Hi, (Replying from a d-i point of view.)
Michael Biebl <bi...@debian.org> (2019-03-10): > I'd like to make a stable upload for systemd, fixing 5 separate issues. > Two of them have a CVE. > > The changelog is > > systemd (232-25+deb9u10) stretch; urgency=medium > > * journald: fix assertion failure on journal_file_link_data (Closes: > #916880) > > https://salsa.debian.org/systemd-team/systemd/commit/67a3135d9c9b66b64544dd96a6741a86058ba7a8 > > * tmpfiles: fix "e" to support shell style globs (Closes: #918400) > > https://salsa.debian.org/systemd-team/systemd/commit/a1f9aa01624edc01bbbf50203fd35dd261d7480f > > * mount-util: accept that name_to_handle_at() might fail with EPERM. > Container managers frequently block name_to_handle_at(), returning > EACCES or EPERM when this is issued. Accept that, and simply fall back > to fdinfo-based checks. (Closes: #917122) > > https://salsa.debian.org/systemd-team/systemd/commit/169eb2b486b832ef88746e9d25c4b181cabac5c2 > > * automount: ack automount requests even when already mounted. > Fixes a race condition in systemd which could result in automount requests > not being serviced and processes using them to hang, causing denial of > service. (CVE-2018-1049) > > https://salsa.debian.org/systemd-team/systemd/commit/2cae426a3e753f74ec8e829217dc9090abcfcf4d > > * core: when deserializing state always use read_line(…, LONG_LINE_MAX, …) > Fixes improper serialization on upgrade which can influence systemd > execution environment and lead to root privilege escalation. > (CVE-2018-15686, Closes: #912005) > > https://salsa.debian.org/systemd-team/systemd/commit/82a114295a4ef123925d02081255fe88bec4867c As usual, thanks for the detailed changelog and pointers! > The fix for CVE-2018-15686/#912005 is the most invasive one. I based > it partially on what was uploaded to old-stable by the debian-lts > team. With this patch applied, the demo exploit from [1] no longer > causes systemctl stop to hang. That said, I would appreciate a second > pair of eyes to look over the patch. > > As usual, KiBi is in CC as we build a udeb. Though the code changes > above should not affect udev. Right, I don't see how anything could affect d-i in any way. Release team, please considered this ACKed for d-i. I'll have to perform some runtime tests when the newer kernel gets considered anyway, so I'll have some opportunity to spot a potential systemd regression… Cheers, -- Cyril Brulebois (k...@debian.org) <https://debamax.com/> D-I release manager -- Release team member -- Freelance Consultant
signature.asc
Description: PGP signature
