Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.3569.3
SUSE Security Update: Security update for systemd
22 January 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: systemd
Publisher: SUSE
Operating System: SUSE
Impact/Access: Root Compromise -- Remote/Unauthenticated
Modify Permissions -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2018-16866 CVE-2018-16865 CVE-2018-16864
CVE-2018-15688 CVE-2018-15686 CVE-2018-6954
Reference: ESB-2018.3507
ESB-2018.3466
ESB-2018.3465
Original Bulletin:
http://suse.com/support/update/announcement/2018/suse-su-20183767-1/
https://www.suse.com/support/update/announcement/2019/suse-su-20190137-1/
https://www.suse.com/support/update/announcement/2019/suse-su-20190135-1/
http://suse.com/support/update/announcement/2018/suse-su-20183767-2/
Comment: This bulletin contains four (4) SUSE security advisories.
Revision History: January 22 2019: Added SUSE-SU-2019:0137-1 and SUSE-SU-2019:0135-1
December 11 2018: Added SUSE-SU-2018:3767-2
November 15 2018: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for systemd
______________________________________________________________________________
Announcement ID: SUSE-SU-2019:0137-1
Rating: important
References: #1005023 #1045723 #1076696 #1080919 #1093753
#1101591 #1111498 #1114933 #1117063 #1119971
#1120323
Cross-References: CVE-2018-16864 CVE-2018-16865 CVE-2018-16866
CVE-2018-6954
Affected Products:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________
An update that solves four vulnerabilities and has 7 fixes
is now available.
Description:
This update for systemd provides the following fixes:
Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through
attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path
components (bsc#1080919)
- Fixed an issue during system startup in relation to encrypted swap disks
(bsc#1119971)
Non-security issues fixed:
- pam_systemd: Fix 'Cannot create session: Already running in a session'
(bsc#1111498)
- systemd-vconsole-setup: vconsole setup fails, fonts will not be copied
to tty (bsc#1114933)
- systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple
units (bsc#1045723)
- Fixed installation issue with /etc/machine-id during update (bsc#1117063)
- btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753)
- logind: Stop managing VT switches if no sessions are registered on that
VT. (bsc#1101591)
- udev: Downgrade message when settting inotify watch up fails.
(bsc#1005023)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add.
In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that
uses systemd-detect-virt to detect non-zvm environment. The
systemd-detect-virt returns exit failure code when it detected _none_
state. The exit failure code causes that the hot-add memory block can
not be set to online. (bsc#1076696)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-137=1
- SUSE Linux Enterprise Module for Basesystem 15:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-137=1
Package List:
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
libsystemd0-mini-234-24.20.1
libsystemd0-mini-debuginfo-234-24.20.1
libudev-mini-devel-234-24.20.1
libudev-mini1-234-24.20.1
libudev-mini1-debuginfo-234-24.20.1
nss-myhostname-234-24.20.1
nss-myhostname-debuginfo-234-24.20.1
nss-mymachines-234-24.20.1
nss-mymachines-debuginfo-234-24.20.1
nss-systemd-234-24.20.1
nss-systemd-debuginfo-234-24.20.1
systemd-debuginfo-234-24.20.1
systemd-debugsource-234-24.20.1
systemd-logger-234-24.20.1
systemd-mini-234-24.20.1
systemd-mini-container-mini-234-24.20.1
systemd-mini-container-mini-debuginfo-234-24.20.1
systemd-mini-coredump-mini-234-24.20.1
systemd-mini-coredump-mini-debuginfo-234-24.20.1
systemd-mini-debuginfo-234-24.20.1
systemd-mini-debugsource-234-24.20.1
systemd-mini-devel-234-24.20.1
systemd-mini-sysvinit-234-24.20.1
udev-mini-234-24.20.1
udev-mini-debuginfo-234-24.20.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):
systemd-mini-bash-completion-234-24.20.1
- SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
libsystemd0-234-24.20.1
libsystemd0-debuginfo-234-24.20.1
libudev-devel-234-24.20.1
libudev1-234-24.20.1
libudev1-debuginfo-234-24.20.1
systemd-234-24.20.1
systemd-container-234-24.20.1
systemd-container-debuginfo-234-24.20.1
systemd-coredump-234-24.20.1
systemd-coredump-debuginfo-234-24.20.1
systemd-debuginfo-234-24.20.1
systemd-debugsource-234-24.20.1
systemd-devel-234-24.20.1
systemd-sysvinit-234-24.20.1
udev-234-24.20.1
udev-debuginfo-234-24.20.1
- SUSE Linux Enterprise Module for Basesystem 15 (noarch):
systemd-bash-completion-234-24.20.1
- SUSE Linux Enterprise Module for Basesystem 15 (x86_64):
libsystemd0-32bit-234-24.20.1
libsystemd0-32bit-debuginfo-234-24.20.1
libudev1-32bit-234-24.20.1
libudev1-32bit-debuginfo-234-24.20.1
systemd-32bit-234-24.20.1
systemd-32bit-debuginfo-234-24.20.1
References:
https://www.suse.com/security/cve/CVE-2018-16864.html
https://www.suse.com/security/cve/CVE-2018-16865.html
https://www.suse.com/security/cve/CVE-2018-16866.html
https://www.suse.com/security/cve/CVE-2018-6954.html
https://bugzilla.suse.com/1005023
https://bugzilla.suse.com/1045723
https://bugzilla.suse.com/1076696
https://bugzilla.suse.com/1080919
https://bugzilla.suse.com/1093753
https://bugzilla.suse.com/1101591
https://bugzilla.suse.com/1111498
https://bugzilla.suse.com/1114933
https://bugzilla.suse.com/1117063
https://bugzilla.suse.com/1119971
https://bugzilla.suse.com/1120323
- --------------------------------------------------------------------------------
SUSE Security Update: Security update for systemd
______________________________________________________________________________
Announcement ID: SUSE-SU-2019:0135-1
Rating: moderate
References: #1005023 #1076696 #1101591 #1114981 #1115518
#1119971 #1120323
Cross-References: CVE-2018-16864 CVE-2018-16865 CVE-2018-16866
Affected Products:
SUSE OpenStack Cloud 7
SUSE Linux Enterprise Software Development Kit 12-SP4
SUSE Linux Enterprise Software Development Kit 12-SP3
SUSE Linux Enterprise Server for SAP 12-SP2
SUSE Linux Enterprise Server 12-SP4
SUSE Linux Enterprise Server 12-SP3
SUSE Linux Enterprise Server 12-SP2-LTSS
SUSE Linux Enterprise Server 12-SP2-BCL
SUSE Linux Enterprise Desktop 12-SP4
SUSE Linux Enterprise Desktop 12-SP3
SUSE Enterprise Storage 4
SUSE CaaS Platform ALL
SUSE CaaS Platform 3.0
OpenStack Cloud Magnum Orchestration 7
______________________________________________________________________________
An update that solves three vulnerabilities and has four
fixes is now available.
Description:
This update for systemd provides the following fixes:
Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through
attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- Fixed an issue during system startup in relation to encrypted swap disks
(bsc#1119971)
Non-security issues fixed:
- core: Queue loading transient units after setting their properties.
(bsc#1115518)
- logind: Stop managing VT switches if no sessions are registered on that
VT. (bsc#1101591)
- terminal-util: introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal Reset should honour default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when settting inotify watch up fails.
(bsc#1005023)
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children.
(bsc#1114981)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add.
In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that
uses systemd-detect-virt to detect non-zvm environment. The
systemd-detect-virt returns exit failure code when it detected _none_
state. The exit failure code causes that the hot-add memory block can
not be set to online. (bsc#1076696)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud 7:
zypper in -t patch SUSE-OpenStack-Cloud-7-2019-135=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-135=1
- SUSE Linux Enterprise Software Development Kit 12-SP3:
zypper in -t patch SUSE-SLE-SDK-12-SP3-2019-135=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-135=1
- SUSE Linux Enterprise Server 12-SP4:
zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-135=1
- SUSE Linux Enterprise Server 12-SP3:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-135=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-135=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-135=1
- SUSE Linux Enterprise Desktop 12-SP4:
zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-135=1
- SUSE Linux Enterprise Desktop 12-SP3:
zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2019-135=1
- SUSE Enterprise Storage 4:
zypper in -t patch SUSE-Storage-4-2019-135=1
- SUSE CaaS Platform ALL:
To install this update, use the SUSE CaaS Platform Velum dashboard.
It will inform you if it detects new updates and let you then trigger
updating of the complete cluster in a controlled way.
- SUSE CaaS Platform 3.0:
To install this update, use the SUSE CaaS Platform Velum dashboard.
It will inform you if it detects new updates and let you then trigger
updating of the complete cluster in a controlled way.
- OpenStack Cloud Magnum Orchestration 7:
zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2019-135=1
Package List:
- SUSE OpenStack Cloud 7 (s390x x86_64):
libsystemd0-228-150.58.1
libsystemd0-32bit-228-150.58.1
libsystemd0-debuginfo-228-150.58.1
libsystemd0-debuginfo-32bit-228-150.58.1
libudev1-228-150.58.1
libudev1-32bit-228-150.58.1
libudev1-debuginfo-228-150.58.1
libudev1-debuginfo-32bit-228-150.58.1
systemd-228-150.58.1
systemd-32bit-228-150.58.1
systemd-debuginfo-228-150.58.1
systemd-debuginfo-32bit-228-150.58.1
systemd-debugsource-228-150.58.1
systemd-sysvinit-228-150.58.1
udev-228-150.58.1
udev-debuginfo-228-150.58.1
- SUSE OpenStack Cloud 7 (noarch):
systemd-bash-completion-228-150.58.1
- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
libudev-devel-228-150.58.1
systemd-debuginfo-228-150.58.1
systemd-debugsource-228-150.58.1
systemd-devel-228-150.58.1
- SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):
libudev-devel-228-150.58.1
systemd-debuginfo-228-150.58.1
systemd-debugsource-228-150.58.1
systemd-devel-228-150.58.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
libsystemd0-228-150.58.1
libsystemd0-debuginfo-228-150.58.1
libudev1-228-150.58.1
libudev1-debuginfo-228-150.58.1
systemd-228-150.58.1
systemd-debuginfo-228-150.58.1
systemd-debugsource-228-150.58.1
systemd-sysvinit-228-150.58.1
udev-228-150.58.1
udev-debuginfo-228-150.58.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):
libsystemd0-32bit-228-150.58.1
libsystemd0-debuginfo-32bit-228-150.58.1
libudev1-32bit-228-150.58.1
libudev1-debuginfo-32bit-228-150.58.1
systemd-32bit-228-150.58.1
systemd-debuginfo-32bit-228-150.58.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
systemd-bash-completion-228-150.58.1
- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
libsystemd0-228-150.58.1
libsystemd0-debuginfo-228-150.58.1
libudev1-228-150.58.1
libudev1-debuginfo-228-150.58.1
systemd-228-150.58.1
systemd-debuginfo-228-150.58.1
systemd-debugsource-228-150.58.1
systemd-sysvinit-228-150.58.1
udev-228-150.58.1
udev-debuginfo-228-150.58.1
- SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):
libsystemd0-32bit-228-150.58.1
libsystemd0-debuginfo-32bit-228-150.58.1
libudev1-32bit-228-150.58.1
libudev1-debuginfo-32bit-228-150.58.1
systemd-32bit-228-150.58.1
systemd-debuginfo-32bit-228-150.58.1
- SUSE Linux Enterprise Server 12-SP4 (noarch):
systemd-bash-completion-228-150.58.1
- SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):
libsystemd0-228-150.58.1
libsystemd0-debuginfo-228-150.58.1
libudev1-228-150.58.1
libudev1-debuginfo-228-150.58.1
systemd-228-150.58.1
systemd-debuginfo-228-150.58.1
systemd-debugsource-228-150.58.1
systemd-sysvinit-228-150.58.1
udev-228-150.58.1
udev-debuginfo-228-150.58.1
- SUSE Linux Enterprise Server 12-SP3 (s390x x86_64):
libsystemd0-32bit-228-150.58.1
libsystemd0-debuginfo-32bit-228-150.58.1
libudev1-32bit-228-150.58.1
libudev1-debuginfo-32bit-228-150.58.1
systemd-32bit-228-150.58.1
systemd-debuginfo-32bit-228-150.58.1
- SUSE Linux Enterprise Server 12-SP3 (noarch):
systemd-bash-completion-228-150.58.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
libsystemd0-228-150.58.1
libsystemd0-debuginfo-228-150.58.1
libudev1-228-150.58.1
libudev1-debuginfo-228-150.58.1
systemd-228-150.58.1
systemd-debuginfo-228-150.58.1
systemd-debugsource-228-150.58.1
systemd-sysvinit-228-150.58.1
udev-228-150.58.1
udev-debuginfo-228-150.58.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64):
libsystemd0-32bit-228-150.58.1
libsystemd0-debuginfo-32bit-228-150.58.1
libudev1-32bit-228-150.58.1
libudev1-debuginfo-32bit-228-150.58.1
systemd-32bit-228-150.58.1
systemd-debuginfo-32bit-228-150.58.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
systemd-bash-completion-228-150.58.1
- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
systemd-bash-completion-228-150.58.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
libsystemd0-228-150.58.1
libsystemd0-32bit-228-150.58.1
libsystemd0-debuginfo-228-150.58.1
libsystemd0-debuginfo-32bit-228-150.58.1
libudev1-228-150.58.1
libudev1-32bit-228-150.58.1
libudev1-debuginfo-228-150.58.1
libudev1-debuginfo-32bit-228-150.58.1
systemd-228-150.58.1
systemd-32bit-228-150.58.1
systemd-debuginfo-228-150.58.1
systemd-debuginfo-32bit-228-150.58.1
systemd-debugsource-228-150.58.1
systemd-sysvinit-228-150.58.1
udev-228-150.58.1
udev-debuginfo-228-150.58.1
- SUSE Linux Enterprise Desktop 12-SP4 (x86_64):
libsystemd0-228-150.58.1
libsystemd0-32bit-228-150.58.1
libsystemd0-debuginfo-228-150.58.1
libsystemd0-debuginfo-32bit-228-150.58.1
libudev1-228-150.58.1
libudev1-32bit-228-150.58.1
libudev1-debuginfo-228-150.58.1
libudev1-debuginfo-32bit-228-150.58.1
systemd-228-150.58.1
systemd-32bit-228-150.58.1
systemd-debuginfo-228-150.58.1
systemd-debuginfo-32bit-228-150.58.1
systemd-debugsource-228-150.58.1
systemd-sysvinit-228-150.58.1
udev-228-150.58.1
udev-debuginfo-228-150.58.1
- SUSE Linux Enterprise Desktop 12-SP4 (noarch):
systemd-bash-completion-228-150.58.1
- SUSE Linux Enterprise Desktop 12-SP3 (x86_64):
libsystemd0-228-150.58.1
libsystemd0-32bit-228-150.58.1
libsystemd0-debuginfo-228-150.58.1
libsystemd0-debuginfo-32bit-228-150.58.1
libudev1-228-150.58.1
libudev1-32bit-228-150.58.1
libudev1-debuginfo-228-150.58.1
libudev1-debuginfo-32bit-228-150.58.1
systemd-228-150.58.1
systemd-32bit-228-150.58.1
systemd-debuginfo-228-150.58.1
systemd-debuginfo-32bit-228-150.58.1
systemd-debugsource-228-150.58.1
systemd-sysvinit-228-150.58.1
udev-228-150.58.1
udev-debuginfo-228-150.58.1
- SUSE Linux Enterprise Desktop 12-SP3 (noarch):
systemd-bash-completion-228-150.58.1
- SUSE Enterprise Storage 4 (noarch):
systemd-bash-completion-228-150.58.1
- SUSE Enterprise Storage 4 (x86_64):
libsystemd0-228-150.58.1
libsystemd0-32bit-228-150.58.1
libsystemd0-debuginfo-228-150.58.1
libsystemd0-debuginfo-32bit-228-150.58.1
libudev1-228-150.58.1
libudev1-32bit-228-150.58.1
libudev1-debuginfo-228-150.58.1
libudev1-debuginfo-32bit-228-150.58.1
systemd-228-150.58.1
systemd-32bit-228-150.58.1
systemd-debuginfo-228-150.58.1
systemd-debuginfo-32bit-228-150.58.1
systemd-debugsource-228-150.58.1
systemd-sysvinit-228-150.58.1
udev-228-150.58.1
udev-debuginfo-228-150.58.1
- SUSE CaaS Platform ALL (x86_64):
libsystemd0-228-150.58.1
libsystemd0-debuginfo-228-150.58.1
libudev1-228-150.58.1
libudev1-debuginfo-228-150.58.1
systemd-228-150.58.1
systemd-debuginfo-228-150.58.1
systemd-debugsource-228-150.58.1
systemd-sysvinit-228-150.58.1
udev-228-150.58.1
udev-debuginfo-228-150.58.1
- SUSE CaaS Platform 3.0 (x86_64):
libsystemd0-228-150.58.1
libsystemd0-debuginfo-228-150.58.1
libudev1-228-150.58.1
libudev1-debuginfo-228-150.58.1
systemd-228-150.58.1
systemd-debuginfo-228-150.58.1
systemd-debugsource-228-150.58.1
systemd-sysvinit-228-150.58.1
udev-228-150.58.1
udev-debuginfo-228-150.58.1
- OpenStack Cloud Magnum Orchestration 7 (x86_64):
libsystemd0-228-150.58.1
libsystemd0-debuginfo-228-150.58.1
libudev1-228-150.58.1
libudev1-debuginfo-228-150.58.1
systemd-228-150.58.1
systemd-debuginfo-228-150.58.1
systemd-debugsource-228-150.58.1
systemd-sysvinit-228-150.58.1
udev-228-150.58.1
udev-debuginfo-228-150.58.1
References:
https://www.suse.com/security/cve/CVE-2018-16864.html
https://www.suse.com/security/cve/CVE-2018-16865.html
https://www.suse.com/security/cve/CVE-2018-16866.html
https://bugzilla.suse.com/1005023
https://bugzilla.suse.com/1076696
https://bugzilla.suse.com/1101591
https://bugzilla.suse.com/1114981
https://bugzilla.suse.com/1115518
https://bugzilla.suse.com/1119971
https://bugzilla.suse.com/1120323
- --------------------------------------------------------------------------------
SUSE Security Update: Security update for systemd
______________________________________________________________________________
Announcement ID: SUSE-SU-2018:3767-1
Rating: important
References: #1106923 #1108835 #1109252 #1110445 #1111278
#1112024 #1113083 #1113632 #1113665
Cross-References: CVE-2018-15686 CVE-2018-15688
Affected Products:
SUSE OpenStack Cloud 7
SUSE Linux Enterprise Software Development Kit 12-SP3
SUSE Linux Enterprise Server for SAP 12-SP2
SUSE Linux Enterprise Server 12-SP3
SUSE Linux Enterprise Server 12-SP2-LTSS
SUSE Linux Enterprise Server 12-SP2-BCL
SUSE Linux Enterprise Desktop 12-SP3
SUSE Enterprise Storage 4
SUSE CaaS Platform ALL
SUSE CaaS Platform 3.0
OpenStack Cloud Magnum Orchestration 7
______________________________________________________________________________
An update that solves two vulnerabilities and has 7 fixes
is now available.
Description:
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of
systemd allowed a malicious dhcp6 server to overwrite heap memory in
systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an
attacker to supply arbitrary state across systemd re-execution via
NotifyAccess. This can be used to improperly influence systemd execution
and possibly lead to root privilege escalation. (bsc#1113665)
Non-security issues fixed:
- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when
unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if "missing ok" (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051)
(bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer
(#7329)
- socket-util: introduce port argument in sockaddr_port()
- service: fixup ExecStop for socket-activated shutdown (#4120)
- service: Continue shutdown on socket activated unit on termination
(#4108) (bsc#1106923)
- cryptsetup: build fixes for "add support for sector-size= option"
- udev-rules: IMPORT cmdline does not recognize keys with similar names
(bsc#1111278)
- core: keep the kernel coredump defaults when systemd-coredump is disabled
- core: shorten main() a bit, split out coredump initialization
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835)
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make "tmpfs" dependencies on swapfs a "default" dep, not an
"implicit" (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps
(#7076)
- tmp.mount.hm4: After swap.target (#3087)
- Ship systemd-sysv-install helper via the main package This script was
part of systemd-sysvinit sub-package but it was wrong since
systemd-sysv-install is a script used to redirect enable/disable
operations to chkconfig when the unit targets are sysv init scripts.
Therefore it's never been a SySV init tool.
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud 7:
zypper in -t patch SUSE-OpenStack-Cloud-7-2018-2659=1
- SUSE Linux Enterprise Software Development Kit 12-SP3:
zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-2659=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-2659=1
- SUSE Linux Enterprise Server 12-SP3:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-2659=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-2659=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2018-2659=1
- SUSE Linux Enterprise Desktop 12-SP3:
zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-2659=1
- SUSE Enterprise Storage 4:
zypper in -t patch SUSE-Storage-4-2018-2659=1
- SUSE CaaS Platform ALL:
To install this update, use the SUSE CaaS Platform Velum dashboard.
It will inform you if it detects new updates and let you then trigger
updating of the complete cluster in a controlled way.
- SUSE CaaS Platform 3.0:
To install this update, use the SUSE CaaS Platform Velum dashboard.
It will inform you if it detects new updates and let you then trigger
updating of the complete cluster in a controlled way.
- OpenStack Cloud Magnum Orchestration 7:
zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-2659=1
Package List:
- SUSE OpenStack Cloud 7 (s390x x86_64):
libsystemd0-228-150.53.3
libsystemd0-32bit-228-150.53.3
libsystemd0-debuginfo-228-150.53.3
libsystemd0-debuginfo-32bit-228-150.53.3
libudev1-228-150.53.3
libudev1-32bit-228-150.53.3
libudev1-debuginfo-228-150.53.3
libudev1-debuginfo-32bit-228-150.53.3
systemd-228-150.53.3
systemd-32bit-228-150.53.3
systemd-debuginfo-228-150.53.3
systemd-debuginfo-32bit-228-150.53.3
systemd-debugsource-228-150.53.3
systemd-sysvinit-228-150.53.3
udev-228-150.53.3
udev-debuginfo-228-150.53.3
- SUSE OpenStack Cloud 7 (noarch):
systemd-bash-completion-228-150.53.3
- SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):
libudev-devel-228-150.53.3
systemd-debuginfo-228-150.53.3
systemd-debugsource-228-150.53.3
systemd-devel-228-150.53.3
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
libsystemd0-228-150.53.3
libsystemd0-debuginfo-228-150.53.3
libudev1-228-150.53.3
libudev1-debuginfo-228-150.53.3
systemd-228-150.53.3
systemd-debuginfo-228-150.53.3
systemd-debugsource-228-150.53.3
systemd-sysvinit-228-150.53.3
udev-228-150.53.3
udev-debuginfo-228-150.53.3
- SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
systemd-bash-completion-228-150.53.3
- SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):
libsystemd0-32bit-228-150.53.3
libsystemd0-debuginfo-32bit-228-150.53.3
libudev1-32bit-228-150.53.3
libudev1-debuginfo-32bit-228-150.53.3
systemd-32bit-228-150.53.3
systemd-debuginfo-32bit-228-150.53.3
- SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):
libsystemd0-228-150.53.3
libsystemd0-debuginfo-228-150.53.3
libudev1-228-150.53.3
libudev1-debuginfo-228-150.53.3
systemd-228-150.53.3
systemd-debuginfo-228-150.53.3
systemd-debugsource-228-150.53.3
systemd-sysvinit-228-150.53.3
udev-228-150.53.3
udev-debuginfo-228-150.53.3
- SUSE Linux Enterprise Server 12-SP3 (s390x x86_64):
libsystemd0-32bit-228-150.53.3
libsystemd0-debuginfo-32bit-228-150.53.3
libudev1-32bit-228-150.53.3
libudev1-debuginfo-32bit-228-150.53.3
systemd-32bit-228-150.53.3
systemd-debuginfo-32bit-228-150.53.3
- SUSE Linux Enterprise Server 12-SP3 (noarch):
systemd-bash-completion-228-150.53.3
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
libsystemd0-228-150.53.3
libsystemd0-debuginfo-228-150.53.3
libudev1-228-150.53.3
libudev1-debuginfo-228-150.53.3
systemd-228-150.53.3
systemd-debuginfo-228-150.53.3
systemd-debugsource-228-150.53.3
systemd-sysvinit-228-150.53.3
udev-228-150.53.3
udev-debuginfo-228-150.53.3
- SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64):
libsystemd0-32bit-228-150.53.3
libsystemd0-debuginfo-32bit-228-150.53.3
libudev1-32bit-228-150.53.3
libudev1-debuginfo-32bit-228-150.53.3
systemd-32bit-228-150.53.3
systemd-debuginfo-32bit-228-150.53.3
- SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
systemd-bash-completion-228-150.53.3
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
libsystemd0-228-150.53.3
libsystemd0-32bit-228-150.53.3
libsystemd0-debuginfo-228-150.53.3
libsystemd0-debuginfo-32bit-228-150.53.3
libudev1-228-150.53.3
libudev1-32bit-228-150.53.3
libudev1-debuginfo-228-150.53.3
libudev1-debuginfo-32bit-228-150.53.3
systemd-228-150.53.3
systemd-32bit-228-150.53.3
systemd-debuginfo-228-150.53.3
systemd-debuginfo-32bit-228-150.53.3
systemd-debugsource-228-150.53.3
systemd-sysvinit-228-150.53.3
udev-228-150.53.3
udev-debuginfo-228-150.53.3
- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
systemd-bash-completion-228-150.53.3
- SUSE Linux Enterprise Desktop 12-SP3 (x86_64):
libsystemd0-228-150.53.3
libsystemd0-32bit-228-150.53.3
libsystemd0-debuginfo-228-150.53.3
libsystemd0-debuginfo-32bit-228-150.53.3
libudev1-228-150.53.3
libudev1-32bit-228-150.53.3
libudev1-debuginfo-228-150.53.3
libudev1-debuginfo-32bit-228-150.53.3
systemd-228-150.53.3
systemd-32bit-228-150.53.3
systemd-debuginfo-228-150.53.3
systemd-debuginfo-32bit-228-150.53.3
systemd-debugsource-228-150.53.3
systemd-sysvinit-228-150.53.3
udev-228-150.53.3
udev-debuginfo-228-150.53.3
- SUSE Linux Enterprise Desktop 12-SP3 (noarch):
systemd-bash-completion-228-150.53.3
- SUSE Enterprise Storage 4 (x86_64):
libsystemd0-228-150.53.3
libsystemd0-32bit-228-150.53.3
libsystemd0-debuginfo-228-150.53.3
libsystemd0-debuginfo-32bit-228-150.53.3
libudev1-228-150.53.3
libudev1-32bit-228-150.53.3
libudev1-debuginfo-228-150.53.3
libudev1-debuginfo-32bit-228-150.53.3
systemd-228-150.53.3
systemd-32bit-228-150.53.3
systemd-debuginfo-228-150.53.3
systemd-debuginfo-32bit-228-150.53.3
systemd-debugsource-228-150.53.3
systemd-sysvinit-228-150.53.3
udev-228-150.53.3
udev-debuginfo-228-150.53.3
- SUSE Enterprise Storage 4 (noarch):
systemd-bash-completion-228-150.53.3
- SUSE CaaS Platform ALL (x86_64):
libsystemd0-228-150.53.3
libsystemd0-debuginfo-228-150.53.3
libudev1-228-150.53.3
libudev1-debuginfo-228-150.53.3
systemd-228-150.53.3
systemd-debuginfo-228-150.53.3
systemd-debugsource-228-150.53.3
systemd-sysvinit-228-150.53.3
udev-228-150.53.3
udev-debuginfo-228-150.53.3
- SUSE CaaS Platform 3.0 (x86_64):
libsystemd0-228-150.53.3
libsystemd0-debuginfo-228-150.53.3
libudev1-228-150.53.3
libudev1-debuginfo-228-150.53.3
systemd-228-150.53.3
systemd-debuginfo-228-150.53.3
systemd-debugsource-228-150.53.3
systemd-sysvinit-228-150.53.3
udev-228-150.53.3
udev-debuginfo-228-150.53.3
- OpenStack Cloud Magnum Orchestration 7 (x86_64):
libsystemd0-228-150.53.3
libsystemd0-debuginfo-228-150.53.3
libudev1-228-150.53.3
libudev1-debuginfo-228-150.53.3
systemd-228-150.53.3
systemd-debuginfo-228-150.53.3
systemd-debugsource-228-150.53.3
systemd-sysvinit-228-150.53.3
udev-228-150.53.3
udev-debuginfo-228-150.53.3
References:
https://www.suse.com/security/cve/CVE-2018-15686.html
https://www.suse.com/security/cve/CVE-2018-15688.html
https://bugzilla.suse.com/1106923
https://bugzilla.suse.com/1108835
https://bugzilla.suse.com/1109252
https://bugzilla.suse.com/1110445
https://bugzilla.suse.com/1111278
https://bugzilla.suse.com/1112024
https://bugzilla.suse.com/1113083
https://bugzilla.suse.com/1113632
https://bugzilla.suse.com/1113665
- --------------------------------------------------------------------------------
SUSE Security Update: Security update for systemd
______________________________________________________________________________
Announcement ID: SUSE-SU-2018:3767-2
Rating: important
References: #1106923 #1108835 #1109252 #1110445 #1111278
#1112024 #1113083 #1113632 #1113665
Cross-References: CVE-2018-15686 CVE-2018-15688
Affected Products:
SUSE Linux Enterprise Software Development Kit 12-SP4
SUSE Linux Enterprise Server 12-SP4
SUSE Linux Enterprise Desktop 12-SP4
______________________________________________________________________________
An update that solves two vulnerabilities and has 7 fixes
is now available.
Description:
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of
systemd allowed a malicious dhcp6 server to overwrite heap memory in
systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an
attacker to supply arbitrary state across systemd re-execution via
NotifyAccess. This can be used to improperly influence systemd execution
and possibly lead to root privilege escalation. (bsc#1113665)
Non-security issues fixed:
- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when
unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if "missing ok" (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051)
(bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer
(#7329)
- socket-util: introduce port argument in sockaddr_port()
- service: fixup ExecStop for socket-activated shutdown (#4120)
- service: Continue shutdown on socket activated unit on termination
(#4108) (bsc#1106923)
- cryptsetup: build fixes for "add support for sector-size= option"
- udev-rules: IMPORT cmdline does not recognize keys with similar names
(bsc#1111278)
- core: keep the kernel coredump defaults when systemd-coredump is disabled
- core: shorten main() a bit, split out coredump initialization
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835)
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make "tmpfs" dependencies on swapfs a "default" dep, not an
"implicit" (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps
(#7076)
- tmp.mount.hm4: After swap.target (#3087)
- Ship systemd-sysv-install helper via the main package This script was
part of systemd-sysvinit sub-package but it was wrong since
systemd-sysv-install is a script used to redirect enable/disable
operations to chkconfig when the unit targets are sysv init scripts.
Therefore it's never been a SySV init tool.
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12-SP4:
zypper in -t patch SUSE-SLE-SDK-12-SP4-2018-2659=1
- SUSE Linux Enterprise Server 12-SP4:
zypper in -t patch SUSE-SLE-SERVER-12-SP4-2018-2659=1
- SUSE Linux Enterprise Desktop 12-SP4:
zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2018-2659=1
Package List:
- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
libudev-devel-228-150.53.3
systemd-debuginfo-228-150.53.3
systemd-debugsource-228-150.53.3
systemd-devel-228-150.53.3
- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
libsystemd0-228-150.53.3
libsystemd0-debuginfo-228-150.53.3
libudev1-228-150.53.3
libudev1-debuginfo-228-150.53.3
systemd-228-150.53.3
systemd-debuginfo-228-150.53.3
systemd-debugsource-228-150.53.3
systemd-sysvinit-228-150.53.3
udev-228-150.53.3
udev-debuginfo-228-150.53.3
- SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):
libsystemd0-32bit-228-150.53.3
libsystemd0-debuginfo-32bit-228-150.53.3
libudev1-32bit-228-150.53.3
libudev1-debuginfo-32bit-228-150.53.3
systemd-32bit-228-150.53.3
systemd-debuginfo-32bit-228-150.53.3
- SUSE Linux Enterprise Server 12-SP4 (noarch):
systemd-bash-completion-228-150.53.3
- SUSE Linux Enterprise Desktop 12-SP4 (noarch):
systemd-bash-completion-228-150.53.3
- SUSE Linux Enterprise Desktop 12-SP4 (x86_64):
libsystemd0-228-150.53.3
libsystemd0-32bit-228-150.53.3
libsystemd0-debuginfo-228-150.53.3
libsystemd0-debuginfo-32bit-228-150.53.3
libudev1-228-150.53.3
libudev1-32bit-228-150.53.3
libudev1-debuginfo-228-150.53.3
libudev1-debuginfo-32bit-228-150.53.3
systemd-228-150.53.3
systemd-32bit-228-150.53.3
systemd-debuginfo-228-150.53.3
systemd-debuginfo-32bit-228-150.53.3
systemd-debugsource-228-150.53.3
systemd-sysvinit-228-150.53.3
udev-228-150.53.3
udev-debuginfo-228-150.53.3
References:
https://www.suse.com/security/cve/CVE-2018-15686.html
https://www.suse.com/security/cve/CVE-2018-15688.html
https://bugzilla.suse.com/1106923
https://bugzilla.suse.com/1108835
https://bugzilla.suse.com/1109252
https://bugzilla.suse.com/1110445
https://bugzilla.suse.com/1111278
https://bugzilla.suse.com/1112024
https://bugzilla.suse.com/1113083
https://bugzilla.suse.com/1113632
https://bugzilla.suse.com/1113665
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXEZctGaOgq3Tt24GAQh39hAA0uYZpam7BPnnHWVCOka2e2zl1jKSIGRi
ioPlVlb1CKD1CkB8rtMuBYaf53P8bCpbFQV/2y4BeSd2H3QXngSWyGy29xPJm2t1
/yAcOwCLPJnt6xjvrjcXqwnh9cpZ2MobYvrJumr30ta9QxzdA5uEqhqXniSqZJe2
MJNDQ/e3EHuk5ZEMJOoCh2NBLbHQYlD4vkG/Rdg3heGx7ohrYk6K1h9LabA/68UW
pzK6G8dvLODlvoPEEWXUsgyM3FsJlW3AWxk84QLksh0RIOLgIADuRGjCQq7fPhOT
Hfi4gJgZJqPGS5ztAgQi8ZOrxzhMyEcJZdm4ChvKr1E11Yi7QhrWE6t+ed+CJ3xA
+MfY/j8gPQCpb9dFy1zggeffbUvC/FU1/SW0Jit9dWjGNR1Bs5TJW5PdKTu5wxMJ
1adB/ORyaDAF9CDoI+qZfOGKx3m/hvYa7bUYEahmAloEfs6NQqQFK/tmKPi3f1RY
3kt7kXFB/tXz+FGTqOUEymwnJnFeItuDb9tzvpuT47jCHDzayVGI2juE2IXAlHyQ
NwJs0s4/Y+Jaue5aqZNe8XuLCGL2E7yy9q7LE29fQ/UAUEwzzOI+mkO7gUaLX7mA
Hja/lqm8lEsQrdTqFV1NYsUiTjccWjYDOjk0I8HMq4LmG4VhmqTkTuHKwJkJWRJp
Z9ZOtPbW9rQ=
=nuDl
-----END PGP SIGNATURE-----