Type: SECURITY
Impact: MODERATE
Release Date: 2020-05-05
[239-29.0.1.el8]
- fix to enable systemd-pstore.service [Orabug: 30951066]
- journal: change support URL shown in the catalog entries [Orabug: 30853009]
- fix to generate systemd-pstore.service file [Orabug: 30230056]
- fix _netdev is missing for iscsi entry in /etc/fstab (tony.l.lam@oracle.com) [Orabug: 25897792]
- set 'RemoveIPC=no' in logind.conf as default for OL7.2 [Orabug: 22224874]
- allow dm remove ioctl to co-operate with UEK3 (Vaughan Cao) [Orabug: 18467469]
- add hv dynamic memory support (Jerry Snitselaar) [Orabug: 18621475]
- Backport upstream patches for the new systemd-pstore tool (Eric DeVolder) [OraBug: 30230056]
[239-29]
- cryptsetup: Treat key file errors as a failed password attempt (#1763155)
[239-28]
- pid1: fix DefaultTasksMax initialization (#1809037)
- cgroup: make sure that cpuset is supported on cgroup v2 and disabled with v1 (#1808940)
- test: introduce TEST-36-NUMAPOLICY (#1808940)
- test: replace tail -f with journal cursor which should be more reliable (#1808940)
- test: support MPOL_LOCAL matching in unpatched strace versions (#1808940)
- test: make sure the strace process is indeed dead (#1808940)
- test: skip the test on systems without NUMA support (#1808940)
- test: give strace some time to initialize (#1808940)
- test: add a simple sanity check for systems without NUMA support (#1808940)
- test: drop the missed || exit 1 expression (#1808940)
- test: replace cursor file with a plain cursor (#1808940)
[239-27]
- cgroup: introduce support for cgroup v2 CPUSET controller (#1724617)
[239-26]
- seccomp: introduce seccomp_restrict_suid_sgid() for blocking chmod() for suid/sgid files (#1687512)
- test: add test case for restrict_suid_sgid() (#1687512)
- core: expose SUID/SGID restriction as new unit setting RestrictSUIDSGID= (#1687512)
- analyze: check for RestrictSUIDSGID= in 'systemd-analyze security' (#1687512)
- man: document the new RestrictSUIDSGID= setting (#1687512)
- units: turn on RestrictSUIDSGID= in most of our long-running daemons (#1687512)
- core: imply NNP and SUID/SGID restriction for DynamicUser=yes service (#1687512)
[239-25]
- sd-bus: use 'queue' message references for managing r/w message queues in connection objects (CVE-2020-1712)
- pid1: make sure to restore correct default values for some rlimits (#1789930)
- main: introduce a define HIGH_RLIMIT_MEMLOCK similar to HIGH_RLIMIT_NOFILE (#1789930)
[239-24]
- rules: reintroduce 60-alias-kmsg.rules (#1739353)
- sd-bus: make rqueue/wqueue sizes of type size_t (CVE-2020-1712)
- sd-bus: reorder bus ref and bus message ref handling (CVE-2020-1712)
- sd-bus: make sure dispatch_rqueue() initializes return parameter on all types of success (CVE-2020-1712)
- sd-bus: drop two inappropriate empty lines (CVE-2020-1712)
- sd-bus: initialize mutex after we allocated the wqueue (CVE-2020-1712)
- sd-bus: always go through sd_bus_unref() to free messages (CVE-2020-1712)
- bus-message: introduce two kinds of references to bus messages (CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages (CVE-2020-1712)
- sd-event: add sd_event_source_disable_unref() helper (CVE-2020-1712)
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (CVE-2020-1712)
- sysctl: let's by default increase the numeric PID range from 2^16 to 2^22 (#1744214)
- journal: do not trigger assertion when journal_file_close() gets NULL (#1788085)
- journal: use cleanup attribute at one more place (#1788085)
[239-23]
- catalog: fix name of variable (#1677768)
- cryptsetup: add keyfile-timeout to allow a keydev timeout and allow to fallback to a password if it fails. (#1763155)
- cryptsetup: add documentation for keyfile-timeout (#1763155)
- cryptsetup: use unabbreviated variable names (#1763155)
- cryptsetup: don't assert on variable which is optional (#1763155)
- cryptsetup-generator: guess whether the keyfile argument is two items or one (#1763155)
- crypt-util: Translate libcryptsetup log level instead of using log_debug() (#1776408)
- cryptsetup: add some commenting about EAGAIN generation (#1776408)
- cryptsetup: downgrade a log message we ignore (#1776408)
- cryptsetup: rework how we log about activation failures (#1776408)
[239-22]
- spec: don't ship /var/log/README
- spec: provide systemd-rpm-macros
[239-21]
- test-cpu-set-util: fix comparison for allocation size (#1734787)
- test-cpu-set-util: fix allocation size check on i386 (#1734787)
[239-20]
- journal: rely on _cleanup_free_ to free a temporary string used in client_context_read_cgroup (#1764560)
- basic/user-util: allow dots in user names (#1717603)
- sd-bus: bump message queue size again (#1770189)
- tests: put fuzz_journald_processing_function in a .c file (#1764560)
- tests: add a fuzzer for dev_kmsg_record (#1764560)
- basic: remove an assertion from cunescape_one (#1764560)
- journal: fix an off-by-one error in dev_kmsg_record (#1764560)
- tests: add a reproducer for a memory leak fixed in 30eddcd51b8a472e05d3b8d1 in August (#1764560)
- tests: add a reproducer for a heap-buffer-overflow fixed in 937b1171378bc1000a (#1764560)
- test: initialize syslog_fd in fuzz-journald-kmsg too (#1764560)
- tests: add a fuzzer for process_audit_string (#1764560)
- journald: check whether sscanf has changed the value corresponding to %n (#1764560)
- tests: introduce dummy_server_init and use it in all journald fuzzers (#1764560)
- tests: add a fuzzer for journald streams (#1764560)
- tests: add a fuzzer for server_process_native_file (#1764560)
- fuzz-journal-stream: avoid assertion failure on samples which don't fit in pipe (#1764560)
- journald: take leading spaces into account in syslog_parse_identifier (#1764560)
- Add a warning about the difference in permissions between existing directories and unit settings. (#1778384)
- execute: remove one redundant comparison check (#1778384)
- core: change ownership/mode of the execution directories also for static users (#1778384)
- core/dbus-execute: remove unnecessary initialization (#1734787)
- shared/cpu-set-util: move the part to print cpu-set into a separate function (#1734787)
- shared/cpu-set-util: remove now-unused CPU_SIZE_TO_NUM() (#1734787)
- Rework cpu affinity parsing (#1734787)
- Move cpus_in_affinity_mask() to cpu-set-util.[ch] (#1734787)
- test-cpu-set-util: add simple test for cpus_in_affinity_mask() (#1734787)
- test-cpu-set-util: add a smoke test for test_parse_cpu_set_extend() (#1734787)
- pid1: parse CPUAffinity= in incremental fashion (#1734787)
- pid1: don't reset setting from /proc/cmdline upon restart (#1734787)
- pid1: when reloading configuration, forget old settings (#1734787)
- test-execute: use CPUSet too (#1734787)
- shared/cpu-set-util: drop now-unused cleanup function (#1734787)
- shared/cpu-set-util: make transfer of cpu_set_t over bus endian safe (#1734787)
- test-cpu-set-util: add test for dbus conversions (#1734787)
- shared/cpu-set-util: introduce cpu_set_to_range() (#1734787)
- systemctl: present CPUAffinity mask as a list of CPU index ranges (#1734787)
- shared/cpu-set-util: only force range printing one time (#1734787)
- execute: dump CPUAffinity as a range string instead of a list of CPUs (#1734787)
- cpu-set-util: use %d-%d format in cpu_set_to_range_string() only for actual ranges (#1734787)
- core: introduce NUMAPolicy and NUMAMask options (#1734787)
- core: disable CPUAccounting by default (#1734787)
- set kptr_restrict=1 (#1689346)
- cryptsetup: reduce the chance that we will be OOM killed (#1696602)
- core, job: fix breakage of ordering dependencies by systemctl reload command (#1766417)
- debug-generator: enable custom systemd.debug_shell tty (#1723722)
[239-19]
- core: never propagate reload failure to service result (#1735787)
- man: document systemd-analyze security (#1750343)
- man: reorder and add examples to systemd-analyze(1) (#1750343)
- travis: move to CentOS 8 docker images (#1761519)
- travis: drop SCL remains (#1761519)
- syslog: fix segfault in syslog_parse_priority() (#1761519)
- sd-bus: make strict asan shut up (#1761519)
- travis: don't run slow tests under ASan/UBSan (#1761519)
- kernel-install: do not require non-empty kernel cmdline (#1701454)
- ask-password: prevent buffer overflow when reading from keyring (#1752050)
- core: try to reopen /dev/kmsg again right after mounting /dev (#1749212)
- buildsys: don't garbage collect sections while linking (#1748258)
- udev: introduce CONST key name (#1762679)
- Call getgroups() to know size of supplementary groups array to allocate (#1743230256 KB
- Consider smb3 as remote filesystem (#1757257)
- process-util: introduce pid_is_my_child() helper (#1744972)
- core: reduce the number of stalled PIDs from the watched processes list when possible (#1744972)
- core: only watch processes when it's really necessary (#1744972)
- core: implement per unit journal rate limiting (#1719577)
- path: stop watching path specs once we triggered the target unit (#1763161)
- journald: fixed assertion failure when system journal rotation fails (#9893) (#1763619)
- test: use PBKDF2 instead of Argon2 in cryptsetup... (#1761519)
- test: mask several unnecessary services (#1761519)
- test: bump the second partitions size to 50M (#1761519)
- shared/sleep-config: exclude zram devices from hibernation candidates (#1763617)
- selinux: don't log SELINUX_INFO and SELINUX_WARNING messages to audit (#1763612)
- sd-device: introduce log_device_*() macros (#1753369)
- udev: Add id program and rule for FIDO security tokens (#1753369)
- shared/but-util: drop trusted annotation from bus_open_system_watch_bind_with_description() (#1746857)
- sd-bus: adjust indentation of comments (#1746857)
- resolved: do not run loop twice (#1746857)
- resolved: allow access to Set*Link and Revert methods through polkit (#1746857)
- resolved: query polkit only after parsing the data (#1746857)
CVE-2019-3844 |
CVE-2019-3843 |
Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label |
Oracle Linux 8 (aarch64) | systemd-239-29.0.1.el8.src.rpm | 7de9327d00025ab98ea79b6cac2c54979c89b42ab8ec6a46adb3f91206729489 | - | ol8_aarch64_baseos_latest |
systemd-239-29.0.1.el8.src.rpm | 7de9327d00025ab98ea79b6cac2c54979c89b42ab8ec6a46adb3f91206729489 | - | ol8_aarch64_u2_baseos_base | |
systemd-239-29.0.1.el8.aarch64.rpm | 2b1860c8ec7c8751c227eacb7fa1b7c0e2669160f2624320cae2528c9583b9e9 | - | ol8_aarch64_baseos_latest | |
systemd-239-29.0.1.el8.aarch64.rpm | 2b1860c8ec7c8751c227eacb7fa1b7c0e2669160f2624320cae2528c9583b9e9 | - | ol8_aarch64_u2_baseos_base | |
systemd-container-239-29.0.1.el8.aarch64.rpm | 2c2a1161e88702844e39f6ac65808c955fe51eaea18297280f4369c19e60d85f | - | ol8_aarch64_baseos_latest | |
systemd-container-239-29.0.1.el8.aarch64.rpm | 2c2a1161e88702844e39f6ac65808c955fe51eaea18297280f4369c19e60d85f | - | ol8_aarch64_u2_baseos_base | |
systemd-devel-239-29.0.1.el8.aarch64.rpm | 3e6160c3e42ce41c09b0525f9f978b29d43c5a5c05f111f515db7cd52ad2f8c0 | - | ol8_aarch64_baseos_latest | |
systemd-devel-239-29.0.1.el8.aarch64.rpm | 3e6160c3e42ce41c09b0525f9f978b29d43c5a5c05f111f515db7cd52ad2f8c0 | - | ol8_aarch64_u2_baseos_base | |
systemd-journal-remote-239-29.0.1.el8.aarch64.rpm | 3f1322f12c8c9d627d811e4880cacce5b200d05cdb1bc7e70001c829ca43396a | - | ol8_aarch64_baseos_latest | |
systemd-journal-remote-239-29.0.1.el8.aarch64.rpm | 3f1322f12c8c9d627d811e4880cacce5b200d05cdb1bc7e70001c829ca43396a | - | ol8_aarch64_u2_baseos_base | |
systemd-libs-239-29.0.1.el8.aarch64.rpm | 5f839a6c49c081f573efec5b686c1488d635fec9b261544a89264beab6333d30 | - | ol8_aarch64_baseos_latest | |
systemd-libs-239-29.0.1.el8.aarch64.rpm | 5f839a6c49c081f573efec5b686c1488d635fec9b261544a89264beab6333d30 | - | ol8_aarch64_u2_baseos_base | |
systemd-pam-239-29.0.1.el8.aarch64.rpm | f60d5f0bf83eaa90dc8f76678d4eb3bf82ac3e73571a1f2c11f0e0dbce2a5db4 | - | ol8_aarch64_baseos_latest | |
systemd-pam-239-29.0.1.el8.aarch64.rpm | f60d5f0bf83eaa90dc8f76678d4eb3bf82ac3e73571a1f2c11f0e0dbce2a5db4 | - | ol8_aarch64_u2_baseos_base | |
systemd-tests-239-29.0.1.el8.aarch64.rpm | 6eb2528e2fd4896da26342a8f57e5537cfc460b10b8aa1a5a4f75e1e5bfa0ce4 | - | ol8_aarch64_baseos_latest | |
systemd-tests-239-29.0.1.el8.aarch64.rpm | 6eb2528e2fd4896da26342a8f57e5537cfc460b10b8aa1a5a4f75e1e5bfa0ce4 | - | ol8_aarch64_u2_baseos_base | |
systemd-udev-239-29.0.1.el8.aarch64.rpm | c33b505d5db4ffdf1f20a1c502521f0f02cea967a4d6cab144bd2b877ea293be | - | ol8_aarch64_baseos_latest | |
systemd-udev-239-29.0.1.el8.aarch64.rpm | c33b505d5db4ffdf1f20a1c502521f0f02cea967a4d6cab144bd2b877ea293be | - | ol8_aarch64_u2_baseos_base | |
Oracle Linux 8 (x86_64) | systemd-239-29.0.1.el8.src.rpm | 7de9327d00025ab98ea79b6cac2c54979c89b42ab8ec6a46adb3f91206729489 | - | ol8_x86_64_baseos_latest |
systemd-239-29.0.1.el8.src.rpm | 7de9327d00025ab98ea79b6cac2c54979c89b42ab8ec6a46adb3f91206729489 | - | ol8_x86_64_u2_baseos_base | |
systemd-239-29.0.1.el8.i686.rpm | 034a0be0a07559c76eda8ff32c09f31ce2464648e2ad7525c428eebc21b3fd14 | - | ol8_x86_64_baseos_latest | |
systemd-239-29.0.1.el8.i686.rpm | 034a0be0a07559c76eda8ff32c09f31ce2464648e2ad7525c428eebc21b3fd14 | - | ol8_x86_64_u2_baseos_base | |
systemd-239-29.0.1.el8.x86_64.rpm | ab68cc71cb945351ef5010f40b63ed130d1a704e2629de8d693f6a5cb90b938d | - | ol8_x86_64_baseos_latest | |
systemd-239-29.0.1.el8.x86_64.rpm | ab68cc71cb945351ef5010f40b63ed130d1a704e2629de8d693f6a5cb90b938d | - | ol8_x86_64_u2_baseos_base | |
systemd-container-239-29.0.1.el8.i686.rpm | 5a4d41ac9c4719efee1950763fe5cbf7c91a97599ff61bb3211758372c5f9520 | - | ol8_x86_64_baseos_latest | |
systemd-container-239-29.0.1.el8.i686.rpm | 5a4d41ac9c4719efee1950763fe5cbf7c91a97599ff61bb3211758372c5f9520 | - | ol8_x86_64_u2_baseos_base | |
systemd-container-239-29.0.1.el8.x86_64.rpm | 3119a5b72cb06a29b04402c8447d308cfa12467aa9b9b3e3906cc0084cbdba7f | - | ol8_x86_64_baseos_latest | |
systemd-container-239-29.0.1.el8.x86_64.rpm | 3119a5b72cb06a29b04402c8447d308cfa12467aa9b9b3e3906cc0084cbdba7f | - | ol8_x86_64_u2_baseos_base | |
systemd-devel-239-29.0.1.el8.i686.rpm | 61331294e6adc5a620dbd5b725b0155b8ff94dde51dbba381bf0d434f30bd0d2 | - | ol8_x86_64_baseos_latest | |
systemd-devel-239-29.0.1.el8.i686.rpm | 61331294e6adc5a620dbd5b725b0155b8ff94dde51dbba381bf0d434f30bd0d2 | - | ol8_x86_64_u2_baseos_base | |
systemd-devel-239-29.0.1.el8.x86_64.rpm | 55d9e6c574e962877f5224165bc71fdd68cc2a75178fb53353330d8276ce7243 | - | ol8_x86_64_baseos_latest | |
systemd-devel-239-29.0.1.el8.x86_64.rpm | 55d9e6c574e962877f5224165bc71fdd68cc2a75178fb53353330d8276ce7243 | - | ol8_x86_64_u2_baseos_base | |
systemd-journal-remote-239-29.0.1.el8.x86_64.rpm | 4cfb4a8ce62126cc00f13add80f027f50ce920ed0dc81ebb454070c01fa1da12 | - | ol8_x86_64_baseos_latest | |
systemd-journal-remote-239-29.0.1.el8.x86_64.rpm | 4cfb4a8ce62126cc00f13add80f027f50ce920ed0dc81ebb454070c01fa1da12 | - | ol8_x86_64_u2_baseos_base | |
systemd-libs-239-29.0.1.el8.i686.rpm | 23539f1180043789ffafe2f84f13374442f8187d02a3f073af630d7e6d5f6752 | - | ol8_x86_64_baseos_latest | |
systemd-libs-239-29.0.1.el8.i686.rpm | 23539f1180043789ffafe2f84f13374442f8187d02a3f073af630d7e6d5f6752 | - | ol8_x86_64_u2_baseos_base | |
systemd-libs-239-29.0.1.el8.x86_64.rpm | 03e8a1ec0011579e276a8d14b0095f8987080e5cabdda374a61509a3fbeedf1d | - | ol8_x86_64_baseos_latest | |
systemd-libs-239-29.0.1.el8.x86_64.rpm | 03e8a1ec0011579e276a8d14b0095f8987080e5cabdda374a61509a3fbeedf1d | - | ol8_x86_64_u2_baseos_base | |
systemd-pam-239-29.0.1.el8.x86_64.rpm | c0f1f727976ee3e417fb4da6cf18f93b72bbaf4b82da52b59e9df3300dc04193 | - | ol8_x86_64_baseos_latest | |
systemd-pam-239-29.0.1.el8.x86_64.rpm | c0f1f727976ee3e417fb4da6cf18f93b72bbaf4b82da52b59e9df3300dc04193 | - | ol8_x86_64_u2_baseos_base | |
systemd-tests-239-29.0.1.el8.x86_64.rpm | c3f3ff1608baed2ff7f2a902c5ed7710f148e64b7f7561c278a82682f41e5e5d | - | ol8_x86_64_baseos_latest | |
systemd-tests-239-29.0.1.el8.x86_64.rpm | c3f3ff1608baed2ff7f2a902c5ed7710f148e64b7f7561c278a82682f41e5e5d | - | ol8_x86_64_u2_baseos_base | |
systemd-udev-239-29.0.1.el8.x86_64.rpm | c86ed1873184bbdfef17c5245b97ce6f93dc4e973f0e3fc1824102c58326e54e | - | ol8_x86_64_baseos_latest | |
systemd-udev-239-29.0.1.el8.x86_64.rpm | c86ed1873184bbdfef17c5245b97ce6f93dc4e973f0e3fc1824102c58326e54e | - | ol8_x86_64_u2_baseos_base |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team