openSUSE Security Update: Security update for systemd ______________________________________________________________________________
Announcement ID: openSUSE-SU-2016:1414-1 Rating: moderate References: #959886 #960158 #963230 #965897 #967122 #970423 #970860 #972612 #972727 #973848 #976766 #978275
Cross-References: CVE-2014-9770 CVE-2015-8842 Affected Products: openSUSE Leap 42.1 ______________________________________________________________________________
An update that solves two vulnerabilities and has 10 fixes is now available.
Description:
This update for SystemD provides fixes and enhancements.
The following security issue has been fixed:
- Don't allow read access to journal files to users. (bsc#972612, CVE-2014-9770, CVE-2015-8842)
The following non-security issues have been fixed:
- Restore initrd-udevadm-cleanup-db.service. (bsc#978275, bsc#976766) - Incorrect permissions set after boot on journal files. (bsc#973848) - Exclude device-mapper from block device ownership event locking. (bsc#972727) - Explicitly set mode for /run/log. - Don't apply sgid and executable bit to journal files, only the directories they are contained in. - Add ability to mask access mode by pre-existing access mode on files/directories. - No need to pass --all if inactive is explicitly requested in list-units. (bsc#967122) - Fix automount option and don't start associated mount unit at boot. (bsc#970423) - Support more than just power-gpio-key. (fate#318444, bsc#970860) - Add standard gpio power button support. (fate#318444, bsc#970860) - Downgrade warnings about wanted unit which are not found. (bsc#960158) - Shorten hostname before checking for trailing dot. (bsc#965897) - Remove WorkingDirectory parameter from emergency, rescue and console-shell.service. (bsc#959886) - Don't ship boot.udev and systemd-journald.init anymore. - Revert "log: honour the kernel's quiet cmdline argument". (bsc#963230)
This update was imported from the SUSE:SLE-12-SP1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- openSUSE Leap 42.1:
zypper in -t patch openSUSE-2016-648=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.1 (i586 x86_64):
libgudev-1_0-0-210-92.1 libgudev-1_0-0-debuginfo-210-92.1 libgudev-1_0-devel-210-92.1 libudev-devel-210-92.1 libudev-mini-devel-210-92.1 libudev-mini1-210-92.1 libudev-mini1-debuginfo-210-92.1 libudev1-210-92.1 libudev1-debuginfo-210-92.1 nss-myhostname-210-92.1 nss-myhostname-debuginfo-210-92.1 systemd-210-92.1 systemd-debuginfo-210-92.1 systemd-debugsource-210-92.1 systemd-devel-210-92.1 systemd-journal-gateway-210-92.1 systemd-journal-gateway-debuginfo-210-92.1 systemd-logger-210-92.1 systemd-mini-210-92.1 systemd-mini-debuginfo-210-92.1 systemd-mini-debugsource-210-92.1 systemd-mini-devel-210-92.1 systemd-mini-sysvinit-210-92.1 systemd-sysvinit-210-92.1 typelib-1_0-GUdev-1_0-210-92.1 udev-210-92.1 udev-debuginfo-210-92.1 udev-mini-210-92.1 udev-mini-debuginfo-210-92.1
- openSUSE Leap 42.1 (noarch):
systemd-bash-completion-210-92.1
- openSUSE Leap 42.1 (x86_64):
libgudev-1_0-0-32bit-210-92.1 libgudev-1_0-0-debuginfo-32bit-210-92.1 libudev1-32bit-210-92.1 libudev1-debuginfo-32bit-210-92.1 nss-myhostname-32bit-210-92.1 nss-myhostname-debuginfo-32bit-210-92.1 systemd-32bit-210-92.1 systemd-debuginfo-32bit-210-92.1
References:
https://www.suse.com/security/cve/CVE-2014-9770.html https://www.suse.com/security/cve/CVE-2015-8842.html https://bugzilla.suse.com/959886 https://bugzilla.suse.com/960158 https://bugzilla.suse.com/963230 https://bugzilla.suse.com/965897 https://bugzilla.suse.com/967122 https://bugzilla.suse.com/970423 https://bugzilla.suse.com/970860 https://bugzilla.suse.com/972612 https://bugzilla.suse.com/972727 https://bugzilla.suse.com/973848 https://bugzilla.suse.com/976766 https://bugzilla.suse.com/978275