Your message dated Tue, 29 Jan 2019 13:02:18 +0000
with message-id <e1got1u-000azs...@fasolo.debian.org>
and subject line Bug#918841: fixed in systemd 232-25+deb9u7
has caused the Debian Bug report #918841,
regarding CVE's for systemd vulnerabilities CVE-2018-16864, CVE-2018-16865 and
CVE-2018-16866
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
918841: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918841
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: systemd
Version: 240-3
Severity: normal
Dear all,
Saw this on zdnet today -
https://www.zdnet.com/article/new-linux-systemd-security-holes-uncovered/
I did the cursory thing of seeing maybe if the CVE's had been
mentioned in the changelog -
/usr/share/doc/systemd$ zless changelog.Debian.gz | grep CVE
(CVE-2018-15686, Closes: #912005)
(CVE-2018-15688, LP: #1795921, Closes: #912008)
(CVE-2018-15687, LP: #1796692, Closes: #912007)
non-terminal path components. (CVE-2018-6954, Closes: #890779)
(CVE-2017-15908, Closes: #880026, LP: #1725351)
CVE-2017-9445 (Closes: #866147, LP: #1695546)
Fixes: CVE-2017-9217 (Closes: #863277)
by avoiding a race condition in scraping /proc (CVE-2013-4327).
Fixes CVE-2012-1174, closes: #664364
- Fixes local DoS (CVE-2012-1101). Closes: #662029
I did also look at systemd --version if GCC's -fstack-clash-protection
is mentioned therein in the version command but couldn't find it.
It is very much possible that you may be working on it, in any case,
look forward to the fixes.
-- Package-specific info:
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable-debug'), (500,
'testing-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1,
'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages systemd depends on:
ii adduser 3.118
ii libacl1 2.2.52-3+b1
ii libapparmor1 2.13.2-3
ii libaudit1 1:2.8.4-2
ii libblkid1 2.33-0.2
ii libc6 2.28-2
ii libcap2 1:2.25-1.2
ii libcryptsetup12 2:2.0.6-1
ii libgcrypt20 1.8.4-4
ii libgnutls30 3.6.5-2
ii libgpg-error0 1.33-3
ii libidn11 1.33-2.2
ii libip4tc0 1.8.2-3
ii libkmod2 25-2
ii liblz4-1 1.8.3-1
ii liblzma5 5.2.2-1.3
ii libmount1 2.33-0.2
ii libpam0g 1.1.8-3.8
ii libseccomp2 2.3.3-3
ii libselinux1 2.8-1+b1
ii libsystemd0 240-3
ii mount 2.33-0.2
ii util-linux 2.33-0.2
Versions of packages systemd recommends:
ii dbus 1.12.12-1
ii libpam-systemd 240-3
Versions of packages systemd suggests:
ii policykit-1 0.105-23
pn systemd-container <none>
Versions of packages systemd is related to:
pn dracut <none>
ii initramfs-tools 0.132
ii udev 240-2
-- no debconf information
--
Regards,
Shirish Agarwal शिरीष अग्रवाल
My quotes in this email licensed under CC 3.0
http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com
EB80 462B 08E1 A0DE A73A 2C2F 9F3D C7A4 E1C4 D2D8
--- End Message ---
--- Begin Message ---
Source: systemd
Source-Version: 232-25+deb9u7
We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 918...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated systemd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 12 Jan 2019 09:38:38 +0100
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote
systemd-coredump libpam-systemd libnss-myhostname libnss-mymachines
libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1
libudev-dev udev-udeb libudev1-udeb
Architecture: source
Version: 232-25+deb9u7
Distribution: stretch-security
Urgency: high
Maintainer: Debian systemd Maintainers
<pkg-systemd-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 918841 918848
Description:
libnss-myhostname - nss module providing fallback resolution for the current
hostname
libnss-mymachines - nss module to resolve hostnames for local container
instances
libnss-resolve - nss module to resolve names via systemd-resolved
libnss-systemd - nss module providing dynamic user and group name resolution
libpam-systemd - system and service manager - PAM module
libsystemd-dev - systemd utility library - development files
libsystemd0 - systemd utility library
libudev-dev - libudev development files
libudev1 - libudev shared library
libudev1-udeb - libudev shared library (udeb)
systemd - system and service manager
systemd-container - systemd container/nspawn tools
systemd-coredump - tools for storing and retrieving coredumps
systemd-journal-remote - tools for sending and receiving remote journal logs
systemd-sysv - system and service manager - SysV links
udev - /dev/ and hotplug management daemon
udev-udeb - /dev/ and hotplug management daemon (udeb)
Changes:
systemd (232-25+deb9u7) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* journald: do not store the iovec entry for process commandline on stack
(CVE-2018-16864) (Closes: #918841)
* journald: set a limit on the number of fields (1k) (CVE-2018-16865)
(Closes: #918848)
* journal-remote: set a limit on the number of fields in a message
(CVE-2018-16865) (Closes: #918848)
* journal: fix syslog_parse_identifier() (CVE-2018-16866)
* journal: do not remove multiple spaces after identifier in syslog message
(CVE-2018-16866)
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---