| blahdeblah | amurray: Around? Just wondering if you (or sbeattie, but y'know - time zones) could shed some light on the situation with https://ubuntu.com/security/CVE-2016-1585. | 05:19 |
|---|---|---|
| -ubottu:#ubuntu-security- In all versions of AppArmor mount rules are accidentally widened when compiled. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1585> | 05:19 | |
| blahdeblah | We're getting alerts about it from our vulnerability management system, and it seems weird that it's a CVSS 9.8 but it was considered medium and isn't fixed in the LTS versions. | 05:20 |
| sbeattie | blahdeblah: https://discourse.ubuntu.com/t/upcoming-apparmor-security-update-for-cve-2016-1585/44268 fix is available in the proposed pockets | 05:33 |
| -ubottu:#ubuntu-security- In all versions of AppArmor mount rules are accidentally widened when compiled. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1585> | 05:33 | |
| sbeattie | blahdeblah: it's only an issue for you if you have apparmor policies with mount rules in them. | 05:34 |
| sbeattie | (and specifically some kinds of mount rules) | 05:34 |
| blahdeblah | sbeattie: So it's not in any default configurations? | 05:51 |
| sarnold | blahdeblah: "default configuration" is a bit hard to pin down -- depending upon the apparmor profiles that are installed by applications you've installed, you may or may not be affected. you'd have to inspect the apparmor policy on your systems and try to think through how bad it would be for each application to have the ability to skip mount flags that were specified as mandatory in the apparmor | 18:38 |
| sarnold | policy | 18:38 |
| sarnold | omg that's my second message today that blew past the irc line length limits | 18:38 |
| sarnold | is it going to be like this all day? | 18:39 |
| sarnold | blahdeblah: and, of course, if any of your applications are doing mount operations that are allowed by the incorrectly compiled policy, you may have regressions when the fix is installed, because the policy might need amending to intentionally allow what was previously accidentally allowed | 18:40 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!