Security update for systemd

Announcement ID: SUSE-SU-2019:1364-2
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2019-3842 ( SUSE ): 4.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
  • CVE-2019-3842 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-3842 ( NVD ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-3843 ( SUSE ): 4.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
  • CVE-2019-3843 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-3843 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-3844 ( SUSE ): 4.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
  • CVE-2019-3844 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-3844 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-6454 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-6454 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-6454 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • Basesystem Module 15-SP1
  • SUSE Linux Enterprise Desktop 15 SP1
  • SUSE Linux Enterprise High Performance Computing 15 SP1
  • SUSE Linux Enterprise Real Time 15 SP1
  • SUSE Linux Enterprise Server 15 SP1
  • SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
  • SUSE Manager Proxy 4.0
  • SUSE Manager Retail Branch Server 4.0
  • SUSE Manager Server 4.0

An update that solves four vulnerabilities, contains one feature and has nine security fixes can now be installed.

Description:

This update for systemd fixes the following issues:

Security issues fixed:

  • CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348).
  • CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352).
  • CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509).

Non-security issued fixed:

  • logind: fix killing of scopes (bsc#1125604)
  • namespace: make MountFlags=shared work again (bsc#1124122)
  • rules: load drivers only on "add" events (bsc#1126056)
  • sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
  • systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933)
  • udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
  • sd-bus: bump message queue size again (bsc#1132721)
  • Do not automatically online memory on s390x (bsc#1127557)
  • Removed sg.conf (bsc#1036463)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • Basesystem Module 15-SP1
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-1364=1

Package List:

  • Basesystem Module 15-SP1 (aarch64 ppc64le s390x x86_64)
    • systemd-container-234-24.30.1
    • systemd-debugsource-234-24.30.1
    • libsystemd0-234-24.30.1
    • systemd-devel-234-24.30.1
    • libudev1-234-24.30.1
    • systemd-coredump-234-24.30.1
    • libsystemd0-debuginfo-234-24.30.1
    • systemd-coredump-debuginfo-234-24.30.1
    • systemd-debuginfo-234-24.30.1
    • udev-234-24.30.1
    • udev-debuginfo-234-24.30.1
    • systemd-sysvinit-234-24.30.1
    • libudev-devel-234-24.30.1
    • systemd-234-24.30.1
    • libudev1-debuginfo-234-24.30.1
    • systemd-container-debuginfo-234-24.30.1
  • Basesystem Module 15-SP1 (noarch)
    • systemd-bash-completion-234-24.30.1
  • Basesystem Module 15-SP1 (x86_64)
    • libudev1-32bit-debuginfo-234-24.30.1
    • libudev1-32bit-234-24.30.1
    • libsystemd0-32bit-debuginfo-234-24.30.1
    • systemd-32bit-debuginfo-234-24.30.1
    • libsystemd0-32bit-234-24.30.1
    • systemd-32bit-234-24.30.1

References: