Commit 7790774e authored by Salvatore Bonaccorso

Update information on CVE-2016-1585/apparmor

The issue is still unresolved but the overall impact in Debian is
limited.

As confirmed by the AppArmor maintainers in Debian, this issue only
affects overall two things (in Debian):

 1. lxc. This is not a regression, since we never confined LXC with
    AppArmor by default before buster (And stretch kernel does not have
    support for mount rules). This means that in the worst case buster hosts
    are less strictly confined than they ideally would be, as mount rules are
    supported.

 2. libvirtd. This is not a big deal, as the profile used for libvirtd
    is not meant to be a strong security boundary (libvirtd can do so
    much anyway), but rather as a way to start processes run by libvirtd
    under their own profile.

For these reasons it can be safely no-dsa (and stronger ignored) for
stretch, probably as well for buster.

The same reason probably can be applied to jessie, as it contains
apparmor >= 2.8.

Thanks: intrigeri
parent b56ec5a8