * Improve usability of apparmor-notify:
    - notify.conf: unset use_group.
      aa-notify checks that it can read the selected log file — and aborts
      if it can't — before it checks group membership vs. use_group, so in
      practice setting use_group is only useful for users who are allowed
      to read logs but don't want to see notifications. This seems to be
      a corner case, easily addressed per-user (~/.apparmor/notify.conf)
      or system-wide (by deinstalling apparmor-notify).
      So let's instead optimize for a more common use case, i.e. users who can
      read logs and want to see the notifications. This change does not
      impact the most common use case, i.e. desktop users who are not allowed
      to read logs (Closes: #880859).
    - Document in apparmor-notify/README.Debian that one must be in the "adm"
      group to use aa-notify.
    Thanks to Lisandro Damián Nicanor Pérez Meyer and Salvatore Bonaccorso
    whose combined bug reports led to this solution.
  * /lib/apparmor/functions: don't delete /etc/apparmor.d/cache/CACHEDIR.TAG
    ourselves (necessary, but not sufficient, to fix #883584).
  * Declare compliance with Standards-Version 4.1.2.

apparmor (2.11.1-3) unstable; urgency=medium

  * upstream-commit-92752f5-support-Google-Chrome-beta.patch:
    new patch, backported from upstream (Closes: #880923).

apparmor (2.11.1-2) unstable; urgency=medium

  * apparmor: drop obsolete dependency on libapparmor-perl.
    This dependency was added in 2.8.0-0ubuntu15, when aa-exec (that was
    written in Perl back then) got moved to the apparmor package.
    Nowadays aa-exec is written in C and AFAICT there's nothing in the
    apparmor package that uses libapparmor-perl.
  * apparmor-utils: drop obsolete dependency on libapparmor-perl.
    All the programs shipped in this package were rewritten in Python.
  * Drop obsolete dependencies on python{,3}-pkg-resources.
    They were added to "fix autopkgtests in click-apparmor and
    apparmor-easyprof-ubuntu". We don't ship these packages in Debian,
    and I'm told they're going away in Ubuntu anyway.

apparmor (2.11.1-1) unstable; urgency=medium

  * Import upstream 2.11.1 release.
    Drop obsolete patches and refresh remaining ones as needed.
  * pin-feature-set.patch: new patch, that pins the AppArmor feature set
    to Linux 4.13.4-2's (Closes: #879584).
    The AppArmor policy we ship is not fully ready for Linux 4.14 yet.
    Once our policy has been updated (#877581) we can bump the pinned
    feature set to Linux 4.14's.
    Note, however, that this is not fully effective in the specific case
    of 4.14-rcN up to 4.14-rc6 due to a kernel bug with pinned older
    feature sets, that will likely be fixed in Linux 4.14-rc7.
    For example, with Linux 4.14-rc5 some network (e.g. unix, inet, inet6)
    operations are denied despite the fact this pinned feature does not
    enable network mediation support. For details, see:
    https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278
  * Disable parser-include-usr-share-apparmor.patch: it's not used on Debian
    and would be made fuzzy by pin-feature-set.patch, thus causing useless
    maintenance busywork.
  * Improve phrasing of long packages description, based on a patch
    by Vincas Dargis <vindrg at gmail.com> (Closes: #795431).
  * Replace build-dependency on dh-systemd with a versioned one
    on debhelper, that now ships dh_systemd_*.
  * Set priority to "optional": "extra" is deprecated.
  * Bump Standards-Version to 4.1.1.
  * Drop "Testsuite: autopkgtest" control field: it is automatically added
    by dpkg-source(1) since dpkg 1.17.1 when a debian/tests/control file exists,
    which is the case here.
  * Move libapache2-mod-apparmor to Section "httpd", as suggested by Lintian.

apparmor (2.11.0-11) unstable; urgency=medium

  * Only use systemd-detect-virt when it's installed (Closes: #871953).
  * dh_apparmor: include the version of the package, so that one can find
    packages that were built with a particular version of dh_apparmor.
    (Closes: #872167).
  * Import patch submitted upstream to support Flatpak exports
    (Closes: #865206).
  * Revert "Build with GCC-6 on mips64el to workaround Debian#871538":
    that gcc-7 bug was fixed in 7.2.0-3 on 2017-09-02, presumably all buildd's
    chroot should have it by now.
  * Merge from Ubuntu citrain up to revision 1627, aka. 2.11.0-2ubuntu17.
    Applied all changes (filtering from that list what had already been
    done in Debian):
    - Remove apparmor system upstart job on upgrades.
    - r3631-apparmor-utils-python3.6-LOCALE.patch: fix utils to avoid
      breakage with python 3.6 (LP: #1661766).
    - nameservice-add-stub-resolv.patch: allow read access to systemd stub
      resolver configuration

apparmor (2.11.0-10) unstable; urgency=medium

  * Build with GCC-6 on mips64el to workaround #871538.

apparmor (2.11.0-9) unstable; urgency=medium

  * debian-chromium-paths.patch: new patch, fixes e.g. opening links
    (e.g. from Thunderbird) when Chromium is the default web browser
    (reported in #858911).

apparmor (2.11.0-8) unstable; urgency=medium

  * firefox-non-esr.patch: new patch, fixes e.g. opening links from
    Thunderbird when Firefox non-ESR is the default web browser
    (Closes: #858911).
  * Adjust metadata for wayland-cursor.patch: applied upstream.

apparmor (2.11.0-7) unstable; urgency=medium

  * compare_and_save_debsums(): fix quieting of diff on initial installation
    (Closes: #870696).
  * Don't explicitly pass runlevel nor sequence number to update-rc.d
    via dh_installinit (Closes: #870695).
    Thanks to Michael Biebl for the hint!
  * wayland-cursor.patch: new patch, to allow wayland-cursor-shared-*
    (Closes: #870807).
  * Merge from Ubuntu citrain up to revision 1620, i.e. 2.11.0-2ubuntu11.
    Applied all changes:
    - fix-aa-status-pod.patch: updates aa-status for newer podchecker
      (LP: #1707614)
    - adjust-python-for-3.6.patch: update python abstraction for 3.6
    - adjust-nameservice-for-systemd-resolved.patch: grant access to
      systemd-resolved in the nameservice abstraction (LP: #1598759).
    … and then disabled adjust-nameservice-for-systemd-resolved.patch
    that's dangerous without fine-grained AppArmor mediation of
    D-Bus traffic.
  * Remove upstart configuration: Upstart was removed in Debian Stretch
    so this file is no longer useful.
  * Drop ubuntu-manpage-updates.patch, that was only relevant with Upstart.

apparmor (2.11.0-6) unstable; urgency=medium

  * libapparmor-dev: stop installing /lib/*/libapparmor.la (Closes: #866636).

apparmor (2.11.0-5) unstable; urgency=medium

  * pass-compiler-flags-binutils.patch: new patch, fixes missing
    hardening flags in aa-enabled and aa-exec.
  * Merge from Ubuntu citrain up to revision 1617, i.e. 2.11.0-2ubuntu8.

apparmor (2.11.0-4) unstable; urgency=medium

  * Run parts of the upstream test suite as autopkgtests.
  * Declare compliance with Standards-Version 4.0.0 (no change required).
  * Add mentions-deprecated-usr-lib-perl5-directory to Lintian overrides,
    since usr-lib-perl5-mentioned has been renamed.
  * libapparmor1.symbols: require 2.8.94 instead of 2.8.94-0ubuntu1.
  * debian/rules: use variables provided by dpkg/pkg-info.mk instead
    of parsing the output of dpkg-parsechangelog.
  * Override mistaken apache2-module-depends-on-real-apache2-package
    Lintian check.
  * Merge from Ubuntu citrain up to revision 1616, i.e. 2.11.0-2ubuntu5
    (more recent changes, up to 2.11.0-2ubuntu8, have not been pushed
    to the citrain repo yet; they don't seem critical though).

apparmor (2.11.0-3) unstable; urgency=medium

  * Fix CVE-2017-6507: don't unload unknown profiles during package
    configuration or when restarting the apparmor init script, upstart job, or
    systemd unit as this could leave processes unconfined (Closes: #858768).
    Changes cherry-picked from Ubuntu's 2.11.0-2ubuntu3:
    - debian/apparmor.postinst, debian/apparmor.init, debian/apparmor.upstart:
      Remove calls to unload_obsolete_profiles()
    - debian/patches/utils-add-aa-remove-unknown.patch,
      debian/apparmor.install debian/apparmor.manpages: Include a new utility,
      aa-remove-unknown, which can be used to unload unknown profiles. Based
      on an upstream patch but adjusted to source the /lib/apparmor/functions
      shipped in Debian/Ubuntu.

Date: Thu, 15 Mar 2018 15:39:10 +0000
Changed-By: Tyler Hicks <tyhicks at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/apparmor/2.12-3ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 15 Mar 2018 15:39:10 +0000
Source: apparmor
Binary: apparmor apparmor-utils apparmor-profiles libapparmor-dev libapparmor1 libapparmor-perl libapache2-mod-apparmor libpam-apparmor apparmor-notify python-libapparmor python3-libapparmor python-apparmor python3-apparmor dh-apparmor apparmor-easyprof
Architecture: source
Version: 2.12-3ubuntu1
Distribution: bionic
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Tyler Hicks <tyhicks at canonical.com>
Description:
apparmor - user-space parser utility for AppArmor
apparmor-easyprof - AppArmor easyprof profiling tool
apparmor-notify - AppArmor notification system
apparmor-profiles - experimental profiles for AppArmor security policies
apparmor-utils - utilities for controlling AppArmor
dh-apparmor - AppArmor debhelper routines
libapache2-mod-apparmor - changehat AppArmor library as an Apache module
libapparmor-dev - AppArmor development libraries and header files
libapparmor-perl - AppArmor library Perl bindings
libapparmor1 - changehat AppArmor library
libpam-apparmor - changehat AppArmor library as a PAM module
python-apparmor - AppArmor Python utility library
python-libapparmor - AppArmor library Python bindings
python3-apparmor - AppArmor Python3 utility library
python3-libapparmor - AppArmor library Python3 bindings
Closes: 795431 832984 845232 858768 858911 865206 866636 870695 870696 870807 871953 872167 874665 875892 877581 879584 880078 880859 880923 881936 882043 882070 882135 883682 883703 884014 884280 885522 886732 887591 889806
Launchpad-Bugs-Fixed: 1385474 1538340 1598759 1658239 1661766 1707614 1728120 1730536 1733700 1736841 1751402 1752365
Original-Maintainer: Debian AppArmor Team <pkg-apparmor-team at lists.alioth.debian.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----