openSUSE Security Update: Security update for systemd ______________________________________________________________________________ Announcement ID: openSUSE-SU-2016:1414-1 Rating: moderate References: #959886 #960158 #963230 #965897 #967122 #970423 #970860 #972612 #972727 #973848 #976766 #978275 Cross-References: CVE-2014-9770 CVE-2015-8842 Affected Products: openSUSE Leap 42.1 ______________________________________________________________________________ An update that solves two vulnerabilities and has 10 fixes is now available. Description: This update for SystemD provides fixes and enhancements. The following security issue has been fixed: - Don't allow read access to journal files to users. (bsc#972612, CVE-2014-9770, CVE-2015-8842) The following non-security issues have been fixed: - Restore initrd-udevadm-cleanup-db.service. (bsc#978275, bsc#976766) - Incorrect permissions set after boot on journal files. (bsc#973848) - Exclude device-mapper from block device ownership event locking. (bsc#972727) - Explicitly set mode for /run/log. - Don't apply sgid and executable bit to journal files, only the directories they are contained in. - Add ability to mask access mode by pre-existing access mode on files/directories. - No need to pass --all if inactive is explicitly requested in list-units. (bsc#967122) - Fix automount option and don't start associated mount unit at boot. (bsc#970423) - Support more than just power-gpio-key. (fate#318444, bsc#970860) - Add standard gpio power button support. (fate#318444, bsc#970860) - Downgrade warnings about wanted unit which are not found. (bsc#960158) - Shorten hostname before checking for trailing dot. (bsc#965897) - Remove WorkingDirectory parameter from emergency, rescue and console-shell.service. (bsc#959886) - Don't ship boot.udev and systemd-journald.init anymore. - Revert "log: honour the kernel's quiet cmdline argument". (bsc#963230) This update was imported from the SUSE:SLE-12-SP1:Update update project. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.1: zypper in -t patch openSUSE-2016-648=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Leap 42.1 (i586 x86_64): libgudev-1_0-0-210-92.1 libgudev-1_0-0-debuginfo-210-92.1 libgudev-1_0-devel-210-92.1 libudev-devel-210-92.1 libudev-mini-devel-210-92.1 libudev-mini1-210-92.1 libudev-mini1-debuginfo-210-92.1 libudev1-210-92.1 libudev1-debuginfo-210-92.1 nss-myhostname-210-92.1 nss-myhostname-debuginfo-210-92.1 systemd-210-92.1 systemd-debuginfo-210-92.1 systemd-debugsource-210-92.1 systemd-devel-210-92.1 systemd-journal-gateway-210-92.1 systemd-journal-gateway-debuginfo-210-92.1 systemd-logger-210-92.1 systemd-mini-210-92.1 systemd-mini-debuginfo-210-92.1 systemd-mini-debugsource-210-92.1 systemd-mini-devel-210-92.1 systemd-mini-sysvinit-210-92.1 systemd-sysvinit-210-92.1 typelib-1_0-GUdev-1_0-210-92.1 udev-210-92.1 udev-debuginfo-210-92.1 udev-mini-210-92.1 udev-mini-debuginfo-210-92.1 - openSUSE Leap 42.1 (noarch): systemd-bash-completion-210-92.1 - openSUSE Leap 42.1 (x86_64): libgudev-1_0-0-32bit-210-92.1 libgudev-1_0-0-debuginfo-32bit-210-92.1 libudev1-32bit-210-92.1 libudev1-debuginfo-32bit-210-92.1 nss-myhostname-32bit-210-92.1 nss-myhostname-debuginfo-32bit-210-92.1 systemd-32bit-210-92.1 systemd-debuginfo-32bit-210-92.1 References: https://www.suse.com/security/cve/CVE-2014-9770.html https://www.suse.com/security/cve/CVE-2015-8842.html https://bugzilla.suse.com/959886 https://bugzilla.suse.com/960158 https://bugzilla.suse.com/963230 https://bugzilla.suse.com/965897 https://bugzilla.suse.com/967122 https://bugzilla.suse.com/970423 https://bugzilla.suse.com/970860 https://bugzilla.suse.com/972612 https://bugzilla.suse.com/972727 https://bugzilla.suse.com/973848 https://bugzilla.suse.com/976766 https://bugzilla.suse.com/978275