Univention Bugzilla – Bug 46134
systemd: multiple issues (4.2)
Last modified: 2018-05-08 14:56:43 CEST
systemd (215-17+deb8u6) stable; urgency=medium
CVE-2016-7796 systemd: freeze when PID 1 receives a zero-length message over notify socket
r17986 | Bug #46134: systemd-215-17+deb8u6 FTBFS
Mass-import from Debian-Security:
python -m univention.repong.^Cbmirror -s jessie -r 4.2-3 --override=$HOME/REPOS/repo-ng/mirror/update_ucs42_mirror_from_debian.yml --errata=doc/errata --sql --process=ALL -vvvv --now=201801211553
@@ -1,7 +1,64 @@
-215-17+deb8u5A~126.96.36.199701111554 [Wed, 11 Jan 2017 15:54:12 +0100] Univention builddaemon <email@example.com>:
+215-17+deb8u7A~188.8.131.52801211553 [Wed, 24 Jan 2018 17:55:06 +0100] Univention builddaemon <firstname.lastname@example.org>:
* UCS auto build. The following patches have been applied to the original source package
+215-17+deb8u7 [Fri, 10 Mar 2017 06:02:49 +0100] Michael Biebl <email@example.com>:
+ * bus: Fix bus_print_property() to use "int" for booleans.
+ This fixes the problem that on big endian architectures, like mips or
+ powerpc, boolean properties that were retrieved via sd-bus were always
+ set to 0 (no). (Closes: #774430)
+ * systemctl: Add is-enabled support for SysV init scripts.
+ The update-rc.d utility does not provide is-enabled, so implement it
+ ourselves in systemctl using the same logic as systemd-sysv-install from
+ Stretch. (Closes: #809405)
+ * core: If the start command vanishes during runtime don't hit an assert.
+ This can happen when the configuration is changed and reloaded while we
+ are executing a service. Let's not hit an assert in this case.
+ (Closes: #856985)
+ * automount: If an automount unit is masked, don't react to activation
+ Otherwise we'll hit an assert sooner or later. (Closes: #856035)
+215-17+deb8u6 [Wed, 21 Dec 2016 21:33:51 +0100] Michael Biebl <firstname.lastname@example.org>:
+ [ Michael Biebl ]
+ * Don't return any error in manager_dispatch_notify_fd().
+ If manager_dispatch_notify_fd() fails and returns an error then the
+ handling of service notifications will be disabled entirely leading to a
+ compromised system.
+ For example pid1 won't be able to receive the WATCHDOG messages anymore
+ and will kill all services supposed to send such messages. (CVE-2016-7796)
+ (Closes: #839607)
+ * core: Rework logic to determine when we decide to add automatic deps for
+ This adds a concept of "extrinsic" mounts. If mounts are extrinsic we
+ consider them managed by something else and do not add automatic ordering
+ against umount.target, local-fs.target, remote-fs.target.
+ Extrinsic mounts include API mounts such as everything below /proc, /sys,
+ /dev. This avoids a crash in LXC containers where /dev/urandom is a bind
+ mount from the host system and unmounting it leads to an assert in
+ systemd. (Closes: #818978)
+ * Various ordering fixes for ifupdown.
+ Run ifup after all kernel modules have been loaded and all sysctl settings
+ are applied. Update ifup@.service to add missing After= for the device
+ unit we bind to. This ensures that the device unit is active when systemd
+ tries to start the service. (Closes: #819314)
+ * systemctl: Fix argument handling when invoked as shutdown.
+ (Closes: #776997)
+ [ Simon McVittie ]
+ * localed: tolerate absence of /etc/default/keyboard.
+ The debian-specific patch to read Debian config files was not tolerating
+ the absence of /etc/default/keyboard. This causes systemd-localed to fail
+ to start on systems where that file isn't populated (like embedded systems
+ without keyboards). (Closes: #833849)
+ [ Martin Pitt ]
+ * systemctl, loginctl, etc.: Don't start polkit agent when running as root.
+ (Closes: #774153, LP: #1565617)
215-17+deb8u5 [Sun, 24 Jul 2016 18:55:54 +0200] Michael Biebl <email@example.com>:
* All UCS specific patches applied during rebuilt
* New patch 4.2-0-0-ucs/215-17+deb8u7-errata4.2-3/15-fix-mtd_probe-h.quilt
just adding stdint.h include
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory Ok