ELSA-2020-1794

ELSA-2020-1794 - systemd security, bug fix, and enhancement update

Type:SECURITY
Severity:MODERATE
Release Date:2020-05-05

Description


[239-29.0.1.el8]
- fix to enable systemd-pstore.service [Orabug: 30951066]
- journal: change support URL shown in the catalog entries [Orabug: 30853009]
- fix to generate systemd-pstore.service file [Orabug: 30230056]
- fix _netdev is missing for iscsi entry in /etc/fstab (tony.l.lam@oracle.com) [Orabug: 25897792]
- set 'RemoveIPC=no' in logind.conf as default for OL7.2 [Orabug: 22224874]
- allow dm remove ioctl to co-operate with UEK3 (Vaughan Cao) [Orabug: 18467469]
- add hv dynamic memory support (Jerry Snitselaar) [Orabug: 18621475]
- Backport upstream patches for the new systemd-pstore tool (Eric DeVolder) [OraBug: 30230056]

[239-29]
- cryptsetup: Treat key file errors as a failed password attempt (#1763155)

[239-28]
- pid1: fix DefaultTasksMax initialization (#1809037)
- cgroup: make sure that cpuset is supported on cgroup v2 and disabled with v1 (#1808940)
- test: introduce TEST-36-NUMAPOLICY (#1808940)
- test: replace tail -f with journal cursor which should be more reliable (#1808940)
- test: support MPOL_LOCAL matching in unpatched strace versions (#1808940)
- test: make sure the strace process is indeed dead (#1808940)
- test: skip the test on systems without NUMA support (#1808940)
- test: give strace some time to initialize (#1808940)
- test: add a simple sanity check for systems without NUMA support (#1808940)
- test: drop the missed || exit 1 expression (#1808940)
- test: replace cursor file with a plain cursor (#1808940)

[239-27]
- cgroup: introduce support for cgroup v2 CPUSET controller (#1724617)

[239-26]
- seccomp: introduce seccomp_restrict_suid_sgid() for blocking chmod() for suid/sgid files (#1687512)
- test: add test case for restrict_suid_sgid() (#1687512)
- core: expose SUID/SGID restriction as new unit setting RestrictSUIDSGID= (#1687512)
- analyze: check for RestrictSUIDSGID= in 'systemd-analyze security' (#1687512)
- man: document the new RestrictSUIDSGID= setting (#1687512)
- units: turn on RestrictSUIDSGID= in most of our long-running daemons (#1687512)
- core: imply NNP and SUID/SGID restriction for DynamicUser=yes service (#1687512)

[239-25]
- sd-bus: use 'queue' message references for managing r/w message queues in connection objects (CVE-2020-1712)
- pid1: make sure to restore correct default values for some rlimits (#1789930)
- main: introduce a define HIGH_RLIMIT_MEMLOCK similar to HIGH_RLIMIT_NOFILE (#1789930)

[239-24]
- rules: reintroduce 60-alias-kmsg.rules (#1739353)
- sd-bus: make rqueue/wqueue sizes of type size_t (CVE-2020-1712)
- sd-bus: reorder bus ref and bus message ref handling (CVE-2020-1712)
- sd-bus: make sure dispatch_rqueue() initializes return parameter on all types of success (CVE-2020-1712)
- sd-bus: drop two inappropriate empty lines (CVE-2020-1712)
- sd-bus: initialize mutex after we allocated the wqueue (CVE-2020-1712)
- sd-bus: always go through sd_bus_unref() to free messages (CVE-2020-1712)
- bus-message: introduce two kinds of references to bus messages (CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages (CVE-2020-1712)
- sd-event: add sd_event_source_disable_unref() helper (CVE-2020-1712)
- polkit: when authorizing via PK lets re-resolve callback/userdata instead of caching it (CVE-2020-1712)
- sysctl: lets by default increase the numeric PID range from 2^16 to 2^22 (#1744214)
- journal: do not trigger assertion when journal_file_close() get NULL (#1788085)
- journal: use cleanup attribute at one more place (#1788085)

[239-23]
- catalog: fix name of variable (#1677768)
- cryptsetup: add keyfile-timeout to allow a keydev timeout and allow to fallback to a password if it fails. (#1763155)
- cryptsetup: add documentation for keyfile-timeout (#1763155)
- cryptsetup: use unabbrieviated variable names (#1763155)
- cryptsetup: dont assert on variable which is optional (#1763155)
- cryptsetup-generator: guess whether the keyfile argument is two items or one (#1763155)
- crypt-util: Translate libcryptsetup log level instead of using log_debug() (#1776408)
- cryptsetup: add some commenting about EAGAIN generation (#1776408)
- cryptsetup: downgrade a log message we ignore (#1776408)
- cryptsetup: rework how we log about activation failures (#1776408)

[239-22]
- spec: dont ship /var/log/README
- spec: provide systemd-rpm-macros

[239-21]
- test-cpu-set-util: fix comparison for allocation size (#1734787)
- test-cpu-set-util: fix allocation size check on i386 (#1734787)

[239-20]
- journal: rely on _cleanup_free_ to free a temporary string used in client_context_read_cgroup (#1764560)
- basic/user-util: allow dots in user names (#1717603)
- sd-bus: bump message queue size again (#1770189)
- tests: put fuzz_journald_processing_function in a .c file (#1764560)
- tests: add a fuzzer for dev_kmsg_record (#1764560)
- basic: remove an assertion from cunescape_one (#1764560)
- journal: fix an off-by-one error in dev_kmsg_record (#1764560)
- tests: add a reproducer for a memory leak fixed in 30eddcd51b8a472e05d3b8d1 in August (#1764560)
- tests: add a reproducer for a heap-buffer-overflow fixed in 937b1171378bc1000a (#1764560)
- test: initialize syslog_fd in fuzz-journald-kmsg too (#1764560)
- tests: add a fuzzer for process_audit_string (#1764560)
- journald: check whether sscanf has changed the value corresponding to %n (#1764560)
- tests: introduce dummy_server_init and use it in all journald fuzzers (#1764560)
- tests: add a fuzzer for journald streams (#1764560)
- tests: add a fuzzer for server_process_native_file (#1764560)
- fuzz-journal-stream: avoid assertion failure on samples which dont fit in pipe (#1764560)
- journald: take leading spaces into account in syslog_parse_identifier (#1764560)
- Add a warning about the difference in permissions between existing directories and unit settings. (#1778384)
- execute: remove one redundant comparison check (#1778384)
- core: change ownership/mode of the execution directories also for static users (#1778384)
- core/dbus-execute: remove unnecessary initialization (#1734787)
- shared/cpu-set-util: move the part to print cpu-set into a separate function (#1734787)
- shared/cpu-set-util: remove now-unused CPU_SIZE_TO_NUM() (#1734787)
- Rework cpu affinity parsing (#1734787)
- Move cpus_in_affinity_mask() to cpu-set-util.[ch] (#1734787)
- test-cpu-set-util: add simple test for cpus_in_affinity_mask() (#1734787)
- test-cpu-set-util: add a smoke test for test_parse_cpu_set_extend() (#1734787)
- pid1: parse CPUAffinity= in incremental fashion (#1734787)
- pid1: dont reset setting from /proc/cmdline upon restart (#1734787)
- pid1: when reloading configuration, forget old settings (#1734787)
- test-execute: use CPUSet too (#1734787)
- shared/cpu-set-util: drop now-unused cleanup function (#1734787)
- shared/cpu-set-util: make transfer of cpu_set_t over bus endian safe (#1734787)
- test-cpu-set-util: add test for dbus conversions (#1734787)
- shared/cpu-set-util: introduce cpu_set_to_range() (#1734787)
- systemctl: present CPUAffinity mask as a list of CPU index ranges (#1734787)
- shared/cpu-set-util: only force range printing one time (#1734787)
- execute: dump CPUAffinity as a range string instead of a list of CPUs (#1734787)
- cpu-set-util: use %d-%d format in cpu_set_to_range_string() only for actual ranges (#1734787)
- core: introduce NUMAPolicy and NUMAMask options (#1734787)
- core: disable CPUAccounting by default (#1734787)
- set kptr_restrict=1 (#1689346)
- cryptsetup: reduce the chance that we will be OOM killed (#1696602)
- core, job: fix breakage of ordering dependencies by systemctl reload command (#1766417)
- debug-generator: enable custom systemd.debug_shell tty (#1723722)

[239-19]
- core: never propagate reload failure to service result (#1735787)
- man: document systemd-analyze security (#1750343)
- man: reorder and add examples to systemd-analyze(1) (#1750343)
- travis: move to CentOS 8 docker images (#1761519)
- travis: drop SCL remains (#1761519)
- syslog: fix segfault in syslog_parse_priority() (#1761519)
- sd-bus: make strict asan shut up (#1761519)
- travis: dont run slow tests under ASan/UBSan (#1761519)
- kernel-install: do not require non-empty kernel cmdline (#1701454)
- ask-password: prevent buffer overrow when reading from keyring (#1752050)
- core: try to reopen /dev/kmsg again right after mounting /dev (#1749212)
- buildsys: dont garbage collect sections while linking (#1748258)
- udev: introduce CONST key name (#1762679)
- Call getgroups() to know size of supplementary groups array to allocate (#1743230256 KB
- Consider smb3 as remote filesystem (#1757257)
- process-util: introduce pid_is_my_child() helper (#1744972)
- core: reduce the number of stalled PIDs from the watched processes list when possible (#1744972)
- core: only watch processes when its really necessary (#1744972)
- core: implement per unit journal rate limiting (#1719577)
- path: stop watching path specs once we triggered the target unit (#1763161)
- journald: fixed assertion failure when system journal rotation fails (#9893) (#1763619)
- test: use PBKDF2 instead of Argon2 in cryptsetup... (#1761519)
- test: mask several unnecessary services (#1761519)
- test: bump the second partitions size to 50M (#1761519)
- shared/sleep-config: exclude zram devices from hibernation candidates (#1763617)
- selinux: dont log SELINUX_INFO and SELINUX_WARNING messages to audit (#1763612)
- sd-device: introduce log_device_*() macros (#1753369)
- udev: Add id program and rule for FIDO security tokens (#1753369)
- shared/but-util: drop trusted annotation from bus_open_system_watch_bind_with_description() (#1746857)
- sd-bus: adjust indentation of comments (#1746857)
- resolved: do not run loop twice (#1746857)
- resolved: allow access to Set*Link and Revert methods through polkit (#1746857)
- resolved: query polkit only after parsing the data (#1746857)


Related CVEs


CVE-2019-3843
CVE-2019-3844

Updated Packages


Release/ArchitectureFilenameMD5sumSuperseded By Advisory
Oracle Linux 8 (aarch64) systemd-239-29.0.1.el8.src.rpmd8d3d1c1ddd2c80cce6f4a37b31450e3-
systemd-239-29.0.1.el8.aarch64.rpm8eb05b26c66b06b3b4ce84a860b51f0b-
systemd-container-239-29.0.1.el8.aarch64.rpmff5bdccedb6f789732129ff948912ae1-
systemd-devel-239-29.0.1.el8.aarch64.rpm366904258072c2ef13fa268d831afcdb-
systemd-journal-remote-239-29.0.1.el8.aarch64.rpm909f3b8777f5d3c0523d9deb14589837-
systemd-libs-239-29.0.1.el8.aarch64.rpm5fe6eacb2fd4a0650bdb1bbb6494dec6-
systemd-pam-239-29.0.1.el8.aarch64.rpm82e16a9e12989bd5e0ad86c43fb25076-
systemd-tests-239-29.0.1.el8.aarch64.rpmf7d944a6307b20f911b369a36f301d28-
systemd-udev-239-29.0.1.el8.aarch64.rpmbf8910918afa7ce505019199875acc4e-
Oracle Linux 8 (x86_64) systemd-239-29.0.1.el8.src.rpmd8d3d1c1ddd2c80cce6f4a37b31450e3-
systemd-239-29.0.1.el8.i686.rpma2c4a2db2e734503100f246823b29fdd-
systemd-239-29.0.1.el8.x86_64.rpm4e517027f67e1b6196001ed6a49648f0-
systemd-container-239-29.0.1.el8.i686.rpm008975b8c46ffc0b58ff18e6811a37be-
systemd-container-239-29.0.1.el8.x86_64.rpm7624469e5212385a0442ad55171e2a5d-
systemd-devel-239-29.0.1.el8.i686.rpmf8c580253e7aef8e7e231f77428fc173-
systemd-devel-239-29.0.1.el8.x86_64.rpmb410c3f456ebe882c3381083fd014e2f-
systemd-journal-remote-239-29.0.1.el8.x86_64.rpm711e9a376569441da277b188157fa071-
systemd-libs-239-29.0.1.el8.i686.rpm7eb66ce48d32e0e1f06f7d4146410dd0-
systemd-libs-239-29.0.1.el8.x86_64.rpmb71ddfd02575efb05504affaffa3a305-
systemd-pam-239-29.0.1.el8.x86_64.rpmf0a99e89df4c4795557ce1c2e6ea5f9c-
systemd-tests-239-29.0.1.el8.x86_64.rpmc14bcc8595aa117838fb7406c11d832e-
systemd-udev-239-29.0.1.el8.x86_64.rpm0dc3295d9136d3dd68882e72202c728e-



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete