Package: unbound
Version: 1.8.1-1
Severity: important
Tags: security

The unbound package runs dh_apparmor too late, causing the generated postinst to have dh_enable_systemd parts run first, which enable and start the service. Because the process is already running, the parts added by dh_apparmor to load the apparmor files have no effect until a manual service restart.

This means that, directly after install, unbound is not protected by apparmor; a restart of the machine or service is required first. As this has security implications, I chose the important severity.

The system info below is from Ubuntu, but I verified it on a Debian system.

-- System Information:
Debian Release: buster/sid
  APT prefers disco
  APT policy: (500, 'disco'), (500, 'cosmic-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-13-generic (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unbound depends on:
ii  adduser         3.117ubuntu1
ii  dns-root-data   2018091102
ii  libc6           2.28-0ubuntu1
ii  libevent-2.1-6  2.1.8-stable-4build1
ii  libfstrm0       0.4.0-1
ii  libprotobuf-c1  1.3.1-1build1
ii  libpython3.7    3.7.2~rc1-1
ii  libssl1.1       1.1.1a-1ubuntu2
ii  libsystemd0     239-7ubuntu15
ii  lsb-base        9.20170808ubuntu1
ii  openssl         1.1.1a-1ubuntu2
ii  unbound-anchor  1.8.1-1

unbound recommends no packages.

Versions of packages unbound suggests:
ii  apparmor  2.12-4ubuntu10

-- no debconf information

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer
i speak de, en
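
The ordering problem described in this report can be checked mechanically in a generated maintainer script. The shell functions below are an added example, not part of the original report or of the unbound packaging; they assume debhelper's "# Automatically added by dh_<tool>" fragment markers and the listed service-start helper names, and the sample postinst is constructed.

```shell
#!/bin/sh
# Added example: does a postinst load the AppArmor profile before it starts
# the service? Assumption: each debhelper fragment begins with a comment of
# the form "# Automatically added by dh_<tool>".

# Print the line number of the first fragment marker in file $1 whose
# helper name matches the extended regex $2 (empty output if none).
first_marker() {
    grep -n -E "^# Automatically added by ($2)" "$1" | head -n 1 | cut -d: -f1
}

# Print "ok" if the profile is loaded before the first service start,
# "late" if it is loaded afterwards (service starts unconfined), and
# "no-profile" if the script has no dh_apparmor fragment at all.
postinst_order() {
    aa=$(first_marker "$1" 'dh_apparmor')
    svc=$(first_marker "$1" 'dh_systemd_start|dh_installsystemd|dh_installinit')
    if [ -z "$aa" ]; then
        echo "no-profile"
    elif [ -z "$svc" ] || [ "$aa" -lt "$svc" ]; then
        echo "ok"
    else
        echo "late"
    fi
}

# Constructed sample reproducing the ordering described in the report:
# enable and start fragments first, AppArmor fragment last. The ":" lines
# are placeholders for the real fragment bodies.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
set -e
# Automatically added by dh_systemd_enable
: enable the service (placeholder)
# End automatically added section
# Automatically added by dh_systemd_start
: start the service (placeholder)
# End automatically added section
# Automatically added by dh_apparmor
: load the AppArmor profile (placeholder)
# End automatically added section
EOF
}

# Usage: sh check.sh /var/lib/dpkg/info/<package>.postinst
if [ "$#" -gt 0 ]; then postinst_order "$1"; fi
```

A "late" result means the daemon started by the install keeps running unconfined until it is restarted.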