Bug 46134 - systemd: multiple issues (4.2)
systemd: multiple issues (4.2)
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-3-errata
Assigned To: Philipp Hahn
Arvid Requate
Depends on:
  Show dependency treegraph
Reported: 2018-01-24 17:52 CET by Philipp Hahn
Modified: 2018-05-08 14:56 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 6.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)


Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2018-01-24 17:52:22 CET
systemd (215-17+deb8u6) stable; urgency=medium

CVE-2016-7796 systemd: freeze when PID 1 receives a zero-length message over notify socket
Comment 1 Philipp Hahn univentionstaff 2018-01-24 18:35:03 CET
r17986 | Bug #46134: systemd-215-17+deb8u6 FTBFS

Package: systemd
Version: 215-17+deb8u7A~
Branch: ucs_4.2-0
Scope: errata4.2-3
Comment 2 Philipp Hahn univentionstaff 2018-01-25 10:59:29 CET
Mass-import from Debian-Security:
  python -m univention.repong.^Cbmirror -s jessie -r 4.2-3 --override=$HOME/REPOS/repo-ng/mirror/update_ucs42_mirror_from_debian.yml --errata=doc/errata --sql --process=ALL -vvvv --now=201801211553

YAML: git:bd6159834a..449aa5a7cf
Comment 3 Quality Assurance univentionstaff 2018-05-04 16:55:39 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/systemd_215-17+deb8u5A~
+++ apt/ucs_4.2-0-errata4.2-3/source/systemd_215-17+deb8u7A~
@@ -1,7 +1,64 @@
-215-17+deb8u5A~ [Wed, 11 Jan 2017 15:54:12 +0100] Univention builddaemon <buildd@univention.de>:
+215-17+deb8u7A~ [Wed, 24 Jan 2018 17:55:06 +0100] Univention builddaemon <buildd@univention.de>:
   * UCS auto build. The following patches have been applied to the original source package
+    15-fix-mtd_probe-h
+215-17+deb8u7 [Fri, 10 Mar 2017 06:02:49 +0100] Michael Biebl <biebl@debian.org>:
+  * bus: Fix bus_print_property() to use "int" for booleans.
+    This fixes the problem that on big endian architectures, like mips or
+    powerpc, boolean properties that were retrieved via sd-bus were always
+    set to 0 (no). (Closes: #774430)
+  * systemctl: Add is-enabled support for SysV init scripts.
+    The update-rc.d utility does not provide is-enabled, so implement it
+    ourselves in systemctl using the same logic as systemd-sysv-install from
+    Stretch. (Closes: #809405)
+  * core: If the start command vanishes during runtime don't hit an assert.
+    This can happen when the configuration is changed and reloaded while we
+    are executing a service. Let's not hit an assert in this case.
+    (Closes: #856985)
+  * automount: If an automount unit is masked, don't react to activation
+    anymore.
+    Otherwise we'll hit an assert sooner or later. (Closes: #856035)
+215-17+deb8u6 [Wed, 21 Dec 2016 21:33:51 +0100] Michael Biebl <biebl@debian.org>:
+  [ Michael Biebl ]
+  * Don't return any error in manager_dispatch_notify_fd().
+    If manager_dispatch_notify_fd() fails and returns an error then the
+    handling of service notifications will be disabled entirely leading to a
+    compromised system.
+    For example pid1 won't be able to receive the WATCHDOG messages anymore
+    and will kill all services supposed to send such messages. (CVE-2016-7796)
+    (Closes: #839607)
+  * core: Rework logic to determine when we decide to add automatic deps for
+    mounts.
+    This adds a concept of "extrinsic" mounts. If mounts are extrinsic we
+    consider them managed by something else and do not add automatic ordering
+    against umount.target, local-fs.target, remote-fs.target.
+    Extrinsic mounts include API mounts such as everything below /proc, /sys,
+    /dev. This avoids a crash in LXC containers where /dev/urandom is a bind
+    mount from the host system and unmounting it leads to an assert in
+    systemd. (Closes: #818978)
+  * Various ordering fixes for ifupdown.
+    Run ifup after all kernel modules have been loaded and all sysctl settings
+    are applied. Update ifup@.service to add missing After= for the device
+    unit we bind to. This ensures that the device unit is active when systemd
+    tries to start the service. (Closes: #819314)
+  * systemctl: Fix argument handling when invoked as shutdown.
+    (Closes: #776997)
+  [ Simon McVittie ]
+  * localed: tolerate absence of /etc/default/keyboard.
+    The debian-specific patch to read Debian config files was not tolerating
+    the absence of /etc/default/keyboard. This causes systemd-localed to fail
+    to start on systems where that file isn't populated (like embedded systems
+    without keyboards). (Closes: #833849)
+  [ Martin Pitt ]
+  * systemctl, loginctl, etc.: Don't start polkit agent when running as root.
+    (Closes: #774153, LP: #1565617)
 215-17+deb8u5 [Sun, 24 Jul 2016 18:55:54 +0200] Michael Biebl <biebl@debian.org>:
Comment 4 Arvid Requate univentionstaff 2018-05-07 12:28:09 CEST
* All UCS specific patches applied during rebuilt
* New patch 4.2-0-0-ucs/215-17+deb8u7-errata4.2-3/15-fix-mtd_probe-h.quilt
  just adding stdint.h include
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory Ok
Comment 5 Arvid Requate univentionstaff 2018-05-08 14:56:43 CEST