Bug 46134 – systemd: multiple issues (4.2)

Bug 46134 - systemd: multiple issues (4.2)


Summary:	systemd: multiple issues (4.2)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.2-3-errata
Assigned To:	Philipp Hahn
QA Contact:	Arvid Requate

URL:	http://metadata.ftp-master.debian.org...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2018-01-24 17:52 CET by Philipp Hahn
Modified:	2018-05-08 14:56 CEST (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:	6.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Philipp Hahn

2018-01-24 17:52:22 CET

systemd (215-17+deb8u6) stable; urgency=medium

CVE-2016-7796 systemd: freeze when PID 1 receives a zero-length message over notify socket

Comment 1 Philipp Hahn

2018-01-24 18:35:03 CET

r17986 | Bug #46134: systemd-215-17+deb8u6 FTBFS

Package: systemd
Version: 215-17+deb8u7A~4.2.3.201801211553
Branch: ucs_4.2-0
Scope: errata4.2-3

Comment 2 Philipp Hahn

2018-01-25 10:59:29 CET

Mass-import from Debian-Security:
  python -m univention.repong.^Cbmirror -s jessie -r 4.2-3 --override=$HOME/REPOS/repo-ng/mirror/update_ucs42_mirror_from_debian.yml --errata=doc/errata --sql --process=ALL -vvvv --now=201801211553

YAML: git:bd6159834a..449aa5a7cf

Comment 3 Quality Assurance

2018-05-04 16:55:39 CEST

--- mirror/ftp/4.2/unmaintained/4.2-0/source/systemd_215-17+deb8u5A~4.2.0.201701111554.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/systemd_215-17+deb8u7A~4.2.3.201801211553.dsc
@@ -1,7 +1,64 @@
-215-17+deb8u5A~4.2.0.201701111554 [Wed, 11 Jan 2017 15:54:12 +0100] Univention builddaemon <buildd@univention.de>:
+215-17+deb8u7A~4.2.3.201801211553 [Wed, 24 Jan 2018 17:55:06 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     10-ignore-ucs-divered
+    15-fix-mtd_probe-h
+
+215-17+deb8u7 [Fri, 10 Mar 2017 06:02:49 +0100] Michael Biebl <biebl@debian.org>:
+
+  * bus: Fix bus_print_property() to use "int" for booleans.
+    This fixes the problem that on big endian architectures, like mips or
+    powerpc, boolean properties that were retrieved via sd-bus were always
+    set to 0 (no). (Closes: #774430)
+  * systemctl: Add is-enabled support for SysV init scripts.
+    The update-rc.d utility does not provide is-enabled, so implement it
+    ourselves in systemctl using the same logic as systemd-sysv-install from
+    Stretch. (Closes: #809405)
+  * core: If the start command vanishes during runtime don't hit an assert.
+    This can happen when the configuration is changed and reloaded while we
+    are executing a service. Let's not hit an assert in this case.
+    (Closes: #856985)
+  * automount: If an automount unit is masked, don't react to activation
+    anymore.
+    Otherwise we'll hit an assert sooner or later. (Closes: #856035)
+
+215-17+deb8u6 [Wed, 21 Dec 2016 21:33:51 +0100] Michael Biebl <biebl@debian.org>:
+
+  [ Michael Biebl ]
+  * Don't return any error in manager_dispatch_notify_fd().
+    If manager_dispatch_notify_fd() fails and returns an error then the
+    handling of service notifications will be disabled entirely leading to a
+    compromised system.
+    For example pid1 won't be able to receive the WATCHDOG messages anymore
+    and will kill all services supposed to send such messages. (CVE-2016-7796)
+    (Closes: #839607)
+  * core: Rework logic to determine when we decide to add automatic deps for
+    mounts.
+    This adds a concept of "extrinsic" mounts. If mounts are extrinsic we
+    consider them managed by something else and do not add automatic ordering
+    against umount.target, local-fs.target, remote-fs.target.
+    Extrinsic mounts include API mounts such as everything below /proc, /sys,
+    /dev. This avoids a crash in LXC containers where /dev/urandom is a bind
+    mount from the host system and unmounting it leads to an assert in
+    systemd. (Closes: #818978)
+  * Various ordering fixes for ifupdown.
+    Run ifup after all kernel modules have been loaded and all sysctl settings
+    are applied. Update ifup@.service to add missing After= for the device
+    unit we bind to. This ensures that the device unit is active when systemd
+    tries to start the service. (Closes: #819314)
+  * systemctl: Fix argument handling when invoked as shutdown.
+    (Closes: #776997)
+
+  [ Simon McVittie ]
+  * localed: tolerate absence of /etc/default/keyboard.
+    The debian-specific patch to read Debian config files was not tolerating
+    the absence of /etc/default/keyboard. This causes systemd-localed to fail
+    to start on systems where that file isn't populated (like embedded systems
+    without keyboards). (Closes: #833849)
+
+  [ Martin Pitt ]
+  * systemctl, loginctl, etc.: Don't start polkit agent when running as root.
+    (Closes: #774153, LP: #1565617)
 
 215-17+deb8u5 [Sun, 24 Jul 2016 18:55:54 +0200] Michael Biebl <biebl@debian.org>:

Comment 4 Arvid Requate

2018-05-07 12:28:09 CEST

* All UCS specific patches applied during rebuilt
* New patch 4.2-0-0-ucs/215-17+deb8u7-errata4.2-3/15-fix-mtd_probe-h.quilt
  just adding stdint.h include
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory Ok

Comment 5 Arvid Requate

2018-05-08 14:56:43 CEST

<http://errata.software-univention.de/ucs/4.2/404.html>