   openSUSE Security Update: Security update for systemd
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2018:0560-1
Rating:             moderate
References:         #1057974 #1068588 #1071224 #1071311 #1075801 #1077925
Cross-References:   CVE-2017-18078
Affected Products:
                    openSUSE Leap 42.3
______________________________________________________________________________

   An update that solves one vulnerability and has 5 fixes is now available.

Description:

   This update for systemd fixes the following issues:

   Security issue fixed:

   - CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are
     hardlinked, unless protected_hardlinks sysctl is on. This could be used
     by local attackers to gain privileges (bsc#1077925)

   Non Security issues fixed:

   - core: use id unit when retrieving unit file state (#8038) (bsc#1075801)
   - cryptsetup-generator: run cryptsetup service before swap unit (#5480)
   - udev-rules: all values can contain escaped double quotes now (#6890)
   - strv: fix buffer size calculation in strv_join_quoted()
   - tmpfiles: change ownership of symlinks too
   - stdio-bridge: Correctly propagate error
   - stdio-bridge: remove dead code
   - remove bus-proxyd (bsc#1057974)
   - core/timer: Prevent timer looping when unit cannot start (bsc#1068588)
   - Make systemd-timesyncd use the openSUSE NTP servers by default
     Previously systemd-timesyncd used the Google Public NTP servers
     time{1..4}.google.com
   - Don't ship /usr/lib/systemd/system/tmp.mnt at all (bsc#1071224)
     But we still ship a copy in /var. Users who want to use tmpfs on /tmp
     are supposed to add a symlink in /etc/ pointing to the copy shipped in
     /var. To support the update path we automatically create the symlink
     if tmp.mount in use is located in /usr.
   - Enable systemd-networkd on Leap distros only (bsc#1071311)

   This update was imported from the SUSE:SLE-12-SP2:Update update project.


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.3:

      zypper in -t patch openSUSE-2018-216=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE Leap 42.3 (i586 x86_64):

      libsystemd0-228-44.1
      libsystemd0-debuginfo-228-44.1
      libsystemd0-mini-228-44.1
      libsystemd0-mini-debuginfo-228-44.1
      libudev-devel-228-44.1
      libudev-mini-devel-228-44.1
      libudev-mini1-228-44.1
      libudev-mini1-debuginfo-228-44.1
      libudev1-228-44.1
      libudev1-debuginfo-228-44.1
      nss-myhostname-228-44.1
      nss-myhostname-debuginfo-228-44.1
      nss-mymachines-228-44.1
      nss-mymachines-debuginfo-228-44.1
      systemd-228-44.1
      systemd-debuginfo-228-44.1
      systemd-debugsource-228-44.1
      systemd-devel-228-44.1
      systemd-logger-228-44.1
      systemd-mini-228-44.1
      systemd-mini-debuginfo-228-44.1
      systemd-mini-debugsource-228-44.1
      systemd-mini-devel-228-44.1
      systemd-mini-sysvinit-228-44.1
      systemd-sysvinit-228-44.1
      udev-228-44.1
      udev-debuginfo-228-44.1
      udev-mini-228-44.1
      udev-mini-debuginfo-228-44.1

   - openSUSE Leap 42.3 (noarch):

      systemd-bash-completion-228-44.1
      systemd-mini-bash-completion-228-44.1

   - openSUSE Leap 42.3 (x86_64):

      libsystemd0-32bit-228-44.1
      libsystemd0-debuginfo-32bit-228-44.1
      libudev1-32bit-228-44.1
      libudev1-debuginfo-32bit-228-44.1
      nss-myhostname-32bit-228-44.1
      nss-myhostname-debuginfo-32bit-228-44.1
      systemd-32bit-228-44.1
      systemd-debuginfo-32bit-228-44.1


References:

   https://www.suse.com/security/cve/CVE-2017-18078.html
   https://bugzilla.suse.com/1057974
   https://bugzilla.suse.com/1068588
   https://bugzilla.suse.com/1071224
   https://bugzilla.suse.com/1071311
   https://bugzilla.suse.com/1075801
   https://bugzilla.suse.com/1077925
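
The behaviour described for the CVE-2017-18078 fix above (refuse to chmod() a hardlinked file unless protected_hardlinks is on), sketched as an added example. This is not systemd's code or part of the original advisory; the names safe_chmod, protected_hardlinks and demo and the /tmp/hl-demo-* path are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if the sysctl file reads "1"; 0 if it is off or unreadable (fail closed). */
int protected_hardlinks(const char *sysctl_path) {
    FILE *f = fopen(sysctl_path, "r");
    int c = f ? fgetc(f) : EOF;
    if (f) fclose(f);
    return c == '1';
}

/* chmod() that refuses a non-directory with extra hard links unless the sysctl
 * is on. The link count is read from the same open fd that gets changed. */
int safe_chmod(const char *path, mode_t mode, int protected_on) {
    struct stat st;
    int r = -1, fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0) {
        int refuse = !S_ISDIR(st.st_mode) && st.st_nlink > 1 && !protected_on;
        if (refuse) errno = EPERM; else r = fchmod(fd, mode);
    }
    close(fd);
    return r;
}

/* Constructed scenario: a temp file with a second hard link. Result bits:
 * 1 = refused (linked, sysctl off), 2 = allowed (sysctl on), 4 = allowed (unlinked). */
int demo(void) {
    char a[] = "/tmp/hl-demo-XXXXXX", b[64];
    int fd = mkstemp(a), bits = 0;
    if (fd < 0) return -1;
    close(fd);
    snprintf(b, sizeof b, "%s.lnk", a);
    if (link(a, b) < 0) { unlink(a); return -1; }
    bits |= (safe_chmod(a, 0600, 0) < 0) << 0;
    bits |= (safe_chmod(a, 0600, 1) == 0) << 1;
    unlink(b);
    bits |= (safe_chmod(a, 0600, 0) == 0) << 2;
    unlink(a);
    return bits;
}

int main(void) {
    /* Prints the live sysctl state and the demo result bits. */
    return printf("%d %d\n", protected_hardlinks("/proc/sys/fs/protected_hardlinks"), demo()) < 0;
}
```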