Security update for systemd

SUSE Security Update: Security update for systemd
Announcement ID: SUSE-SU-2017:1773-1
Rating: moderate
References: #1004995 #1029102 #1029516 #1036873 #1038865 #1040258 #1040614 #1040942 #1043758 #982303
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 12-SP2
  • SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
  • SUSE Linux Enterprise Server 12-SP2
  • SUSE Linux Enterprise Desktop 12-SP2
  • OpenStack Cloud Magnum Orchestration 7

  • An update that solves one vulnerability and has 9 fixes is now available.

    Description:

    This update for systemd fixes the following issues:

    Security issue fixed:

    - CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that
    could lead to resolved aborting (bsc#1040614)

    The update also fixed several non-security bugs:

    - core/mount: Use the "-c" flag to not canonicalize paths when calling
    /bin/umount
    - automount: Handle expire_tokens when the mount unit changes its state
    (bsc#1040942)
    - automount: Rework propagation between automount and mount units
    - build: Make sure tmpfiles.d/systemd-remote.conf get installed when
    necessary
    - build: Fix systemd-journal-upload installation
    - basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
    - virt: Make sure some errors are not ignored
    - fstab-generator: Do not skip Before= ordering for noauto mountpoints
    - fstab-gen: Do not convert device timeout into seconds when initializing
    JobTimeoutSec
    - core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
    - fstab-generator: Apply the _netdev option also to device units
    (bsc#1004995)
    - job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
    - job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
    - rules: Export NVMe WWID udev attribute (bsc#1038865)
    - rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
    - rules: Add rules for NVMe devices
    - sysusers: Make group shadow support configurable (bsc#1029516)
    - core: When deserializing a unit, fully restore its cgroup state
    (bsc#1029102)
    - core: Introduce cg_mask_from_string()/cg_mask_to_string()
    - core:execute: Fix handling failures of calling fork() in exec_spawn()
    (bsc#1040258)
    - Fix systemd-sysv-convert when a package starts shipping service units
    (bsc#982303) The database might be missing when upgrading a package
    which was shipping no sysv init scripts nor unit files (at the time
    --save was called) but the new version start shipping unit files.
    - Disable group shadow support (bsc#1029516)
    - Only check signature job error if signature job exists (bsc#1043758)

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Software Development Kit 12-SP2:
      zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-1104=1
    • SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
      zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-1104=1
    • SUSE Linux Enterprise Server 12-SP2:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-1104=1
    • SUSE Linux Enterprise Desktop 12-SP2:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-1104=1
    • OpenStack Cloud Magnum Orchestration 7:
      zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-1104=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):
      • libudev-devel-228-149.3
      • systemd-debuginfo-228-149.3
      • systemd-debugsource-228-149.3
      • systemd-devel-228-149.3
    • SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
      • libsystemd0-228-149.3
      • libsystemd0-debuginfo-228-149.3
      • libudev1-228-149.3
      • libudev1-debuginfo-228-149.3
      • systemd-228-149.3
      • systemd-debuginfo-228-149.3
      • systemd-debugsource-228-149.3
      • systemd-sysvinit-228-149.3
      • udev-228-149.3
      • udev-debuginfo-228-149.3
    • SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (noarch):
      • systemd-bash-completion-228-149.3
    • SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
      • libsystemd0-228-149.3
      • libsystemd0-debuginfo-228-149.3
      • libudev1-228-149.3
      • libudev1-debuginfo-228-149.3
      • systemd-228-149.3
      • systemd-debuginfo-228-149.3
      • systemd-debugsource-228-149.3
      • systemd-sysvinit-228-149.3
      • udev-228-149.3
      • udev-debuginfo-228-149.3
    • SUSE Linux Enterprise Server 12-SP2 (noarch):
      • systemd-bash-completion-228-149.3
    • SUSE Linux Enterprise Server 12-SP2 (x86_64):
      • libsystemd0-32bit-228-149.3
      • libsystemd0-debuginfo-32bit-228-149.3
      • libudev1-32bit-228-149.3
      • libudev1-debuginfo-32bit-228-149.3
      • systemd-32bit-228-149.3
      • systemd-debuginfo-32bit-228-149.3
    • SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
      • libsystemd0-228-149.3
      • libsystemd0-32bit-228-149.3
      • libsystemd0-debuginfo-228-149.3
      • libsystemd0-debuginfo-32bit-228-149.3
      • libudev1-228-149.3
      • libudev1-32bit-228-149.3
      • libudev1-debuginfo-228-149.3
      • libudev1-debuginfo-32bit-228-149.3
      • systemd-228-149.3
      • systemd-32bit-228-149.3
      • systemd-debuginfo-228-149.3
      • systemd-debuginfo-32bit-228-149.3
      • systemd-debugsource-228-149.3
      • systemd-sysvinit-228-149.3
      • udev-228-149.3
      • udev-debuginfo-228-149.3
    • SUSE Linux Enterprise Desktop 12-SP2 (noarch):
      • systemd-bash-completion-228-149.3
    • OpenStack Cloud Magnum Orchestration 7 (x86_64):
      • libsystemd0-228-149.3
      • libsystemd0-debuginfo-228-149.3
      • libudev1-228-149.3
      • libudev1-debuginfo-228-149.3
      • systemd-228-149.3
      • systemd-debuginfo-228-149.3
      • systemd-debugsource-228-149.3
      • systemd-sysvinit-228-149.3
      • udev-228-149.3
      • udev-debuginfo-228-149.3

    References: