[pkg-apparmor] Apparmor update in Linux Mint 21.3 delayed by 6 months from Ubuntu date
Brad Morrison
bradmorrison at sonic.net
Fri Sep 20 18:02:37 BST 2024
Hi Steve/Rodrigo/pkg-apparmor-team,
Does it typically take 6 months for a Debian package update that
addresses a CVE to make its way downstream to a machine with Linux Mint
installed?
That seems very slow to me, but maybe I am misunderstanding the
processes involved...
I recently learned about the OpenSSF Scorecard project
(https://scorecard.dev/) from the Open Source Security podcast
(https://opensourcesecurity.io/). It is now on version 5.0 -
https://github.com/ossf/scorecard
Would that help automate some checks and speed up the testing process?
---
Thanks,
Brad - https://www.facebook.com/brad.morrison.12327/ &
https://norcal.social/@BradMorrison
On 2024-09-19 14:34, Steve Beattie wrote:
> Hi Brad,
>
> On Tue, Sep 17, 2024 at 03:26:37AM -0700, Brad Morrison wrote:
>
>> I am running Linux Mint 21.3 with the Cinnamon desktop environment -
>> https://www.linuxmint.com/edition.php?id=311
>>
>> An update to Apparmor came across the Linux Mint 21.3 Update Manager
>> today, updating the package from old version "3.0.4-2ubuntu2.3build2"
>> to new version "3.0.4-2ubuntu2.4" but the new version was dated "Tue, 06
>> Mar 2024" in the changelog that lists rodrigo.zaiden at canonical.com as
>> the maintainer.
>>
>> Here is a screenshot of how that update looks in the Linux Mint 21.3
>> Update Manager - https://paste.opensuse.org/pastes/5b207dca03d3 (expires
>> in 1 week)
>>
>> Why would this significant security & package update take 6 months to be
>> pushed through to my machine?
>
> Linux Mint 21.3 is derived from and based on Ubuntu 22.04 LTS. The
> update to apparmor was just published to that release this week:
>
> https://launchpad.net/ubuntu/+source/apparmor/3.0.4-2ubuntu2.4
>
> The specific issue, CVE-2016-1585, being addressed here is that
> the apparmor policy generated around mount rules was in some cases
> less restrictive than intended. The result of fixing this is that
> for users with mount rules in their apparmor policy, the update
> might cause some of their applications to fail due to the tighter
> restrictions. Many applications that might be confined by apparmor
> don't need the ability to perform mount operations, but things like
> container managers (docker, k8s, lxd) might, and thus could need
> their policy adjusted after applying the update to not break them.
>
> Because of this, while the update was originally prepared several
> months ago, in Ubuntu, we published it in a testing pocket (called
> "proposed"[1] in the Ubuntu ecosystem) to allow people to test the
> update in their environment, and it is only now that we are moving
> it to the updates and security pockets. This is why you haven't seen
> it in Linux Mint until now.
>
> More information on the update is available from:
>
> https://discourse.ubuntu.com/t/upcoming-apparmor-security-update-for-cve-2016-1585/
> https://bugs.launchpad.net/apparmor/+bug/1597017
>
> As an aside, the pkg-apparmor list is primarily focused on apparmor
> packaging in Debian.
>
> Thanks!
>
>> Other resources I browsed while discussing this issue on the Linux Mint
>> IRC - https://manpages.ubuntu.com/manpages/jammy/en/man7/apparmor.7.html
>> & https://packages.ubuntu.com/jammy/apparmor & https://apparmor.net/
>
> [1] https://wiki.ubuntu.com/Testing/EnableProposed
> _______________________________________________
> pkg-apparmor-team mailing list
> pkg-apparmor-team at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-apparmor-team
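The tightening Steve describes only bites profiles that carry mount rules, so the practical check before (and after) installing 3.0.4-2ubuntu2.4 is to find out which of your profiles have any. The script below is an added example, not code from the page, from Ubuntu or from the apparmor project: it scans a profile directory for mount-family rules (mount, umount/unmount, remount, pivot_root, with optional audit/deny/allow qualifiers) and runs against two constructed sample profiles whose names and paths are made up. On a real system you would point find_mount_profiles at /etc/apparmor.d and, after the update, exercise the listed applications and watch the kernel log for apparmor="DENIED" entries naming those profiles.

```shell
#!/bin/sh
# Added example (not from the page or the apparmor project): find AppArmor
# profile files that contain mount-family rules, i.e. the profiles whose
# confined applications should be tested when mount-rule policy tightens.

# Print the path of every file in DIR whose text has a rule whose leading
# token (after optional audit/deny/allow qualifiers) is mount, umount,
# unmount, remount or pivot_root. Comment lines and "#include" lines never
# match because the pattern is anchored at the first non-blank character.
find_mount_profiles() {
    dir="$1"
    grep -l -E \
        '^[[:space:]]*((audit|deny|allow)[[:space:]]+)*(mount|umount|unmount|remount|pivot_root)([[:space:]]|,)' \
        "$dir"/* 2>/dev/null || true
}

# Write two constructed sample profiles (hypothetical names, not shipped
# policy) into DIR so the check can be run offline.
make_samples() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/usr.bin.container-manager" <<'EOF'
# Constructed sample: a container manager that genuinely needs mount rules
#include <tunables/global>
/usr/bin/container-manager {
  #include <abstractions/base>
  capability sys_admin,
  mount options=(rw,bind) /var/lib/containers/** -> /run/containers/**,
  umount /run/containers/**,
  pivot_root /run/containers/*/rootfs/,
}
EOF
    cat > "$dir/usr.bin.plain-app" <<'EOF'
# Constructed sample: an ordinary application with no mount rules
#include <tunables/global>
/usr/bin/plain-app {
  #include <abstractions/base>
  /etc/plain-app.conf r,
  owner /home/*/.plain-app/** rw,
}
EOF
}

# Stand-alone demo: build the samples in a temp dir and list the hits.
demo() {
    tmp="$(mktemp -d)"
    make_samples "$tmp/apparmor.d"
    printf 'Profiles with mount rules (test these before and after the update):\n'
    find_mount_profiles "$tmp/apparmor.d"
    rm -rf "$tmp"
}

demo
```

Only the constructed container-manager profile is listed; the plain application is not, which is the point: most confined programs never touch mount and are unaffected by the stricter policy.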