stable

systemd-238-11.gita76ee90.fc28

FEDORA-2019-e0eb3d797e created by zbyszek 5 years ago for Fedora 28
  • systemd-journald and systemd-journal-remote reject entries which contain too many fields (CVE-2018-16865, #1664973) and set limits on the process' command line length (CVE-2018-16864, #1664972)
  • Fix out-of-bounds read when parsing a crafted syslog message in systemd-journald (CVE-2018-16866, #1664975)

No need to log out or reboot.

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2019-e0eb3d797e
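A way to check that a host actually carries this build, as an added example (not the Bodhi page's or the systemd project's own code): it re-implements rpm's version comparison so it runs without the rpm Python bindings, compares an installed NVR against the fixed NVR taken from this advisory, and, when rpm is on PATH, queries the installed systemd. The function names (rpmvercmp, split_nvr, is_fixed, installed_nvr) and the sample NVR systemd-238-9.gitdeadbee.fc28 are this example's own.

```python
"""Check whether an installed systemd build is at or past this advisory's fixed build.

Self-contained port of rpm's rpmvercmp() plus an epoch:version-release compare,
so it runs without the rpm Python bindings.
"""
import re
import subprocess

# Fixed build named in FEDORA-2019-e0eb3d797e (Fedora 28).
FIXED_NVR = "systemd-238-11.gita76ee90.fc28"


def _is_alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """-1 if a < b, 0 if equal, 1 if a > b, following rpm's segment rules.

    Runs of digits and runs of letters are compared segment by segment; a numeric
    segment beats an alphabetic one, '~' sorts before everything (pre-releases)
    and '^' sorts after the end of the string (post-releases).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric, '~' or '^') are skipped.
        while i < len(a) and not (_is_alnum(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_is_alnum(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Take the next all-digit or all-letter segment from each side.
        if ca.isdigit():
            sa = re.match(r"[0-9]+", a[i:]).group(0)
            sb = re.match(r"[0-9]*", b[j:]).group(0)
            isnum = True
        else:
            sa = re.match(r"[A-Za-z]+", a[i:]).group(0)
            sb = re.match(r"[A-Za-z]*", b[j:]).group(0)
            isnum = False
        i, j = i + len(sa), j + len(sb)
        if not sb:
            # Mismatched segment types: numeric is always newer than alpha.
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_nvr(nvr: str):
    """Split name-[epoch:]version-release into (name, epoch, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return name, epoch, version, release


def is_fixed(installed: str, fixed: str = FIXED_NVR) -> bool:
    """True when the installed build's epoch/version/release is at or above the fixed one."""
    name_i, *evr_i = split_nvr(installed)
    name_f, *evr_f = split_nvr(fixed)
    if name_i != name_f:
        raise ValueError(f"package mismatch: {name_i} vs {name_f}")
    for x, y in zip(evr_i, evr_f):
        r = rpmvercmp(x, y)
        if r:
            return r > 0
    return True


def installed_nvr(package: str = "systemd") -> str:
    """Ask rpm for the installed NVR (epoch included when set); needs rpm on PATH."""
    fmt = "%{NAME}-%|EPOCH?{%{EPOCH}:}|%{VERSION}-%{RELEASE}\n"
    out = subprocess.run(["rpm", "-q", "--qf", fmt, package],
                         check=True, capture_output=True, text=True).stdout
    return out.strip()


if __name__ == "__main__":
    try:
        nvr = installed_nvr()
    except (FileNotFoundError, subprocess.CalledProcessError):
        nvr = "systemd-238-9.gitdeadbee.fc28"  # constructed sample for hosts without rpm
        print("rpm not available; using constructed sample", nvr)
    status = "carries the fix" if is_fixed(nvr) else "predates the fix"
    print(f"{nvr}: {status} ({FIXED_NVR})")
```

Only epoch, version and release are compared, which is the same ordering dnf uses to decide whether the advisory still applies; the git hash inside the release string only matters when the numeric part ties.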

This update has been submitted for testing by zbyszek.

5 years ago

zbyszek edited this update.

5 years ago

This update has been pushed to testing.

5 years ago
hreindl commented & provided feedback 5 years ago

works for me - but I don't get why journald does not use 'ProtectSystem=strict, ProtectHome=yes, ReadWritePaths=-/run, ReadWritePaths=-/tmp, ReadWritePaths=-/var/log, ReadWritePaths=-/var/tmp' to begin with, which would have dramatically limited the impact

samoht0 commented & provided feedback 5 years ago

works for me

hreindl commented & provided feedback 5 years ago

The memory leak that has become well known in the meantime is simply not acceptable: https://bugzilla.redhat.com/show_bug.cgi?id=1665931#c5

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

5 years ago
samoht0 commented & provided feedback 5 years ago

I'm staying with +1 karma. No memory leakage for my desktop use case noticed.

jonathancalloway commented & provided feedback 5 years ago

Works for me

samoht0 commented & provided feedback 5 years ago

As I understand it, there's no current patch candidate:

https://github.com/systemd/systemd/pull/11527

As the security impact is high and the update is pushed stable for F29 anyway, this might be pushed even with the regression in some use cases. Users can still downgrade using packages from Koji.

bowlofeggs commented & provided feedback 5 years ago

I installed this on my Ampache server and music still plays.

filiperosset commented & provided feedback 5 years ago

no regressions noted

This update has been submitted for batched by zbyszek.

5 years ago

This update has been submitted for stable by bodhi.

5 years ago

This update has been pushed to stable.

5 years ago


Metadata
Type: security
Severity: high
Karma: 3
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 5 years ago
in testing: 5 years ago
in stable: 5 years ago
modified: 5 years ago
BZ#1664972 CVE-2018-16864 systemd: stack overflow when calling syslog from a command with long cmdline [fedora-all]
BZ#1664973 CVE-2018-16865 systemd: stack overflow when receiving many journald entries [fedora-all]
BZ#1664975 CVE-2018-16866 systemd: out-of-bounds read when parsing a crafted syslog message [fedora-all]

Automated Test Results

Test Cases

Test Case Services start
Test Case base service manipulation
Test Case base services start
Test Case base shutdown/reboot
Test Case User:Tablepc/Draft testcase reboot