FEDORA-2019-e0eb3d797e

security update in Fedora 28 for systemd

Status: testing 8 days ago
  • systemd-journald and systemd-journal-remote reject entries which contain too many fields (CVE-2018-16865, #1664973) and set limits on the process' command line length (CVE-2018-16864, #1664972)
  • Fix out-of-bounds read when parsing a crafted syslog message in systemd-journald (CVE-2018-16866, #1664975)

No need to log out or reboot.

Comments 8

This update has been submitted for testing by zbyszek.

zbyszek edited this update.

This update has been pushed to testing.

works for me - but I don't get why journald does not use 'ProtectSystem=strict, ProtectHome=yes, ReadWritePaths=-/run, ReadWritePaths=-/tmp, ReadWritePaths=-/var/log, ReadWritePaths=-/var/tmp' to begin with, which would have dramatically limited the impact

karma: +1

works for me

karma: +1

the in the meantime well known memory leak is simply not acceptable https://bugzilla.redhat.com/show_bug.cgi?id=1665931#c5

karma: -1

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

I'm staying with +1 karma. No memory leakage for my desktop use case noticed.

karma: +1

Content Type: RPM
Status: testing
Test Gating
Submitted by
Update Type: security
Update Severity: high
Karma: 0 (stable threshold: 3, unstable threshold: -3)
Autopush: Disabled
Dates: submitted 9 days ago, in testing 8 days ago, days to stable 6, modified 9 days ago

Related Bugs 3

  • #1664972 CVE-2018-16864 systemd: stack overflow when calling syslog from a command with long cmdline [fedora-all]
  • #1664973 CVE-2018-16865 systemd: stack overflow when receiving many journald entries [fedora-all]
  • #1664975 CVE-2018-16866 systemd: out-of-bounds read when parsing a crafted syslog message [fedora-all]

Test Cases

  • Test Case Services start
  • Test Case base service manipulation
  • Test Case base services start
  • Test Case base shutdown/reboot