| Summary: | systemd new security issue CVE-2018-1049 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK MGA6-32-OK | | |
| Source RPM: | systemd-230-12.2.mga6.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2018-01-20 18:10:19 CET
Mageia 5 may be affected, but the code is a bit different, so I'll leave that for now.

Advisory:
========================

Updated systemd packages fix security vulnerability:

In systemd prior to 234 a race exists between .mount and .automount units such that automount requests from kernel may not be serviced by systemd resulting in kernel holding the mountpoint and any processes that try to use said mount will hang. A race like this may lead to denial of service, until mount points are unmounted (CVE-2018-1049).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1049
http://openwall.com/lists/oss-security/2018/01/19/8
========================

Updated packages in core/updates_testing:
========================
systemd-230-12.3.mga6
systemd-units-230-12.3.mga6
systemd-devel-230-12.3.mga6
nss-myhostname-230-12.3.mga6
libsystemd0-230-12.3.mga6
libudev1-230-12.3.mga6
libudev-devel-230-12.3.mga6

from systemd-230-12.3.mga6.src.rpm

Assignee: bugsquad => qa-bugs

Lewis Smith
2018-01-22 09:47:55 CET
Keywords: (none) => advisory

MGA6-32 on Dell Latitude D600 Mate
No installation issues
After reboot exercised usual set of functions (text images, etc...) in the period of some hours, no problems encountered.
OK for me.

Whiteboard: (none) => MGA6-32-OK

Mga6-64 Plasma on real hardware with an Intel Core2Duo, 8GB RAM, Intel graphics.

Installed this update, ran the usual apps. In an uninformed attempt to test the issue, I plugged a flash drive and an external hard drive into usb ports while Dolphin was running. Each was detected and shown in the Places window, and automounted when I clicked on it. Each also unmounted when I chose "safely remove..."

Nothing locked up, but then I've done this before, many times, and never saw a lockup, so perhaps this isn't a proper test. Anyway, I'm not seeing any problems.

CC: (none) => andrewsfarm

Mga6-64 on real hardware, Athlon X2 7750, 8GB, nvidia340 graphics, Atheros wifi.

Seems to check out on this hardware, as well. Giving it a 64-bit OK.

Whiteboard: MGA6-32-OK => MGA6-64-OK MGA6-32-OK

Same hardware as Comment 4, this time with a 32-bit Xfce system, server kernel. Looks OK.

M6/64
Used the system with this update without noticing any grief. Second the previous M6/64 OK. Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0094.html

Resolution: (none) => FIXED

RedHat has issued an advisory for this today (January 31):
https://access.redhat.com/errata/RHSA-2018:0260

Their patch for systemd 219:
https://git.centos.org/raw/rpms/systemd.git/99d80ac905364a56e7e1d3aba7071ce0da365c4a/SOURCES!0507-automount-ack-automount-requests-even-when-already-m.patch

Still doesn't cleanly apply to our 217 in Mageia 5.