Changelog
apparmor (2.11.0-3) unstable; urgency=medium

  * Fix CVE-2017-6507: don't unload unknown profiles during package
    configuration or when restarting the apparmor init script, upstart job, or
    systemd unit as this could leave processes unconfined (Closes: #858768).
    Changes cherry-picked from Ubuntu's 2.11.0-2ubuntu3:
    - debian/apparmor.postinst, debian/apparmor.init, debian/apparmor.upstart:
      Remove calls to unload_obsolete_profiles()
    - debian/patches/utils-add-aa-remove-unknown.patch,
      debian/apparmor.install debian/apparmor.manpages: Include a new utility,
      aa-remove-unknown, which can be used to unload unknown profiles. Based
      on an upstream patch but adjusted to source the /lib/apparmor/functions
      shipped in Debian/Ubuntu.

 -- intrigeri <email address hidden>  Tue, 28 Mar 2017 10:29:15 +0000