ELSA-2020-4553

ELSA-2020-4553 - systemd security, bug fix, and enhancement update

Type: SECURITY
Severity: LOW
Release Date: 2020-11-10

Description


[239-40.0.1]
- backport upstream pstore tmpfiles patch [Orabug: 31420486]
- udev rules: fix memory hot add and remove [Orabug: 31310273]
- fix to enable systemd-pstore.service [Orabug: 30951066]
- journal: change support URL shown in the catalog entries [Orabug: 30853009]
- fix to generate systemd-pstore.service file [Orabug: 30230056]
- fix _netdev is missing for iscsi entry in /etc/fstab (tony.l.lam@oracle.com) [Orabug: 25897792]
- set 'RemoveIPC=no' in logind.conf as default for OL7.2 [Orabug: 22224874]
- allow dm remove ioctl to co-operate with UEK3 (Vaughan Cao) [Orabug: 18467469]
- add hv dynamic memory support (Jerry Snitselaar) [Orabug: 18621475]
- Backport upstream patches for the new systemd-pstore tool (Eric DeVolder) [OraBug: 30230056]

[239-40]
- units: add generic boot-complete.target (#1872243)
- man: document new 'boot-complete.target' unit (#1872243)
- core: make sure to restore the control command id, too (#1829867)

[239-39]
- device: make sure we emit PropertiesChanged signal once we set sysfs (#1793533)
- device: don't emit PropertiesChanged needlessly (#1793533)

[239-38]
- spec: fix rpm verification (#1702300)

[239-37]
- spec: don't package /etc/systemd/system/dbus-org.freedesktop.resolve1.service (#1844465)

[239-36]
- core: don't consider SERVICE_SKIP_CONDITION for abnormal or failure restarts (#1737283)
- selinux: do preprocessor check only in selinux-access.c (#1830861)
- basic/cgroup-util: introduce cg_get_keyed_attribute_full() (#1830861)
- shared: add generic logic for waiting for a unit to enter some state (#1830861)
- shared: fix assert call (#1830861)
- shared: Don't try calling NULL callback in bus_wait_for_units_clear (#1830861)
- shared: add NULL callback check in one more place (#1830861)
- core: introduce support for cgroup freezer (#1830861)
- core/cgroup: fix return value of unit_cgorup_freezer_action() (#1830861)
- core: fix the return value in order to make sure we don't dispatch method return too early (#1830861)
- test: add test for cgroup v2 freezer support (#1830861)
- fix mis-merge (#1848421)
- tests: sleep a bit and give kernel time to perform the action after manual freeze/thaw (#1848421)

[239-35]
- spec: fix rpm verification (#1702300)

[239-34]
- spec: fix rpm verification (#1702300)

[239-33]
- tmpfiles: fix crash with NULL in arg_root and other fixes and tests (#1836024)
- sulogin-shell: Use force if SYSTEMD_SULOGIN_FORCE set (#1625929)
- resolvconf: fixes for the compatibility interface (#1835594)
- mount: don't add Requires for tmp.mount (#1748840)
- core: coldplug possible nop_job (#1829798)
- core: add IODeviceLatencyTargetSec (#1831519)
- time-util: Introduce parse_sec_def_infinity (#1770379)
- cgroup: use structured initialization (#1770379)
- core: add CPUQuotaPeriodSec= (#1770379)
- core: downgrade CPUQuotaPeriodSec= clamping logs to debug (#1770379)
- sd-bus: avoid magic number in SASL length calculation (#1838081)
- sd-bus: fix SASL reply to empty AUTH (#1838081)
- sd-bus: skip sending formatted UIDs via SASL (#1838081)
- core: add MemoryMin (#1763435)
- core: introduce cgroup_add_device_allow() (#1763435)
- test: remove support for suffix in get_testdata_dir() (#1763435)
- cgroup: Implement default propagation of MemoryLow with DefaultMemoryLow (#1763435)
- cgroup: Create UNIT_DEFINE_ANCESTOR_MEMORY_LOOKUP (#1763435)
- unit: Add DefaultMemoryMin (#1763435)
- cgroup: Polish hierarchically aware protection docs a bit (#1763435)
- cgroup: Readd some plumbing for DefaultMemoryMin (#1763435)
- cgroup: Support 0-value for memory protection directives (#1763435)
- cgroup: Test that it's possible to set memory protection to 0 again (#1763435)
- cgroup: Check ancestor memory min for unified memory config (#1763435)
- cgroup: Respect DefaultMemoryMin when setting memory.min (#1763435)
- cgroup: Mark memory protections as explicitly set in transient units (#1763435)
- meson: allow setting the version string during configuration (#1804252)

[239-32]
- pid1: fix DefaultTasksMax initialization (#1809037)
- cgroup: make sure that cpuset is supported on cgroup v2 and disabled with v1 (#1808940)
- test: introduce TEST-36-NUMAPOLICY (#1808940)
- test: replace 'tail -f' with journal cursor which should be... (#1808940)
- test: support MPOL_LOCAL matching in unpatched strace versions (#1808940)
- test: make sure the strace process is indeed dead (#1808940)
- test: skip the test on systems without NUMA support (#1808940)
- test: give strace some time to initialize (#1808940)
- test: add a simple sanity check for systems without NUMA support (#1808940)
- test: drop the missed || exit 1 expression (#1808940)
- test: replace cursor file with a plain cursor (#1808940)
- cryptsetup: Treat key file errors as a failed password attempt (#1763155)
- swap: finish the secondary swap units' jobs if deactivation of the primary swap unit fails (#1749622)
- resolved: Recover missing PrivateTmp=yes and ProtectSystem=strict (#1810869)
- bus_open leak sd_event_source when udevadm trigger (#1798504)
- core: rework StopWhenUnneeded= logic (#1798046)
- pid1: fix the names of AllowedCPUs= and AllowedMemoryNodes= (#1818054)
- core: fix re-realization of cgroup siblings (#1818054)
- basic: use comma as separator in cpuset cgroup cpu ranges (#1818054)
- core: transition to FINAL_SIGTERM state after ExecStopPost= (#1766479)
- sd-journal: close journal files that were deleted by journald before we've setup inotify watch (#1796128)
- sd-journal: remove the dead code and actually fix #14695 (#1796128)
- udev: downgrade message when we fail to set inotify watch up (#1808051)
- logind: check PolicyKit before allowing VT switch (#1797679)
- test: do not use global variable to pass error (#1823767)
- test: install libraries required by tests (#1823767)
- test: introduce install_zoneinfo() (#1823767)
- test: replace duplicated Makefile by symbolic link (#1823767)
- test: add paths of keymaps in install_keymaps() (#1823767)
- test: make install_keymaps() optionally install more keymaps (#1823767)
- test-fs-util: skip some tests when running in unprivileged container (#1823767)
- test-process-util: skip several verifications when running in unprivileged container (#1823767)
- test-execute: also check python3 is installed or not (#1823767)
- test-execute: skip several tests when running in container (#1823767)
- test: introduce test_is_running_from_builddir() (#1823767)
- test: make test-catalog relocatable (#1823767)
- test: parallelize tasks in TEST-24-UNIT-TESTS (#1823767)
- test: try to determine QEMU_SMP dynamically (#1823767)
- test: store coredumps in journal (#1823767)
- pid1: add new kernel cmdline arg systemd.cpu_affinity= (#1812894)
- udev-rules: make tape-changers also appear in /dev/tape/by-path/ (#1820112)
- man: be clearer that .timer time expressions need to be reset to override them (#1816908)
- Add support for opening files for appending (#1809175)
- nspawn: move payload to sub-cgroup first, then sync cgroup trees (#1837094)
- core: move unit_status_emit_starting_stopping_reloading() and related calls to job.c (#1737283)
- job: when a job was skipped due to a failed condition, log about it (#1737283)
- core: split out all logic that updates a Job on a unit's unit_notify() invocation (#1737283)
- core: make log messages about units entering a 'failed' state recognizable (#1737283)
- core: log a recognizable message when a unit succeeds, too (#1737283)
- tests: always use the right vtable wrapper calls (#1737283)
- test-execute: allow filtering test cases by pattern (#1737283)
- test-execute: provide custom failure message (#1737283)
- core: ExecCondition= for services (#1737283)
- Drop support for lz4 < 1.3.0 (#1843871)
- test-compress: add test for short decompress_startswith calls (#1843871)
- journal: adapt for new improved LZ4_decompress_safe_partial() (#1843871)
- fuzz-compress: add fuzzer for compression and decompression (#1843871)
- seccomp: fix __NR__sysctl usage (#1843871)


Related CVEs


CVE-2019-20386

Updated Packages


Release/Architecture      Filename                                           MD5sum                            Superseded By Advisory
Oracle Linux 8 (aarch64)  systemd-239-40.0.1.el8.src.rpm                     cb479700313f9894e177477b8ca6935b  -
                          systemd-239-40.0.1.el8.aarch64.rpm                 516aabf189670c4ca0fbe5fb94a7a6aa  -
                          systemd-container-239-40.0.1.el8.aarch64.rpm       e7d3208e6abc5c81beb390781b329595  -
                          systemd-devel-239-40.0.1.el8.aarch64.rpm           ae06d28c2843f25b9ce848179991f001  -
                          systemd-journal-remote-239-40.0.1.el8.aarch64.rpm  ce739d00a8557131abc4cbd1ee0e4fad  -
                          systemd-libs-239-40.0.1.el8.aarch64.rpm            1fe1b71d2f5417cb6339af983ae3c4cd  -
                          systemd-pam-239-40.0.1.el8.aarch64.rpm             54b104548d3f93a3eafe9998c2d68e9e  -
                          systemd-tests-239-40.0.1.el8.aarch64.rpm           6a1be47702c8c323a60e3501f51bde17  -
                          systemd-udev-239-40.0.1.el8.aarch64.rpm            423d4fd43df07ee134c9ec72b97fb0ce  -
Oracle Linux 8 (x86_64)   systemd-239-40.0.1.el8.src.rpm                     cb479700313f9894e177477b8ca6935b  -
                          systemd-239-40.0.1.el8.i686.rpm                    4b26cc90722b226288ca1823c96a08d9  -
                          systemd-239-40.0.1.el8.x86_64.rpm                  9131d6255669d2c324ab64cd877cce4e  -
                          systemd-container-239-40.0.1.el8.i686.rpm          fc860e5758c35eb8c03f1f7224414716  -
                          systemd-container-239-40.0.1.el8.x86_64.rpm        4deb0c723008f78f11b4c872fa975c89  -
                          systemd-devel-239-40.0.1.el8.i686.rpm              95b6c5a330a2b2a69c891e1ef23512f1  -
                          systemd-devel-239-40.0.1.el8.x86_64.rpm            76997073617252d0e570193517364135  -
                          systemd-journal-remote-239-40.0.1.el8.x86_64.rpm   2b2752edfa9375cfe4f555561634d84b  -
                          systemd-libs-239-40.0.1.el8.i686.rpm               4c1de7b81a71ac3c333568c4f479ea5d  -
                          systemd-libs-239-40.0.1.el8.x86_64.rpm             83eaa634f9c416ae9661c0519a47f756  -
                          systemd-pam-239-40.0.1.el8.x86_64.rpm              7b6829120939fa01db0543f0f9f41896  -
                          systemd-tests-239-40.0.1.el8.x86_64.rpm            1070449079783ffb657573fdadf92d51  -
                          systemd-udev-239-40.0.1.el8.x86_64.rpm             afe5878b60b3b2e6818bba68e184a1d9  -



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team.