Hi,

Antoine Beaupre:
> Jessie, on the other hand, does not seem to be vulnerable:

From my reading of the code, it seems that Wheezy, Jessie and Stretch are all vulnerable, but only when using sysvinit. I've just fixed this issue in sid, and filed an unblock request for Stretch.

But systems running systemd should not be vulnerable, as systemd doesn't use the "restart" action of initscripts: instead, it runs "stop" then "start". And the "stop" action in /etc/init.d/apparmor does not unload profiles (since 2.1+961-0ubuntu2 according to the changelog). I think this explains why Antoine could not reproduce the problem on Jessie.

Salvatore: with this in mind, do you think we should fix this problem in Jessie? If yes, with a DSA or jessie-pu?

Ola: the minimal fix for Wheezy is to cherry-pick the part of r1624 (in Vcs-Bzr) that removes calls to unload_obsolete_profiles, ignoring the bits about aa-remove-unknown:

  https://alioth.debian.org/scm/loggerhead/collab-maint/apparmor/revision/1624

Cheers,
--
intrigeri