Moderate: systemd security, bug fix, and enhancement update

Related Vulnerabilities: CVE-2019-3843   CVE-2019-3844

Synopsis

Moderate: systemd security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for systemd is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.

Security Fix(es):

  • systemd: services with DynamicUser can create SUID/SGID binaries (CVE-2019-3843)
  • systemd: services with DynamicUser can get new privileges and create SGID binaries (CVE-2019-3844)
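
Both CVEs concern a service run under DynamicUser= leaving setuid or setgid files behind in directories that persist across runs. A defender applying this update may also want to verify that no such files already exist. The script below is an added example, not part of the advisory or of systemd itself: it walks a directory tree, reports regular files carrying the S_ISUID or S_ISGID bit, and builds a small constructed sample tree so it can be run offline. The default roots /var/lib/private, /var/cache/private and /var/log/private are an assumption about the standard layout systemd uses for DynamicUser service directories; the advisory does not state them, so adjust them to the host.

```python
"""Scan directories for setuid/setgid files left behind by DynamicUser services.

Added example, not part of the Red Hat advisory or of systemd. The default
roots below are an assumption about the usual systemd layout for
DynamicUser= services (StateDirectory=, CacheDirectory=, LogsDirectory=).
"""
import os
import stat
import tempfile

# Assumed default roots for DynamicUser service directories; adjust per host.
DYNAMIC_USER_ROOTS = ("/var/lib/private", "/var/cache/private", "/var/log/private")


def find_suid_sgid(root):
    """Return sorted (path, octal_mode) pairs for regular files under root
    that carry the setuid or setgid bit.

    Symlinks are not followed and are inspected with lstat, so a link pointing
    outside root can neither widen the scan nor hide a file from it.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the scan
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def scan_dynamic_user_roots(roots=DYNAMIC_USER_ROOTS):
    """Scan every root that exists; a missing root is skipped, not an error."""
    results = []
    for root in roots:
        if os.path.isdir(root):
            results.extend(find_suid_sgid(root))
    return results


def build_sample_tree():
    """Create a constructed sample tree: one plain file and one setuid file.

    Returns the temporary base directory. Sample data only, not taken from
    any real host.
    """
    base = tempfile.mkdtemp(prefix="dynuser-scan-")
    svc = os.path.join(base, "example.service")
    os.makedirs(svc)
    plain = os.path.join(svc, "plain.bin")
    suid = os.path.join(svc, "suid.bin")
    for path in (plain, suid):
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\n")
    os.chmod(plain, 0o755)
    os.chmod(suid, 0o4755)  # setuid bit: the condition the fixes are meant to prevent
    return base


if __name__ == "__main__":
    # Demonstrate on the constructed tree, then on the assumed real roots.
    sample = build_sample_tree()
    for path, mode in find_suid_sgid(sample):
        print(f"sample: {mode} {path}")
    for path, mode in scan_dynamic_user_roots():
        print(f"host:   {mode} {path}")
```

Running the script as root on the real roots is the useful case; as an unprivileged user it still works on the constructed sample, and unreadable entries under the real roots are skipped instead of aborting the scan.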

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.2 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 1684607 - CVE-2019-3843 systemd: services with DynamicUser can create SUID/SGID binaries
  • BZ - 1684610 - CVE-2019-3844 systemd: services with DynamicUser can get new privileges and create SGID binaries
  • BZ - 1689346 - please add kptr_restrict=1 to /usr/lib/sysctl.conf/50-default.conf
  • BZ - 1696602 - systemd-cryptsetup: Serialize access to memory hard enabled keyslots while unlocking many LUKS devices
  • BZ - 1717603 - Systemd doesn't allow to set User in service files to a username with a dot in it. Error: Invalid user/group name or numeric ID
  • BZ - 1719577 - [RFE] Enhance journald to allow rate-limits to be applied per unit instead of just per server
  • BZ - 1723722 - debug-generator: enable custom systemd.debug_shell tty
  • BZ - 1724617 - RFE: add support for cgroups v2 cpuset controller
  • BZ - 1734787 - Backport NUMA stuff
  • BZ - 1735787 - Unable to repeatedly reload service that fails
  • BZ - 1743235 - journalctl dumps core when stack limit is reduced to 256 KB
  • BZ - 1748258 - systemd rpm has gaps in annobin coverage
  • BZ - 1749212 - Backport 0a2eef1ee1fef74be9d12f7dc4d0006b645b579c
  • BZ - 1752050 - Memory corruption in systemd-cryptsetup
  • BZ - 1753369 - U2F enablement package not available in EPEL8 for RHEL8
  • BZ - 1762679 - Rules in 40-redhat.rules file for SUBSYSTEM==memory are suboptimal and may lead to timing issues
  • BZ - 1763155 - Password fallback when using systemd-cryptsetup-generator keydev option
  • BZ - 1763161 - High load in systemd when cups.path and cups.service is enabled
  • BZ - 1763619 - Assertion failure when system journal rotation fails
  • BZ - 1770189 - sd-bus: bump message queue size
  • BZ - 1776408 - Ambiguous error returned preventing user from understanding the root cause of the error
  • BZ - 1777110 - provide systemd-rpm-macros to keep compatibility with Fedora/EPEL packages
  • BZ - 1778384 - systemd doesn't reset ownership of StateDirectory if directory already exists
  • BZ - 1808940 - cpuset controller group not created for qemu vm

CVEs

References