CVEs have been assigned for a local denial of service issue in systemd: http://openwall.com/lists/oss-security/2016/09/30/1 If I understand correctly, CVE-2016-7795 affects Cauldron and CVE-2016-7796 affects Mageia 5. I don't know of a fix for CVE-2016-7795, but I see some references at the bottom of the upstream issue [1] of NixOS adding fixes from upstream (not sure for which issue, as I'm not sure which systemd version they have). They did reference an upstream pull request [2] with a possible fix for CVE-2016-7796. [1] - https://github.com/systemd/systemd/issues/4234 [2] - https://github.com/systemd/systemd/pull/4240
Ubuntu has issued an advisory for this on September 29: http://www.ubuntu.com/usn/usn-3094-1/ That should include a fix for CVE-2016-7795.
URL: (none) => http://lwn.net/Vulnerabilities/702225/
Updated in cauldron with upstream cherry picks (four patches, but only three strictly needed). I've also written a backported patch for MGA5. I think it's right, but I've not tested it so this should certainly be done with care before pushing to updates!
LWN reference for CVE-2016-7796: http://lwn.net/Vulnerabilities/703125/
Colin, what is the status of this?
I've been using systemd-217-11.2.mga5 since it was built Mon 03 Oct. Is this ready to assign to qa? Advisory needed too.
CC: (none) => davidwhodgins
CC: (none) => mageiaAssignee: mageia => qa-bugs
Advisory: ================ Updated systemd packages fix security vulnerability: Andrew Ayer discovered that Systemd improperly handled zero-length notification messages. A local unprivileged attacker could use this to cause a denial of service (init crash leading to system unavailability) (CVE-2016-7795). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7795 http://www.ubuntu.com/usn/usn-3094-1/ ================ Updated packages in core/updates_testing: ================ libgudev-gir1.0-217-11.2.mga5 libgudev1.0-devel-217-11.2.mga5 libgudev1.0_0-217-11.2.mga5 libsystemd0-217-11.2.mga5 libudev-devel-217-11.2.mga5 libudev1-217-11.2.mga5 nss-myhostname-217-11.2.mga5 python-systemd-217-11.2.mga5 systemd-217-11.2.mga5 systemd-devel-217-11.2.mga5 systemd-units-217-11.2.mga5 from systemd-217-11.2.mga5.src.rpm
Version: Cauldron => 5
On mga5-64 Updates installed: - lib64gudev1.0_0-217-11.2.mga5.x86_64 - lib64systemd0-217-11.2.mga5.x86_64 - lib64udev1-217-11.2.mga5.x86_64 - nss-myhostname-217-11.2.mga5.x86_64 - systemd-217-11.2.mga5.x86_64 - systemd-units-217-11.2.mga5.x86_64 Packages installed cleanly After normal running for 6 hours, no regressions noted $ NOTIFY_SOCKET=/run/systemd/notify systemd-notify "" Failed to notify init system: Connection refused Which, IIUC, means that the vulnerability has been fixed. OK for mga5-64 Do we need more testing before marking this as OK for mga5-64?
CC: (none) => jim
I know that I and at least a few others have been running this for weeks with no issue (in my case on both architectures). As long as the PoC no longer works, this can be validated.
On mga5-32 Updates installed: - libgudev1.0_0-217-11.2.mga5.i586 - libsystemd0-217-11.2.mga5.i586 - libudev1-217-11.2.mga5.i586 - nss-myhostname-217-11.2.mga5.i586 - systemd-217-11.2.mga5.i586 - systemd-units-217-11.2.mga5.i586 Packages installed cleanly No regressions noted. $ NOTIFY_SOCKET=/run/systemd/notify systemd-notify "" $ The lack of a response I take to mean that the vulnerability has been fixed. Before the update that command caused the system to become unresponsive. OK for mga5-32
This update is now validated. The advisory needs to be uploaded to SVN The packages can then be pushed to updates.
Keywords: (none) => validated_updateWhiteboard: (none) => MGA5-64-OK MGA5-32-OKCC: (none) => sysadmin-bugs
x86_64 real hardware. I was just about to ask if it was safe to run. A reboot I guess? Here goes.
CC: (none) => tarazed25
$ NOTIFY_SOCKET=/run/systemd/notify systemd-notify "" NOTIFY_SOCKET=/run/systemd/notify: Command not found. $ sudo /run/systemd/notify systemd-notify "" sudo: /run/systemd/notify: command not found $ sudo NOTIFY-SOCKET=/run/systemd/notify systemd-notify "" However, I have just checked the versions and find that the updates are in place. No memory of having done that. So it is also good for 64-bits.
Just noticed that James had already OKd it.
Advisory uploaded as per Comment 6.
CC: (none) => lewyssmithWhiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0380.html
Status: NEW => RESOLVEDResolution: (none) => FIXED