[ubuntu/xenial-security] systemd 229-4ubuntu21.1 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Mon Feb 5 18:01:42 UTC 2018
systemd (229-4ubuntu21.1) xenial-security; urgency=medium

  * SECURITY UPDATE: remote DoS in resolved (LP: #1725351)
    - debian/patches/CVE-2017-15908.patch: fix loop on packets with pseudo
      dns types in src/resolve/resolved-dns-packet.c.
    - CVE-2017-15908
  * SECURITY UPDATE: access to automounted volumes can lock up
    (LP: #1709649)
    - debian/patches/CVE-2018-1049.patch: ack automount requests even when
      already mounted in src/core/automount.c.
    - CVE-2018-1049
systemd (229-4ubuntu21) xenial; urgency=medium

  * networkd: do not unconditionally apply NOARP.
  * networkd: fix size of MTUBytes so that it does not overwrite ARP.
  * Fixes regression-updates LP: #1727301
systemd (229-4ubuntu20) xenial; urgency=medium

  * resolved: recognize DNS names with more than one trailing dot as invalid
    (LP: #1600000)
  * Ignore failures to set Nice priority on services in containers.
    (LP: #1709536)
  * networkd: accept `:' in ifnames in systemd/networkd. (LP: #1714933)
  * initramfs-tools: trigger udevadm add actions with subsystems first.
    (LP: #1713536)
  * networkd: Add support to set STP value on a bridge. (LP: #1665088)
  * networkd: add support for AgeingTimeSec, Priority and DefaultPVID settings.
    (LP: #1715131)
    - Drop cherrypick of uint16 config parser, superseded by above commit.
  * networkd: add support to set ActiveSlave and PrimarySlave. (LP: #1709135)
    - networkd: add support to configure ARP, dependency of Primary/ActiveSlave.
systemd (229-4ubuntu19) xenial; urgency=medium

  * debian/extra/units/systemd-resolved.service.d/resolvconf.conf: partially
    revert, by removing ExecStart|StopPost lines, as these are not needed on
    xenial and generate warnings in the journal. (LP: #1704677)
systemd (229-4ubuntu18) xenial; urgency=medium

  * debian/extra/units/systemd-resolved.service.d/resolvconf.conf: if resolved
    is going to be started, make sure this blocks network-online.target.
    (LP: #1673860)
  * networkd: cherry-pick support for setting bridge port's priority
    (LP: #1668347)
  * Cherrypick upstream commit to enable the system to use the kernel maximum
    limit for RLIMIT_NOFILE instead of the hard-coded (low) limit of 65536.
    (LP: #1686361)
  * Cherrypick upstream patch for platform predictable interface names.
    (LP: #1686784)
  * resolved: fix null pointer dereference crash (LP: #1621396)
  * Cherrypick core/timer downgrade message about random time addition
    (LP: #1692136)
  * SECURITY UPDATE: Out-of-bounds write in systemd-resolved (LP: #1695546)
    - CVE-2017-9445
  * Cherry-pick subset of patches to introduce infinity value in logind.conf
    for UserTasksMax (LP: #1651518)
systemd (229-4ubuntu17) xenial; urgency=medium

  * Make systemd-networkd-resolvconf-update.{service,path} run earlier
    to ensure DNS is configured prior to reaching network-online.target.
    (LP: #1649931)
systemd (229-4ubuntu16) xenial; urgency=medium

  * d/p/0001-libudev-util-change-util_replace_whitespace-to-retur.patch,
    d/p/0002-udev-event-add-replace_whitespace-param-to-udev_even.patch,
    d/p/0003-udev-rules-perform-whitespace-replacement-for-symlin.patch:
    Cherry-pick upstream fixes from Dan Streetman <ddstreet at ieee.org> to
    fix by-id symlinks for devices whose IDs contain whitespace.
    LP: #1647485.
systemd (229-4ubuntu13) xenial; urgency=medium

  [ Martin Pitt ]
  * Backport graphical-session{,-pre}.target user units, for future usage from
    snaps. (LP: #1640293)
  * debian/rules: Clean up *.busname units. They are useless in 16.04 as they
    will always be "condition failed" as kdbus has never existed. But they add
    ordering constraints which make it impossible to start
    systemd-networkd.service during early boot, which is an upcoming
    requirement for cloud-init. (Part of LP: #1636912)
  * Drop systemd-networkd's "After=dbus.service" ordering so that it can start
    during early boot (for cloud-init.service). It will auto-connect to D-Bus
    once it becomes available later, and transient (from DHCP) hostname and
    timezone setting do not work in 16.04 anyway. (LP: #1636912)

  [ Dan Streetman ]
  * rules: introduce disk/by-id (wwid and model_serial) symlinks
    for NVMe drives (LP: #1642903)
systemd (229-4ubuntu12) xenial; urgency=medium

  * unit: send change signal before removing the unit if necessary
    (LP: #1632964)
  * networkd: Fix assertion crash on adding VTI with IPv6 addresses
    (LP: #1633274)
  * systemd-networkd-resolvconf-update.service: Propagate search domains
    (LP: #1635256)
systemd (229-4ubuntu11) xenial; urgency=medium

  * 73-usb-net-by-mac.rules: Split kernel command line import line.
    Reportedly this makes the rule actually work on some platforms. Thanks
    Alp Toker! (LP: #1593379)
  * fsckd: Do not exit on idle timeout if there are still clients connected
    (Closes: #788050, LP: #1547844)
  * libnss-*.prerm: Remove possible [key=value] options from NSS modules as
    well. (LP: #1625584)
  * Backport networkd 231. Compared to 229 this has a lot of fixes, some of
    which we need for good netplan support. Backporting them individually
    would be a lot more work and a lot less robust, and we did not use/support
    networkd in 16.04 so far. Drop the other network related patches as they
    are included in this backport now. (LP: #1627641)
  * debian/tests/networkd: Re-enable the DHCPv6 tests. The DHCPv6
    behaviour is fixed with the above backport now.
  * pid1: process zero-length notification messages again. Just remove the
    assertion, the "n" value was not used anyway. This fixes a local DoS due
    to unprocessed/unclosed fds which got introduced by the previous fix.
    (LP: #1628687)
  * pid1: Robustify manager_dispatch_notify_fd(). If
    manager_dispatch_notify_fd() fails and returns an error then the handling
    of service notifications will be disabled entirely leading to a
    compromised system. (side issue of LP: #1628687)
Date: 2018-02-01 14:15:19.632824+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu21.1