[05:55] <blahdeblah> Out of curiosity, how often do old vulns get reevaluated?  Our corporate vuln management tool is complaining about https://ubuntu.com/security/CVE-2021-3864 on my fully-patched jammy system.
[05:55] -ubottu:#ubuntu-security- A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a re... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3864>
[07:02] <amurray> blahdeblah: the ubuntu cve page for this has a note from sbeattie saying there is no official fix from upstream for this as of 2022-01-27 - I am assuming this is still the case
[07:04] <blahdeblah> Yep, saw that; just wondered if it is still true, given that note was the last time the entry appears to have changed.
[09:12] <Apparmortastic> georgiag that's interesting, then my question becomes, has libnss-resolve ever worked on apparmor based systems?
[09:13] <Apparmortastic> because if i understand flags=(attach_disconnected) right, it's a security issue to do so and i would have to add it to all profiles that need internet, which is all of them
[11:29] <georgiag> Apparmortastic: I'm not sure, I'd have to check. I was basing myself only on the "allowed" log you pasted. we are currently working on improving attach_disconnected because it's very permissive, but a lot of applications need it. depending on the version you're running, you can specify the path using flags=(attach_disconnected.path=/foo)
[11:42] <Apparmortastic> georgiag i made a bug report https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2051506 for this
[11:42] -ubottu:#ubuntu-security- Launchpad bug 2051506 in apparmor (Ubuntu) "apparmor blocks libnss-resolve socket" [Undecided, Confirmed]
[11:46] <georgiag> Apparmortastic: thanks!
[17:22] <sbeattie> blahdeblah: we do periodically go back through the cves that don't have an identified upstream fix, though the ones that are older get less focesed attention.
[17:23] <sbeattie> blahdeblah: looking at that specific cve, I'm not seeing a fix that landed upstream for it, and both redhat and suse closed out their associated bug reports with wontfix. :/
[19:05] <blahdeblah> Thanks sbeattie