Security update for systemd SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0320-1 Final 1 1 2018-01-31T18:45:02Z current 2018-01-31T18:45:02Z 2018-01-31T18:45:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for systemd This update for systemd fixes several issues. This security issue was fixed: - CVE-2018-1049: Prevent race that can lead to DoS when using automounts (bsc#1076308). These non-security issues were fixed: - core: don't choke if a unit another unit triggers vanishes during reload - delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX - delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428) - delta: check if a prefix needs to be skipped only once - delta: skip symlink paths when split-usr is enabled (#4591) - sysctl: use raw file descriptor in sysctl_write (#7753) - sd-netlink: don't take possesion of netlink fd from caller on failure (bsc#1074254) - Fix the regexp used to detect broken by-id symlinks in /etc/crypttab It was missing the following case: '/dev/disk/by-id/cr_-xxx'. - sysctl: disable buffer while writing to /proc (bsc#1071558) - Use read_line() and LONG_LINE_MAX to read values configuration files. (bsc#1071558) - sysctl: no need to check for eof twice - def: add new constant LONG_LINE_MAX - fileio: add new helper call read_line() as bounded getline() replacement - service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156) - gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280) - gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422) - fstab-util: introduce fstab_has_fstype() helper - fstab-generator: ignore root=/dev/nfs (#3591) - fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452) - virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510) - analyze: replace --no-man with --man=no in the man page (bsc#1068251) - udev: net_setup_link: don't error out when we couldn't apply link config (#7328) - Add missing /etc/systemd/network directory - Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510) - sd-bus: use -- when passing arguments to ssh (#6706) - systemctl: make sure we terminate the bus connection first, and then close the pager (#3550) - sd-bus: bump message queue size (bsc#1075724) - tmpfiles: downgrade warning about duplicate line This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2018-01/msg00118.html E-Mail link for openSUSE-SU-2018:0320-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 libsystemd0-228-41.1 libsystemd0-32bit-228-41.1 libsystemd0-mini-228-41.1 libudev-devel-228-41.1 libudev-mini-devel-228-41.1 libudev-mini1-228-41.1 libudev1-228-41.1 libudev1-32bit-228-41.1 nss-myhostname-228-41.1 nss-myhostname-32bit-228-41.1 nss-mymachines-228-41.1 systemd-228-41.1 systemd-32bit-228-41.1 systemd-bash-completion-228-41.1 systemd-devel-228-41.1 systemd-logger-228-41.1 systemd-mini-228-41.1 systemd-mini-bash-completion-228-41.1 systemd-mini-devel-228-41.1 systemd-mini-sysvinit-228-41.1 systemd-sysvinit-228-41.1 udev-228-41.1 udev-mini-228-41.1 libsystemd0-228-41.1 as a component of openSUSE Leap 42.3 libsystemd0-32bit-228-41.1 as a component of openSUSE Leap 42.3 libsystemd0-mini-228-41.1 as a component of openSUSE Leap 42.3 libudev-devel-228-41.1 as a component of openSUSE Leap 42.3 libudev-mini-devel-228-41.1 as a component of openSUSE Leap 42.3 libudev-mini1-228-41.1 as a component of openSUSE Leap 42.3 libudev1-228-41.1 as a component of openSUSE Leap 42.3 libudev1-32bit-228-41.1 as a component of openSUSE Leap 42.3 nss-myhostname-228-41.1 as a component of openSUSE Leap 42.3 nss-myhostname-32bit-228-41.1 as a component of openSUSE Leap 42.3 nss-mymachines-228-41.1 as a component of openSUSE Leap 42.3 systemd-228-41.1 as a component of openSUSE Leap 42.3 systemd-32bit-228-41.1 as a component of openSUSE Leap 42.3 systemd-bash-completion-228-41.1 as a component of openSUSE Leap 42.3 systemd-devel-228-41.1 as a component of openSUSE Leap 42.3 systemd-logger-228-41.1 as a component of openSUSE Leap 42.3 systemd-mini-228-41.1 as a component of openSUSE Leap 42.3 systemd-mini-bash-completion-228-41.1 as a component of openSUSE Leap 42.3 systemd-mini-devel-228-41.1 as a component of openSUSE Leap 42.3 systemd-mini-sysvinit-228-41.1 as a component of openSUSE Leap 42.3 systemd-sysvinit-228-41.1 as a component of openSUSE Leap 42.3 udev-228-41.1 as a component of openSUSE Leap 42.3 udev-mini-228-41.1 as a component of openSUSE Leap 42.3 In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource record to trigger an infinite loop in the dns_packet_read_type_window() function of the 'systemd-resolved' service and cause a DoS of the affected service. CVE-2017-15908 openSUSE Leap 42.3:libsystemd0-228-41.1 openSUSE Leap 42.3:libsystemd0-32bit-228-41.1 openSUSE Leap 42.3:libsystemd0-mini-228-41.1 openSUSE Leap 42.3:libudev-devel-228-41.1 openSUSE Leap 42.3:libudev-mini-devel-228-41.1 openSUSE Leap 42.3:libudev-mini1-228-41.1 openSUSE Leap 42.3:libudev1-228-41.1 openSUSE Leap 42.3:libudev1-32bit-228-41.1 openSUSE Leap 42.3:nss-myhostname-228-41.1 openSUSE Leap 42.3:nss-myhostname-32bit-228-41.1 openSUSE Leap 42.3:nss-mymachines-228-41.1 openSUSE Leap 42.3:systemd-228-41.1 openSUSE Leap 42.3:systemd-32bit-228-41.1 openSUSE Leap 42.3:systemd-bash-completion-228-41.1 openSUSE Leap 42.3:systemd-devel-228-41.1 openSUSE Leap 42.3:systemd-logger-228-41.1 openSUSE Leap 42.3:systemd-mini-228-41.1 openSUSE Leap 42.3:systemd-mini-bash-completion-228-41.1 openSUSE Leap 42.3:systemd-mini-devel-228-41.1 openSUSE Leap 42.3:systemd-mini-sysvinit-228-41.1 openSUSE Leap 42.3:systemd-sysvinit-228-41.1 openSUSE Leap 42.3:udev-228-41.1 openSUSE Leap 42.3:udev-mini-228-41.1 moderate 4.6 AV:L/AC:L/Au:S/C:N/I:N/A:C Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-01/msg00118.html https://www.suse.com/security/cve/CVE-2017-15908.html CVE-2017-15908 https://bugzilla.suse.com/1065276 SUSE Bug 1065276 In systemd prior to 234 a race condition exists between .mount and .automount units such that automount requests from kernel may not be serviced by systemd resulting in kernel holding the mountpoint and any processes that try to use said mount will hang. A race condition like this may lead to denial of service, until mount points are unmounted. CVE-2018-1049 openSUSE Leap 42.3:libsystemd0-228-41.1 openSUSE Leap 42.3:libsystemd0-32bit-228-41.1 openSUSE Leap 42.3:libsystemd0-mini-228-41.1 openSUSE Leap 42.3:libudev-devel-228-41.1 openSUSE Leap 42.3:libudev-mini-devel-228-41.1 openSUSE Leap 42.3:libudev-mini1-228-41.1 openSUSE Leap 42.3:libudev1-228-41.1 openSUSE Leap 42.3:libudev1-32bit-228-41.1 openSUSE Leap 42.3:nss-myhostname-228-41.1 openSUSE Leap 42.3:nss-myhostname-32bit-228-41.1 openSUSE Leap 42.3:nss-mymachines-228-41.1 openSUSE Leap 42.3:systemd-228-41.1 openSUSE Leap 42.3:systemd-32bit-228-41.1 openSUSE Leap 42.3:systemd-bash-completion-228-41.1 openSUSE Leap 42.3:systemd-devel-228-41.1 openSUSE Leap 42.3:systemd-logger-228-41.1 openSUSE Leap 42.3:systemd-mini-228-41.1 openSUSE Leap 42.3:systemd-mini-bash-completion-228-41.1 openSUSE Leap 42.3:systemd-mini-devel-228-41.1 openSUSE Leap 42.3:systemd-mini-sysvinit-228-41.1 openSUSE Leap 42.3:systemd-sysvinit-228-41.1 openSUSE Leap 42.3:udev-228-41.1 openSUSE Leap 42.3:udev-mini-228-41.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-01/msg00118.html https://www.suse.com/security/cve/CVE-2018-1049.html CVE-2018-1049 https://bugzilla.suse.com/1076308 SUSE Bug 1076308 https://bugzilla.suse.com/1140475 SUSE Bug 1140475