Bugzilla – Bug 1029696
VUL-0: CVE-2017-6507: apparmor: "rcapparmor reload" unloads all LXD profiles
Last modified: 2018-11-12 23:14:31 UTC
Just as an early information - there will be a security update for AppArmor soon.

The problem is that "rcapparmor reload" unloads profiles that are not in /etc/apparmor.d/. This behaviour was fine in the past. However, with containers, virtualization etc. it became problematic because they often auto-generate profiles and store them elsewhere - which results in unloading the profile on "rcapparmor reload" and leaving that container etc. unconfined.

The upstream fix will be:
- no longer unload "unknown" profiles on "rcapparmor reload"
- provide a new tool for admins who explicitly want to unload unknown profiles

References:
CVE 2017-6507
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1668892

Note that this bug is not public yet. If needed, I can provide you with a copy of the bug details on launchpad.

BTW: I'd like to fix the regression from bug 1017260 with the same update, so it would be good to get some feedback there soon ;-)
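The condition described in comment #0, as an added example that is not part of the original bug report or of the AppArmor sources: a shell check that compares the kernel's list of loaded profiles with the names defined in the profile directory and reports the "unknown" ones that a pre-fix "rcapparmor reload" would unload. The function names and the sample profile names are constructed for illustration; how the list of known names is collected is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report or AppArmor sources).
# Lists loaded profiles with no definition in the profile directory, i.e. the
# "unknown" profiles that the pre-fix "rcapparmor reload" would unload.

# unknown_profiles LOADED KNOWN
#   LOADED: file in the format of /sys/kernel/security/apparmor/profiles,
#           one "name (mode)" entry per line
#   KNOWN:  file with one profile name per line (assumption: collected by the
#           admin, e.g. with "apparmor_parser -N" over /etc/apparmor.d files)
unknown_profiles() {
    awk '
        FILENAME == ARGV[1] { known[$0] = 1; next }   # first file: known names
        {
            name = $0
            sub(/ \([a-z]+\)$/, "", name)             # drop trailing " (mode)"
            if (!(name in known)) print name
        }
    ' "$2" "$1"
}

# count_unknown LOADED KNOWN: number of profiles at risk of being unloaded.
count_unknown() {
    unknown_profiles "$1" "$2" | grep -c . || true
}

# demo: run the check on constructed sample data (hypothetical profile names).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/loaded" <<'EOF'
/usr/sbin/ntpd (enforce)
lxd-c1_</var/lib/lxd> (enforce)
/usr/bin/example (complain)
EOF
    cat > "$dir/known" <<'EOF'
/usr/sbin/ntpd
/usr/bin/example
EOF
    echo "Loaded but not defined in the profile directory:"
    unknown_profiles "$dir/loaded" "$dir/known"
    rm -rf "$dir"
}

demo
```

A non-zero count before a reload on an unpatched package means those confined workloads would end up unconfined afterwards.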
(In reply to Christian Boltz from comment #0)
> Note that this bug is not public yet. If needed, I can provide you with a
> copy of the bug details on launchpad.

Please do.
Created attachment 717776
PDF dump of the bugreport on launchpad

Thinking about it - do you have a launchpad account? If so, which username? I should be able to CC you on the bugreport ;-)
In the meantime, the bug was made public on launchpad (so feel free to make this bug also public), and patches were committed to upstream bzr. I'll commit updated packages over the weekend.
This is an autogenerated message for OBS integration: This bug (1029696) was mentioned in https://build.opensuse.org/request/show/482776 Factory / apparmor
This is an autogenerated message for OBS integration: This bug (1029696) was mentioned in https://build.opensuse.org/request/show/483290 42.1+42.2 / apparmor
openSUSE-SU-2017:0969-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1016259,1017260,1029696
CVE References: CVE-2017-6507
Sources used:
openSUSE Leap 42.2 (src): apparmor-2.10.2-12.3.1
openSUSE Leap 42.1 (src): apparmor-2.10.2-12.1
SUSE-SU-2017:1151-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1000201,1016259,1022610,1029696,1031529
CVE References: CVE-2017-6507
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): apparmor-2.8.2-54.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): apparmor-2.8.2-54.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): apparmor-2.8.2-54.1
SUSE Linux Enterprise Server 12-SP2 (src): apparmor-2.8.2-54.1
SUSE Linux Enterprise Server 12-SP1 (src): apparmor-2.8.2-54.1
SUSE Linux Enterprise Desktop 12-SP2 (src): apparmor-2.8.2-54.1
SUSE Linux Enterprise Desktop 12-SP1 (src): apparmor-2.8.2-54.1
OpenStack Cloud Magnum Orchestration 7 (src): apparmor-2.8.2-54.1
Closing as FIXED
SUSE-RU-2018:3738-1: An update that has 68 recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1010391,1017726,1017728,1017731,1017737,1017753,1020271,1023815,1029132,1029696,1043305,1046514,1047010,1050754,1051190,1051369,1058042,1058076,1058365,1061131,1061906,1062209,1063706,1064156,1066537,1066566,1067789,1068181,1068426,1070674,1070759,1071210,1071958,1073377,1074026,1074713,1074844,1075949,1075996,1076430,1077112,1077734,1080616,1080879,1081377,1081409,1084275,1085797,1086896,1088500,1088985,1089361,1091022,1092434,1094404,1094593,1098836,1099326,1101458,1101631,1102514,1103082,1104266,1107305,1107314,1108068,1110744,710788 CVE References: Sources used: SUSE Linux Enterprise Workstation Extension 12-SP3 (src): sled-manuals_en-12.3-6.3.3 SUSE Linux Enterprise Server 12-SP3 (src): sles-manuals_en-12.3-6.3.3 SUSE Linux Enterprise Desktop 12-SP3 (src): sled-manuals_en-12.3-6.3.3, sles-manuals_en-12.3-6.3.3