Fedora has issued an advisory on July 30: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IYGLFEKG45EYBJ7TPQMLWROWPTZBEU63/ It upgrades to 245.7 and has a bunch of other fixes, including rhbz#1830896, which I believe people have complained about on the dev mailing list. Mageia 7 is also affected (by the CVE).
Whiteboard: (none) => MGA7TOO
Systemd is another package without an evident maintainer; assigning this to you Stig because you did a few recent updates to it; please re-assign it if you want.
Assignee: bugsquad => smelror
Cauldron is updated to version 246. Should we do the same for MGA7? Cheers, Stig
Version: Cauldron => 7
Source RPM: systemd-245.6-3.mga8.src.rpm => systemd-241-8.5.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Does 246 have all the fixes from 245.7 and that Fedora update? Looking at their commit: https://src.fedoraproject.org/rpms/systemd/c/f984b3dafbace9f67e028b862503ac400bcadb93?branch=f32 I'm not seeing any new patches added even though the changelog entry references backported patches. As for Mageia 7, no, we should not update systemd. We should patch it.
Status comment: (none) => Patches available from upstream
Red Hat has issued an advisory for this on May 18: https://access.redhat.com/errata/RHSA-2021:1611 We can probably use their patch (it is for 239, and we have 241).
This would require patches 0458-0474 from: https://git.centos.org/rpms/systemd/c/21255d0f332409fa2f3e6966e18449a34c49d3b4?branch=c8 Works fine with a couple of minor adjustments until you get to 0469 and then it gets more difficult.
CC: (none) => tmb
Advisory:
========================

Updated systemd packages fix security vulnerability:

A flaw was found in systemd, where it mishandles numerical usernames beginning with decimal digits, or "0x" followed by hexadecimal digits. When the usernames are used by systemd, for example in service units, an unexpected user may be used instead. In some particular configurations, this flaw allows local attackers to elevate their privileges (CVE-2020-13776).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13776
https://access.redhat.com/errata/RHSA-2021:1611
========================

Updated packages in core/updates_testing:
========================
systemd-241-8.6.mga7
systemd-units-241-8.6.mga7
systemd-devel-241-8.6.mga7
systemd-tests-241-8.6.mga7
nss-myhostname-241-8.6.mga7
libsystemd0-241-8.6.mga7
libudev1-241-8.6.mga7
libudev-devel-241-8.6.mga7

from systemd-241-8.6.mga7.src.rpm
Status comment: Patches available from upstream => (none)
Assignee: smelror => qa-bugs
Using this for 2 days. System boots fine. systemctl, journalctl, timedatectl and hostnamectl commands work as designed. No regression. Creating a user with "0x2b3bfa0" as name and a correct UID of 1005 is seen correctly by tools as user "0x2b3bfa0" with 1005 as UID. Tools do not try to use the above hex number as a UID of 45334432. MGA7-64-OK Validating. Advisory pushed.
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-13776
Whiteboard: (none) => MGA7-64-OK
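For readers who want to see what the advisory's "unexpected user may be used" actually means, and what the QA test above was probing, here is an added, self-contained illustration in C. It is not systemd's code and not part of this bug report: it models two ways of turning a string from a unit file into a UID against a constructed passwd table (a stand-in for getpwnam). The lax variant asks strtoul with base 0 whether the string "is a number" before consulting the passwd table, so "0x2b3bfa0" becomes UID 45334432 and "0x0" becomes root; the strict variant treats only a bare run of decimal digits as a UID literal and otherwise looks the name up. The table entries, helper names and the UID_INVALID sentinel are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sentinel for "no such user"; (uid_t)-1 is never a valid UID. */
#define UID_INVALID ((uint32_t) 0xFFFFFFFFu)

/* Constructed passwd table for the example (stand-in for getpwnam). */
struct demo_pw { const char *name; uint32_t uid; };
static const struct demo_pw DEMO_PASSWD[] = {
    { "root",      0    },
    { "alice",     1000 },
    { "0x2b3bfa0", 1005 },   /* the user name created in the QA test */
};

static int lookup_by_name(const char *name, uint32_t *ret) {
    for (size_t i = 0; i < sizeof DEMO_PASSWD / sizeof DEMO_PASSWD[0]; i++) {
        if (strcmp(DEMO_PASSWD[i].name, name) == 0) {
            *ret = DEMO_PASSWD[i].uid;
            return 0;
        }
    }
    return -ENOENT;
}

/* Lax resolution (models the flaw class): decide "is this numeric?" with
 * strtoul(..., 0), which accepts leading whitespace, a sign, and 0x/0
 * prefixes. A name that happens to parse is never looked up by name. */
uint32_t resolve_lax(const char *s) {
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 0);
    if (errno == 0 && end != s && *end == '\0' && v < UID_INVALID)
        return (uint32_t) v;
    uint32_t uid;
    if (lookup_by_name(s, &uid) == 0)
        return uid;
    return UID_INVALID;
}

/* Strict UID literal: non-empty, ASCII decimal digits only, in range.
 * Returns 0 on success, -EINVAL for non-literals, -ERANGE for overflow. */
int parse_uid_strict(const char *s, uint32_t *ret) {
    if (*s == '\0')
        return -EINVAL;
    uint64_t v = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p < '0' || *p > '9')
            return -EINVAL;
        v = v * 10 + (uint64_t) (*p - '0');   /* v < 2^32 before the multiply, so no overflow */
        if (v >= UID_INVALID)
            return -ERANGE;
    }
    *ret = (uint32_t) v;
    return 0;
}

/* Strict resolution: only a bare decimal literal is a UID; anything else,
 * including "0x..." or " 1005", must exist as a name in the passwd table. */
uint32_t resolve_strict(const char *s) {
    uint32_t uid;
    if (parse_uid_strict(s, &uid) == 0)
        return uid;
    if (lookup_by_name(s, &uid) == 0)
        return uid;
    return UID_INVALID;
}

int main(void) {
    const char *inputs[] = { "0x2b3bfa0", "0x0", " 1005", "1005", "alice", "nobody-here" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-12s lax=%10u strict=%10u\n", inputs[i],
               resolve_lax(inputs[i]), resolve_strict(inputs[i]));
    return 0;
}
```

The strict parser deliberately still maps a purely decimal string such as "1005" to UID 1005 rather than to a user literally named "1005"; that is the reason user names consisting only of digits should be refused at account-creation time, which the example does not attempt to model.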
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0304.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED