Control: found -1 2.7.103-4
Control: notfound -1 2.9.0-3

Here's some more information about that security issue that I could glean from testing and other sources.
To reproduce this in wheezy, you first need to install apparmor:

    apt-get install apparmor apparmor-profiles
    sed -i -e 's/GRUB_CMDLINE_LINUX_DEFAULT="/&security=apparmor /' /etc/default/grub
    update-grub
    reboot
    # check that apparmor is running
    sudo service apparmor status

then you can use the reproducer provided here:

https://bugs.launchpad.net/apparmor/+bug/1668892/comments/12

which is, basically:

    $ echo "profile test {}" | sudo apparmor_parser -qr
    $ sudo grep "test (enforce)" /sys/kernel/security/apparmor/profiles
    test (enforce)
    $ sudo service apparmor restart
    $ sudo grep "test (enforce)" /sys/kernel/security/apparmor/profiles

The above is an edited quote from a wheezy system, which shows wheezy is vulnerable. Jessie, on the other hand, does not seem to be vulnerable:

    root@jessie:/home/vagrant# echo "profile test {}" | sudo apparmor_parser -qr
    root@jessie:/home/vagrant# grep "test (enforce)" /sys/kernel/security/apparmor/profiles
    test (enforce)
    root@jessie:/home/vagrant# service apparmor restart
    root@jessie:/home/vagrant# grep "test (enforce)" /sys/kernel/security/apparmor/profiles
    test (enforce)
    root@jessie:/home/vagrant#

It is unclear why wheezy is affected and not jessie.

This issue, however, takes effect only when Apparmor is actually in use by third-party, non-default rules. This is the case for dynamic rules loaded by Docker and LXC, for example.

I am not sure Docker is really supported in Debian. The Docker.io package is badly out of shape and is not in testing anymore. It has 7 open RC bugs there. It's not in stable and the backport is out of date, so the impact for docker is limited. Besides, if anyone is trusting Docker to contain execution, they are probably mistaken anyway.

LXC, however, is in Debian, all the way back into Wheezy, so it's more of a concern. The impact here is that people running VMs under LXC would lose any sort of isolation as soon as apparmor is restarted, either through a package upgrade or an operator manipulation.
However, according to Wikipedia, kernels before 3.8 do not allow for proper isolation, and a root user in an LXC could escape into the host, as root:

https://en.wikipedia.org/wiki/LXC#Security

This makes the impact of this issue somewhat limited on wheezy, as there are already other more nasty ways to escape those old and insecure LXC restrictions. I would be ready to assume that no one runs LXC under wheezy and assumes proper isolation.

Jessie, however, does ship with a kernel newer than 3.8 (3.16) and a 1.0 LXC which is supposed to offer good isolation protection, although it's not clear to me that the Debian configuration actually does offer this.

I will therefore mark the issue as <no-dsa> (Experimental/unsupported feature) in wheezy, and recommend to mark the issue as "<not-affected> (?)" in jessie once my tests are confirmed by a third-party.

A.
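An added example, not part of the original mail or of the AppArmor project: a small POSIX shell script that turns the manual reproducer above into a repeatable check. It snapshots the loaded profile list from /sys/kernel/security/apparmor/profiles, restarts apparmor the way a package upgrade would, and reports every profile that is no longer listed afterwards (on the wheezy system in the report, the throwaway "test" profile; on an LXC host, the container profiles). The comparison itself, lost_profiles, is plain text processing over the "name (mode)" listing format shown above, so it can be exercised offline on constructed listings. The --live path assumes it runs as root on a system with AppArmor enabled; the file names and function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original bug report.
# Reports AppArmor profiles that disappear across "service apparmor restart".
export LC_ALL=C

# lost_profiles BEFORE AFTER
# Both files hold a listing in the format of
# /sys/kernel/security/apparmor/profiles, one "name (mode)" per line.
# Prints the profile names present in BEFORE but absent from AFTER.
lost_profiles() {
    before="$1"
    after="$2"
    # Strip the trailing " (mode)" so a profile whose mode merely changed
    # (enforce -> complain) is not reported as lost.
    sed 's/ ([a-z]*)$//' "$before" | sort -u > "${before}.names"
    sed 's/ ([a-z]*)$//' "$after"  | sort -u > "${after}.names"
    # comm -23: lines only in the first (sorted) file
    comm -23 "${before}.names" "${after}.names"
    rm -f "${before}.names" "${after}.names"
}

# Live check mirroring the reproducer in the report: load a throwaway
# profile, snapshot, restart apparmor, snapshot again, diff.
# Needs root and a kernel booted with security=apparmor.
check_restart_keeps_profiles() {
    profiles=/sys/kernel/security/apparmor/profiles
    snap_before=$(mktemp)
    snap_after=$(mktemp)
    echo "profile test {}" | apparmor_parser -qr
    cat "$profiles" > "$snap_before"
    service apparmor restart
    cat "$profiles" > "$snap_after"
    lost=$(lost_profiles "$snap_before" "$snap_after")
    rm -f "$snap_before" "$snap_after"
    if [ -n "$lost" ]; then
        echo "profiles dropped by restart (affected):"
        echo "$lost"
        return 1
    fi
    echo "all profiles survived restart (not affected)"
    return 0
}

# Only touch the live system when explicitly asked.
if [ "${1:-}" = "--live" ]; then
    check_restart_keeps_profiles
fi
```

Run it as `sh check-apparmor-restart.sh --live` on the host under test; a non-zero exit with the dropped profile names printed is the wheezy behaviour from the report, and an empty diff is the jessie behaviour. The mode is stripped before comparison on purpose: a profile flipping between enforce and complain is a different problem from a profile vanishing, and only the latter removes the container confinement the mail is concerned with.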