Security update for systemd

Announcement ID: SUSE-SU-2019:0426-1
Rating: important
CVSS scores:
  • CVE-2019-6454 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-6454 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-6454 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • Basesystem Module 15
  • SUSE Linux Enterprise Desktop 15
  • SUSE Linux Enterprise High Performance Computing 15
  • SUSE Linux Enterprise Server 15
  • SUSE Linux Enterprise Server for SAP Applications 15

An update that solves one vulnerability and has seven security fixes can now be installed.


This update for systemd fixes the following issues:

  • CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352)

  • units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)

  • logind: fix bad error propagation
  • login: log session state "closing" (as well as New/Removed)
  • logind: fix borked r check
  • login: don't remove all devices from PID1 when only one was removed
  • login: we only allow opening character devices
  • login: correct comment in session_device_free()
  • login: remember that fds received from PID1 need to be removed eventually
  • login: fix FDNAME in call to sd_pid_notify_with_fds()
  • logind: fd 0 is a valid fd
  • logind: rework sd_eviocrevoke()
  • logind: check file is device node before using .st_rdev
  • logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153)
  • core: add a new sd_notify() message for removing fds from the FD store again
  • logind: make sure we don't trip up on half-initialized session devices (bsc#1123727)
  • fd-util: accept that kcmp might fail with EPERM/EACCES
  • core: Fix use after free case in load_from_path() (bsc#1121563)
  • core: include Found state in device dumps
  • device: fix serialization and deserialization of DeviceFound
  • fix path in btrfs rule (#6844)
  • assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
  • Update systemd-system.conf.xml (bsc#1122000)
  • units: inform user that the default target is started after exiting from rescue or emergency mode
  • core: free lines after reading them (bsc#1123892)
  • sd-bus: if we receive an invalid dbus message, ignore and proceed
  • automount: don't pass non-blocking pipe to kernel.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • Basesystem Module 15
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-426=1

Package List:

  • Basesystem Module 15 (aarch64 ppc64le s390x x86_64)
    • udev-debuginfo-234-24.25.1
    • systemd-sysvinit-234-24.25.1
    • libsystemd0-234-24.25.1
    • systemd-container-debuginfo-234-24.25.1
    • systemd-devel-234-24.25.1
    • udev-234-24.25.1
    • systemd-coredump-234-24.25.1
    • systemd-debuginfo-234-24.25.1
    • systemd-coredump-debuginfo-234-24.25.1
    • libudev1-234-24.25.1
    • libsystemd0-debuginfo-234-24.25.1
    • libudev1-debuginfo-234-24.25.1
    • systemd-container-234-24.25.1
    • libudev-devel-234-24.25.1
    • systemd-debugsource-234-24.25.1
    • systemd-234-24.25.1
  • Basesystem Module 15 (noarch)
    • systemd-bash-completion-234-24.25.1
  • Basesystem Module 15 (x86_64)
    • systemd-32bit-234-24.25.1
    • libsystemd0-32bit-234-24.25.1
    • libsystemd0-32bit-debuginfo-234-24.25.1
    • libudev1-32bit-debuginfo-234-24.25.1
    • libudev1-32bit-234-24.25.1
    • systemd-32bit-debuginfo-234-24.25.1
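
To confirm the update is in place, the following added example (not part of the SUSE advisory) compares installed package versions against the fixed version-release 234-24.25.1 from the package list above. The function names, the tracked subset of packages and the sample input are assumptions made for illustration, and the comparison is a simplified form of rpm's ordering that ignores epochs and the ~ and ^ markers.

```python
import re

FIXED = "234-24.25.1"  # version-release from the advisory's package list
# Runtime packages from the advisory (debuginfo/devel/32bit variants omitted)
TRACKED = {"systemd", "systemd-sysvinit", "systemd-container",
           "systemd-coredump", "libsystemd0", "udev", "libudev1"}

def _cmp_part(a, b):
    """Segment-wise compare in the style of rpmvercmp (assumption: no ~ or ^)."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric compare, so 9 < 25
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # digits sort newer than letters
        if x != y:
            return -1 if x < y else 1
    # All shared segments equal: the string with segments left over is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings; epochs are assumed absent."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def unpatched(rpm_output, fixed=FIXED):
    """Return (name, installed) for tracked packages older than `fixed`."""
    stale = []
    for line in rpm_output.strip().splitlines():
        name, evr = line.split()
        if name in TRACKED and evr_cmp(evr, fixed) < 0:
            stale.append((name, evr))
    return stale

# Constructed sample, in the format produced by:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """
systemd 234-24.20.1
libsystemd0 234-24.25.1
udev 234-24.9.1
libudev1 234-24.25.1
bash 4.4-9.7.1
systemd-container 234-24.30.1
"""

if __name__ == "__main__":
    for name, evr in unpatched(SAMPLE):
        print(f"{name} {evr} is older than {FIXED}")
```

The udev line in the sample shows why the release must be compared numerically: as plain strings, 24.9.1 would sort after 24.25.1 and the package would be reported as patched.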