Security update for systemd

Announcement ID: SUSE-SU-2017:2031-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2017-9217 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2017-9217 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-9217 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-9445 ( SUSE ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2017-9445 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-9445 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • SUSE Linux Enterprise Desktop 12 SP3
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • SUSE Linux Enterprise Software Bootstrap Kit 12 12-SP3
  • SUSE Linux Enterprise Software Development Kit 12 SP3

An update that solves two vulnerabilities and has 17 security fixes can now be installed.

Description:

This update for systemd provides several fixes and enhancements.

Security issues fixed:

  • CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614)
  • CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)

The update also fixed several non-security bugs:

  • core/mount: Use the "-c" flag to not canonicalize paths when calling /bin/umount
  • automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
  • automount: Rework propagation between automount and mount units
  • build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary
  • build: Fix systemd-journal-upload installation
  • basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
  • virt: Make sure some errors are not ignored
  • fstab-generator: Do not skip Before= ordering for noauto mountpoints
  • fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
  • core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
  • fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
  • job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
  • job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
  • rules: Export NVMe WWID udev attribute (bsc#1038865)
  • rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
  • rules: Add rules for NVMe devices
  • sysusers: Make group shadow support configurable (bsc#1029516)
  • core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
  • core: Introduce cg_mask_from_string()/cg_mask_to_string()
  • core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
  • Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files.
  • Disable group shadow support (bsc#1029516)
  • Only check signature job error if signature job exists (bsc#1043758)
  • Automounter issue in combination with NFS volumes (bsc#1040968)
  • Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
  • Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Software Bootstrap Kit 12 12-SP3
    zypper in -t patch SUSE-SLE-BSK-12-SP3-2017-1245=1
  • SUSE Linux Enterprise Desktop 12 SP3
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2017-1245=1
  • SUSE Linux Enterprise Software Development Kit 12 SP3
    zypper in -t patch SUSE-SLE-SDK-12-SP3-2017-1245=1
  • SUSE Linux Enterprise Server 12 SP3
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2017-1245=1
  • SUSE Linux Enterprise High Performance Computing 12 SP3
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2017-1245=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2017-1245=1

Package List:

  • SUSE Linux Enterprise Software Bootstrap Kit 12 12-SP3 (ppc64le s390x x86_64)
    • libudev-mini1-debuginfo-228-150.9.2
    • systemd-mini-debuginfo-228-150.9.2
    • udev-mini-228-150.9.2
    • systemd-mini-228-150.9.2
    • systemd-mini-debugsource-228-150.9.2
    • libudev-mini-devel-228-150.9.2
    • libudev-mini1-228-150.9.2
    • systemd-mini-devel-228-150.9.2
    • udev-mini-debuginfo-228-150.9.2
  • SUSE Linux Enterprise Desktop 12 SP3 (x86_64)
    • systemd-debuginfo-32bit-228-150.9.3
    • systemd-32bit-228-150.9.3
    • systemd-debugsource-228-150.9.3
    • udev-debuginfo-228-150.9.3
    • libudev1-debuginfo-228-150.9.3
    • systemd-debuginfo-228-150.9.3
    • systemd-228-150.9.3
    • libsystemd0-32bit-228-150.9.3
    • libudev1-32bit-228-150.9.3
    • libudev1-228-150.9.3
    • libsystemd0-debuginfo-228-150.9.3
    • libsystemd0-228-150.9.3
    • libudev1-debuginfo-32bit-228-150.9.3
    • udev-228-150.9.3
    • libsystemd0-debuginfo-32bit-228-150.9.3
    • systemd-sysvinit-228-150.9.3
  • SUSE Linux Enterprise Desktop 12 SP3 (noarch)
    • systemd-bash-completion-228-150.9.3
  • SUSE Linux Enterprise Software Development Kit 12 SP3 (aarch64 ppc64le s390x x86_64)
    • systemd-devel-228-150.9.3
    • libudev-devel-228-150.9.3
    • systemd-debugsource-228-150.9.3
    • systemd-debuginfo-228-150.9.3
  • SUSE Linux Enterprise Server 12 SP3 (aarch64 ppc64le s390x x86_64)
    • systemd-debugsource-228-150.9.3
    • udev-debuginfo-228-150.9.3
    • libudev1-debuginfo-228-150.9.3
    • systemd-debuginfo-228-150.9.3
    • systemd-228-150.9.3
    • libudev1-228-150.9.3
    • libsystemd0-debuginfo-228-150.9.3
    • libsystemd0-228-150.9.3
    • udev-228-150.9.3
    • systemd-sysvinit-228-150.9.3
  • SUSE Linux Enterprise Server 12 SP3 (noarch)
    • systemd-bash-completion-228-150.9.3
  • SUSE Linux Enterprise Server 12 SP3 (s390x x86_64)
    • systemd-debuginfo-32bit-228-150.9.3
    • systemd-32bit-228-150.9.3
    • libudev1-32bit-228-150.9.3
    • libsystemd0-32bit-228-150.9.3
    • libudev1-debuginfo-32bit-228-150.9.3
    • libsystemd0-debuginfo-32bit-228-150.9.3
  • SUSE Linux Enterprise High Performance Computing 12 SP3 (aarch64 x86_64)
    • systemd-debugsource-228-150.9.3
    • udev-debuginfo-228-150.9.3
    • libudev1-debuginfo-228-150.9.3
    • systemd-debuginfo-228-150.9.3
    • systemd-228-150.9.3
    • libudev1-228-150.9.3
    • libsystemd0-debuginfo-228-150.9.3
    • libsystemd0-228-150.9.3
    • udev-228-150.9.3
    • systemd-sysvinit-228-150.9.3
  • SUSE Linux Enterprise High Performance Computing 12 SP3 (noarch)
    • systemd-bash-completion-228-150.9.3
  • SUSE Linux Enterprise High Performance Computing 12 SP3 (x86_64)
    • systemd-debuginfo-32bit-228-150.9.3
    • systemd-32bit-228-150.9.3
    • libudev1-32bit-228-150.9.3
    • libsystemd0-32bit-228-150.9.3
    • libudev1-debuginfo-32bit-228-150.9.3
    • libsystemd0-debuginfo-32bit-228-150.9.3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3 (ppc64le x86_64)
    • systemd-debugsource-228-150.9.3
    • udev-debuginfo-228-150.9.3
    • libudev1-debuginfo-228-150.9.3
    • systemd-debuginfo-228-150.9.3
    • systemd-228-150.9.3
    • libudev1-228-150.9.3
    • libsystemd0-debuginfo-228-150.9.3
    • libsystemd0-228-150.9.3
    • udev-228-150.9.3
    • systemd-sysvinit-228-150.9.3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3 (noarch)
    • systemd-bash-completion-228-150.9.3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3 (x86_64)
    • systemd-debuginfo-32bit-228-150.9.3
    • systemd-32bit-228-150.9.3
    • libudev1-32bit-228-150.9.3
    • libsystemd0-32bit-228-150.9.3
    • libudev1-debuginfo-32bit-228-150.9.3
    • libsystemd0-debuginfo-32bit-228-150.9.3

References: