FEDORA-2019-e0eb3d797e

security update in Fedora 28 for systemd

Status: stable 4 months ago
  • systemd-journald and systemd-journal-remote reject entries which contain too many fields (CVE-2018-16865, #1664973) and set limits on the process' command line length (CVE-2018-16864, #1664972)
  • Fix out-of-bounds read when parsing a crafted syslog message in systemd-journald (CVE-2018-16866, #1664975)

No need to log out or reboot.

How to install

sudo dnf upgrade --advisory=FEDORA-2019-e0eb3d797e

Comments 15

This update has been submitted for testing by zbyszek.

zbyszek edited this update.

This update has been pushed to testing.

works for me - but I don't get why journald does not use 'ProtectSystem=strict, ProtectHome=yes, ReadWritePaths=-/run, ReadWritePaths=-/tmp, ReadWritePaths=-/var/log, ReadWritePaths=-/var/tmp' to begin with, which would have dramatically limited the impact

karma: +1

works for me

karma: +1

The meanwhile well-known memory leak is simply not acceptable: https://bugzilla.redhat.com/show_bug.cgi?id=1665931#c5

karma: -1

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

I'm staying with +1 karma. No memory leakage for my desktop use case noticed.

karma: +1

Works for me

karma: +1

As I understand there's no current patch candidate:

https://github.com/systemd/systemd/pull/11527

As security impact is high and the update is pushed stable for F29 anyway, this might be pushed even with the regression in some use cases. Users can still downgrade using packages from koji.

karma: +1

I installed this on my Ampache server and music still plays.

karma: +1 critpath: +1

no regressions noted

karma: +1

This update has been submitted for batched by zbyszek.

This update has been submitted for stable by bodhi.

This update has been pushed to stable.

Content Type: RPM
Status: stable
Test Gating
Submitted by
Update Type: security
Update Severity: high
Karma: +3 (stable threshold: 3, unstable threshold: -3)
Autopush: Disabled
Dates: submitted 5 months ago, in testing 5 months ago, in stable 4 months ago, modified 5 months ago

Related Bugs 3

  • #1664972 CVE-2018-16864 systemd: stack overflow when calling syslog from a command with long cmdline [fedora-all]
  • #1664973 CVE-2018-16865 systemd: stack overflow when receiving many journald entries [fedora-all]
  • #1664975 CVE-2018-16866 systemd: out-of-bounds read when parsing a crafted syslog message [fedora-all]

Test Cases

  • Test Case Services start
  • Test Case base service manipulation
  • Test Case base services start
  • Test Case base shutdown/reboot