ReleaseNotes 2 9 5

From AppArmor
Revision as of 05:51, 19 October 2017 by Jj (Policy)

AppArmor 2.9.5 Release Notes

AppArmor 2.9.5 is an incremental bug fix release over AppArmor 2.9.4 that is focused on fixing issues in the userspace code.

It includes the changes in the 2.9 branch between r3045 (AppArmor 2.9.4) and r3068.

Policy Compiler (a.k.a. apparmor_parser)

  • Fix af_unix downgrade of network rules
  • parser: Fix delete after new[]


  • Preserve unknown profiles when restarting apparmor init/job/unit. CVE-2017-6507 lp#1668892


  • aa-logprof - Ignore change_hat events with error=-1 and "unconfined can not change_hat"
  • aa-unconfined - fix netstat invocation regression
  • Add aa-remove-unknown utility to unload unknown profiles lp#1668892
  • Remove re.LOCALE flag lp#1661766


  • abstractions
    • base - update for glibc use of /proc/*/auxv and /proc/*/status
    • apache2 - updates for proper signal handling, optional saslauth, and OCSP stapling
    • support /usr/local/applications; support subdirs of applications folder
    • Adjust python abstraction for python3.6
  • dovecot
    • Allow /var/run/dovecot/login-master-notify* in dovecot imap-login profiles
    • add the attach_disconnected flag
    • change Px to mrPx for /usr/lib/dovecot/*
    • Add several permissions to the dovecot profiles that are needed on Ubuntu lp#1512131
    • dovecot-lda needs lp#1650827
  • traceroute updates
  • Samba profile updates for Active Directory / Kerberos
  • Postfix
    • change abstractions/postfix-common to allow /etc/postfix/*.db k
    • add several permissions to postfix/error, postfix/lmtp and postfix/pipe
    • remove superfluous abstractions/kerberosclient from all postfix


  • aa-status: update man page for updated podchecker lp#1707614
  • utils: Add --no-reload option to manpage


  • libapparmor/tests
    • remove test_multi unconfined-change_hat.profile
  • regression/tests
    • fix environ fail case