Ubuntu
apparmor package

Latest Security Release Not Included In Security Repo?

Asked by Andrew Killen

I am running Focal Fossa and noticed that AppArmor was vulnerable (CVE-2016-1585). My automatic upgrade attempts were not upgrading from the vulnerable version 2.13.3-7ubuntu5.3build2 to the latest version 2.13.3-7ubuntu5.4. When investigating further it is because my systems are configured to only pull updates out of the security repository, which does not include this update.

My thought is that there is potentially some sort of lag between releasing to Updates and then Security, but I haven't found any confirmation of this. Will this update eventually be included in the Security repository? If so, is there documentation on how those decision are made (for my own edification)? If not, why not?

Thank you,
Andrew

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu apparmor Edit question
Assignee:
No assignee Edit question
Solved by:
Manfred Hampl
Solved:
Last query:
Last reply:
Revision history for this message
Bernard Stafford (bernard010) said : 		#1

Try: sudo apt update && sudo apt upgrade

Revision history for this message
Best Manfred Hampl (m-hampl) said (last edit ): 		#2

As far as I can see from https://launchpad.net/ubuntu/+source/apparmor the new version has only been published to -updates, but not to -security, although being marked as fixing a security-related bug.
This is not in line with https://help.ubuntu.com/community/Repositories/Ubuntu#Install_updates_from%3A

The same is valid also for Ubuntu jammy.

I suggest that you create a comment on the bug report linked above,

Revision history for this message
Andrew Killen (andrewbkillen) said : 		#3

Bernard, yes that does complete the upgrade since I have non-security repositories configured on these systems. The reason for my question though was that we have systems that have automated patching configured that only pulls from the security repository to reduce the volume of changes while also staying up to date with security patching.

Manfred, I appreciate the link and suggestion to comment on the bug I linked in this question. I wasn't sure of my understanding on what belongs in the security repository, but your documentation reinforces that something is not right here. I will mark this as problem solved here and follow up in the bug thread.

Thank you both!

Revision history for this message
Andrew Killen (andrewbkillen) said : 		#4

Thanks Manfred Hampl, that solved my question.