Fedora has issued an advisory on November 21: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4NLJVOJMB6ANDILRLDZK26YGLYBEPHKY/ The issue is fixed upstream in 244. Mageia 7 is also affected.
Seems you are the best assignee for systemd, Thomas.
Assignee: bugsquad => tmb
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 243.4
Another security issue has been announced today (February 5): https://www.openwall.com/lists/oss-security/2020/02/05/1 The message above contains a link to the commit that fixes the issue.
Summary: systemd new security issue CVE-2018-21029 => systemd new security issues CVE-2018-21029 and CVE-2020-1712
Status comment: Fixed upstream in 243.4 => Fixed upstream in 243.4 plus upstream patch
Ubuntu has issued an advisory on February 5: https://usn.ubuntu.com/4269-1/ It fixes one new CVE.
Summary: systemd new security issues CVE-2018-21029 and CVE-2020-1712 => systemd new security issues CVE-2018-21029, CVE-2019-20386, CVE-2020-1712
Fedora has issued an advisory for this today (February 7): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FOV6CXHBHDGVDF65X54DA4VS7R6R3XIM/ The issues are fixed upstream in 243.6.
Status comment: Fixed upstream in 243.4 plus upstream patch => Fixed upstream in 243.6
Thomas has added patches in Cauldron from the 241 branch upstream, hopefully fixing these (please confirm).
Yeah, will try to review all this tomorrow along with the binutils update
CVE-2018-21029 only affects v243 and up.
CVE-2019-20386 and CVE-2020-1712 affect us and are fixed in the upstream -stable sync I did in Cauldron, so the same fixes are synced in here in systemd-241-8.5.mga7, currently building.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Packages to test:

SRPM:
systemd-241-8.5.mga7.src.rpm

i586:
libsystemd0-241-8.5.mga7.i586.rpm
libudev1-241-8.5.mga7.i586.rpm
libudev-devel-241-8.5.mga7.i586.rpm
nss-myhostname-241-8.5.mga7.i586.rpm
systemd-241-8.5.mga7.i586.rpm
systemd-devel-241-8.5.mga7.i586.rpm
systemd-tests-241-8.5.mga7.i586.rpm
systemd-units-241-8.5.mga7.i586.rpm

x86_64:
lib64systemd0-241-8.5.mga7.x86_64.rpm
lib64udev1-241-8.5.mga7.x86_64.rpm
lib64udev-devel-241-8.5.mga7.x86_64.rpm
nss-myhostname-241-8.5.mga7.x86_64.rpm
systemd-241-8.5.mga7.x86_64.rpm
systemd-devel-241-8.5.mga7.x86_64.rpm
systemd-tests-241-8.5.mga7.x86_64.rpm
systemd-units-241-8.5.mga7.x86_64.rpm
Assignee: tmb => qa-bugs
The Red Hat bug says CVE-2018-21029 affects 239 and up: https://bugzilla.redhat.com/show_bug.cgi?id=1771725
Ahh, upstream explains in the last comment that it's only really a vulnerability in 243: https://github.com/systemd/systemd/issues/9397
Advisory:
========================

Updated systemd packages fix security vulnerabilities:

It was discovered that systemd incorrectly handled certain udevadm trigger commands. A local attacker could possibly use this issue to cause systemd to consume resources, leading to a denial of service (CVE-2019-20386).

Tavis Ormandy discovered that systemd incorrectly handled certain Polkit queries. A local attacker could use this issue to cause systemd to crash, resulting in a denial of service, or possibly execute arbitrary code and escalate privileges (CVE-2020-1712).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20386
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1712
https://usn.ubuntu.com/4269-1/
On mga7-64 kernel-desktop plasma

packages installed cleanly:
- lib64systemd0-241-8.5.mga7.x86_64
- lib64udev1-241-8.5.mga7.x86_64
- nss-myhostname-241-8.5.mga7.x86_64
- systemd-241-8.5.mga7.x86_64
- systemd-units-241-8.5.mga7.x86_64

no regressions observed

looks OK for mga7 on this system:
Mobo: Dell model: 09WH54
Card: Intel HD Graphics 530
CPU: Quad core Intel Core i7-6700 (-HT-MCP-)
CC: (none) => jim
Installed and tested without issues.

Tested for several days of desktop usage. No regressions noticed.

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary drivers.

$ uname -a
Linux marte 5.5.4-desktop-1.mga7 #1 SMP Sat Feb 15 08:41:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep 241 | sort
lib64systemd0-241-8.5.mga7
lib64udev1-241-8.5.mga7
lib64udev-devel-241-8.5.mga7
libsystemd0-241-8.5.mga7
libudev1-241-8.5.mga7
nss-myhostname-241-8.5.mga7
systemd-241-8.5.mga7
systemd-devel-241-8.5.mga7
systemd-units-241-8.5.mga7
CC: (none) => mageia
Installed and tested without issues on a QEMU/KVM VM.

Tested for several hours of desktop usage. No regressions noticed.

System: Mageia 7, x86_64, LXQt DE, virtio drivers.
Host system: see comment 13.

$ uname -a
Linux marte-vm-mageia-7 5.5.4-desktop-1.mga7 #1 SMP Sat Feb 15 08:41:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep 241 | sort
lib64systemd0-241-8.5.mga7
lib64udev1-241-8.5.mga7
lib64udev-devel-241-8.5.mga7
libsystemd0-241-8.4.mga7
nss-myhostname-241-8.5.mga7
systemd-241-8.5.mga7
systemd-devel-241-8.5.mga7
systemd-units-241-8.5.mga7
MGA7-64 Plasma on Lenovo B50
No installation issues. After reboot all seems normal (wifi connection, internet, local files).
Waiting OK for someone else on other HW or DE.
CC: (none) => herman.viaene
HP Probook 6550b, i3, 8GB RAM, Intel graphics, Intel wifi, 32-bit Xfce system running the server kernel. Updated systemd onto kernel-server 5.4.17. All packages installed cleanly. Rebooted to a working desktop, no obvious issues. Updated to kernel-server 5.5.4, and again rebooted to a working desktop, no obvious issues. Giving this an OK on both arches, and validating. Advisory in Comment 11.
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK MGA7-32-OK
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0094.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED