[pkg-apparmor] Apparmor update in Linux Mint 21.3 delayed by 6 months from Ubuntu date

Steve Beattie steve.beattie at canonical.com
Thu Sep 19 22:34:36 BST 2024


Hi Brad,

On Tue, Sep 17, 2024 at 03:26:37AM -0700, Brad Morrison wrote:
> I am running Linux Mint 21.3 with the Cinnamon desktop environment -
> https://www.linuxmint.com/edition.php?id=311 
> 
> An update to Apparmor came across the Linux Mint 21.3 Update Manager
> today, updating the package from old version "3.0.4-2ubuntu2.3build2"
> to new version "3.0.4-2ubuntu2.4" but the new version was dated "Tue, 06
> Mar 2024" in the changelog that lists rodrigo.zaiden at canonical.com as
> the maintainer. 
> 
> Here is a screenshot of how that update looks in the Linux Mint 21.3
> Update Manager - https://paste.opensuse.org/pastes/5b207dca03d3 (expires
> in 1 week) 
> 
> Why would this significant security & package update take 6 months to be
> pushed through to my machine? 

Linux Mint 21.3 is derived from and based on Ubuntu 22.04 LTS. The
update to apparmor was just published to that release this week:

  https://launchpad.net/ubuntu/+source/apparmor/3.0.4-2ubuntu2.4

The specific issue, CVE-2016-1585, being addressed here is that
the apparmor policy generated around mount rules was in some cases
less restrictive than intended. The result of fixing this is that
for users with mount rules in their apparmor policy, the update
might cause some of their applications to fail due to the tighter
restrictions. Many applications that might be confined by apparmor
don't need the ability to perform mount operations, but things like
container managers (docker, k8s, lxd) might, and thus could need
their policy adjusted after applying the update to not break them.

Because of this, while the update was originally prepared several
months ago, in Ubuntu, we published it in a testing pocket (called
"proposed"[1] in the Ubuntu ecosystem) to allow people to test the
update in their environment, and it is only now that we are moving
it to the updates and security pockets. This is why you haven't seen
it in Linux Mint until now.

More information on the update is available from:

  https://discourse.ubuntu.com/t/upcoming-apparmor-security-update-for-cve-2016-1585/
  https://bugs.launchpad.net/apparmor/+bug/1597017

As an aside, the pkg-apparmor list is primarily focused on apparmor
packaging in Debian.

Thanks!

> Other resources I browsed while discussing this issue on the Linux Mint
> IRC - https://manpages.ubuntu.com/manpages/jammy/en/man7/apparmor.7.html
> & https://packages.ubuntu.com/jammy/apparmor & https://apparmor.net/ 

[1] https://wiki.ubuntu.com/Testing/EnableProposed

-- 
Steve Beattie
<sbeattie at ubuntu.com>
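
Added example (not part of the original message and not Ubuntu's own tooling): a way to list which policy files contain mount rules, so they can be reviewed around this update. It assumes policy lives under /etc/apparmor.d; the function names and the sample profiles are constructed for illustration.

```shell
#!/bin/sh
# Find AppArmor policy files that contain mount rules.
# Matches mount / remount / umount rules, optionally preceded by the
# audit, allow or deny qualifiers. Comment lines never match.
MOUNT_RULE_RE='^[[:space:]]*((audit|allow|deny)[[:space:]]+)*(mount|remount|umount)([[:space:]]|,)'

# Print each policy file under $1 (default /etc/apparmor.d) with a mount rule.
profiles_with_mount_rules() {
    grep -rlE "$MOUNT_RULE_RE" "${1:-/etc/apparmor.d}" 2>/dev/null | sort
}

# Print file:line:rule for every mount rule, for review after the update.
show_mount_rules() {
    grep -rnHE "$MOUNT_RULE_RE" "${1:-/etc/apparmor.d}" 2>/dev/null | sort
}

# Constructed sample policy (not real profiles) so the script runs offline.
make_sample_policy() {
    d=$(mktemp -d)
    cat > "$d/usr.bin.container-demo" <<'EOF'
profile container-demo /usr/bin/container-demo {
  # mount is needed for the bind below
  mount options=(rw, bind) /srv/demo/ -> /mnt/demo/,
  audit deny remount,
  umount /mnt/demo/,
}
EOF
    cat > "$d/usr.bin.viewer-demo" <<'EOF'
profile viewer-demo /usr/bin/viewer-demo {
  /usr/share/mount-demo/** r,
  # mount,
}
EOF
    echo "$d"
}

sample=$(make_sample_policy)
show_mount_rules "$sample"   # three rules, all from usr.bin.container-demo
rm -rf "$sample"
```

This is a line-based match, so a rule that shares a line with other policy text is not reported.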