Bug#924255: stretch-pu: package systemd/232-25+deb9u10

Cyril Brulebois kibi at debian.org
Sun Mar 10 16:41:32 GMT 2019


Hi,

(Replying from a d-i point of view.)

Michael Biebl <biebl at debian.org> (2019-03-10):
> I'd like to make a stable upload for systemd, fixing 5 separate issues.
> Two of them have a CVE.
> 
> The changelog is
> 
> systemd (232-25+deb9u10) stretch; urgency=medium
> 
>   * journald: fix assertion failure on journal_file_link_data (Closes: #916880)
> 
> https://salsa.debian.org/systemd-team/systemd/commit/67a3135d9c9b66b64544dd96a6741a86058ba7a8
> 
>   * tmpfiles: fix "e" to support shell style globs (Closes: #918400)
> 
> https://salsa.debian.org/systemd-team/systemd/commit/a1f9aa01624edc01bbbf50203fd35dd261d7480f
> 
>   * mount-util: accept that name_to_handle_at() might fail with EPERM.
>     Container managers frequently block name_to_handle_at(), returning
>     EACCES or EPERM when this is issued. Accept that, and simply fall back
>     to fdinfo-based checks. (Closes: #917122)
> 
> https://salsa.debian.org/systemd-team/systemd/commit/169eb2b486b832ef88746e9d25c4b181cabac5c2
> 
>   * automount: ack automount requests even when already mounted.
>     Fixes a race condition in systemd which could result in automount requests
>     not being serviced and processes using them to hang, causing denial of
>     service. (CVE-2018-1049)
> 
> https://salsa.debian.org/systemd-team/systemd/commit/2cae426a3e753f74ec8e829217dc9090abcfcf4d
> 
>   * core: when deserializing state always use read_line(…, LONG_LINE_MAX, …)
>     Fixes improper serialization on upgrade which can influence systemd
>     execution environment and lead to root privilege escalation.
>     (CVE-2018-15686, Closes: #912005)
> 
> https://salsa.debian.org/systemd-team/systemd/commit/82a114295a4ef123925d02081255fe88bec4867c

As usual, thanks for the detailed changelog and pointers!

> The fix for CVE-2018-15686/#912005 is the most invasive one. I based
> it partially on what was uploaded to old-stable by the debian-lts
> team.  With this patch applied, the demo exploit from [1] no longer
> causes systemctl stop to hang.  That said, I would appreciate a second
> pair of eyes to look over the patch.
> 
> As usual, KiBi is in CC as we build a udeb. Though the code changes
> above should not affect udev.

Right, I don't see how anything could affect d-i in any way. Release
team, please consider this ACKed for d-i. I'll have to perform some
runtime tests when the newer kernel gets considered anyway, so I'll
have some opportunity to spot a potential systemd regression…


Cheers,
-- 
Cyril Brulebois (kibi at debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant