Your message dated Wed, 07 Mar 2018 23:05:23 +0000
with message-id <e1eti7f-000cxl...@fasolo.debian.org>
and subject line Bug#890779: fixed in systemd 238-1
has caused the Debian Bug report #890779,
regarding systemd: CVE-2018-6954: Mishandled sysmlinks in systemd-tmpfiles 
allows local users to obtain ownership of arbitrary files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
890779: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890779
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: systemd
Version: 236-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/systemd/systemd/issues/7986

Hi,

the following vulnerability was published for systemd, filling this
bug to keep track of the bug in the Debian BTS.

CVE-2018-6954[0]:
| systemd-tmpfiles in systemd through 237 mishandles symlinks present in
| non-terminal path components, which allows local users to obtain
| ownership of arbitrary files via vectors involving creation of a
| directory and a file under that directory, and later replacing that
| directory with a symlink. This occurs even if the fs.protected_symlinks
| sysctl is turned on.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6954
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6954
[1] https://github.com/systemd/systemd/issues/7986

Please adjust the affected versions in the BTS as needed (all earlier
versions should be affected).

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: systemd
Source-Version: 238-1

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <bi...@debian.org> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 07 Mar 2018 23:21:53 +0100
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote 
systemd-coredump systemd-tests libpam-systemd libnss-myhostname 
libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev 
libudev1 libudev-dev udev-udeb libudev1-udeb
Architecture: source
Version: 238-1
Distribution: unstable
Urgency: medium
Maintainer: Debian systemd Maintainers 
<pkg-systemd-maintain...@lists.alioth.debian.org>
Changed-By: Michael Biebl <bi...@debian.org>
Description:
 libnss-myhostname - nss module providing fallback resolution for the current 
hostname
 libnss-mymachines - nss module to resolve hostnames for local container 
instances
 libnss-resolve - nss module to resolve names via systemd-resolved
 libnss-systemd - nss module providing dynamic user and group name resolution
 libpam-systemd - system and service manager - PAM module
 libsystemd-dev - systemd utility library - development files
 libsystemd0 - systemd utility library
 libudev-dev - libudev development files
 libudev1   - libudev shared library
 libudev1-udeb - libudev shared library (udeb)
 systemd    - system and service manager
 systemd-container - systemd container/nspawn tools
 systemd-coredump - tools for storing and retrieving coredumps
 systemd-journal-remote - tools for sending and receiving remote journal logs
 systemd-sysv - system and service manager - SysV links
 systemd-tests - tests for systemd
 udev       - /dev/ and hotplug management daemon
 udev-udeb  - /dev/ and hotplug management daemon (udeb)
Closes: 890779
Changes:
 systemd (238-1) unstable; urgency=medium
 .
   [ Michael Biebl ]
   * New upstream version 238
     - Fixes systemd-tmpfiles to correctly handle symlinks present in
       non-terminal path components. (CVE-2018-6954, Closes: #890779)
   * Rebase patches
   * Use compat symlinks as provided by upstream.
     As the upstream build system now creates those symlinks for us, we no
     longer have to create them manually.
   * Update symbols file for libsystemd0
   * test-cgroup-util: bail out when running under a buildd environment
 .
   [ Dimitri John Ledkov ]
   * systemd-sysv-install: Fix name initialisation.
     Only initialise NAME after --root optional argument has been parsed,
     otherwise NAME is initialized to e.g. `enable`, instead of to the
     `unit-name`, resulting in failures. (LP: #1752882)
Checksums-Sha1:
 938cd28b6144bc79482c3df2888f73d6556cf973 4846 systemd_238-1.dsc
 8179cc62c7f0cb1b61b7fa21e843197229535fe6 6954022 systemd_238.orig.tar.gz
 f3f1ef8967fa797a2dacf01f1801aca5f62863cc 134088 systemd_238-1.debian.tar.xz
 3a103b057d9c763d1cde648a5478fd6bc23eb709 9424 systemd_238-1_source.buildinfo
Checksums-Sha256:
 e818654e5437ee08e68992cdea464b01085b5e6de1a786dd4e78e2ecaf4c3580 4846 
systemd_238-1.dsc
 bbc8599bab2e3c4273886dfab12464e488ecdaf20b8284949e50f8858de3e022 6954022 
systemd_238.orig.tar.gz
 8204804653fecdadc824e4cb0cd341a703ed846a87eec11050f67b19df4b149f 134088 
systemd_238-1.debian.tar.xz
 e3e688bfcecccc4a9e9e8913ed8004ea3f5a7aed841893fb3e141c0ff1254b77 9424 
systemd_238-1_source.buildinfo
Files:
 e224e439374370d9ed2b8a24fc816e6b 4846 admin optional systemd_238-1.dsc
 76db8004647283b779234364cd637d3c 6954022 admin optional systemd_238.orig.tar.gz
 69d5b6c7e8038db0544c1617a9a5554d 134088 admin optional 
systemd_238-1.debian.tar.xz
 b9f14e1390fc5c37c29b8f475a64856a 9424 admin optional 
systemd_238-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAlqganAACgkQauHfDWCP
ItwUuQ/+M1RnZgLgRdf4oi4Rnc+oRSTTl3Wx3PAIQICwBlswjjdQGd39Fk75akMd
7Edbr/yjGP6VwMK31JisguJJAngHKYRfeEtiQFV0M4I/D97lfSw+tO/H/edYEGT6
hRmyd4dVjkulchajeYYSK89DBwvAT3UZF5Z01q42lNi50zFPMSVo6YocxO+6vcEM
LdbhUV6fBLd44SPYM36vdwXDfESrnAV+mmNPMFAhsFMm7JOWxTgGmWpPq4gmjuD9
NWjBpXfwFKHZxtxCjVjbUzbD0rbrReYamBzAmtktA3i2CwoP1vBJVvJc3WH9ydRY
tFq0l6qFkPTvvtOizdFU0w0qbOwBv0hnqckFuAc657uOfQ/sOUXKB08hhoz3Dg3W
pgk3yrDMnso8Avdt0tWNv8ZpuTM8DCU2Y8z8A3hgtRgoYHrxBfxzvKNG2+ZML456
jDO9BvTL/MBcOncukxQE145Mg6hQ19hkiu38+neRVgxVNawRNOm4ABDIQvDBflJB
6SMsfd3VOZsERChV2MaKBKufn/ooVjt6F249onN6gxdIwM3lqafdidvWLoh+6o6C
yGsxQXXDc1Fe/RpkPyO/iH4oTTJLTsfKexssiy9Z3RH6rmnzDrVFkU+sbmbC0YB8
1wkZkxm8ouzzLX5X8Lg71aXqbcQOUfi5f6I7qmuwMTokVNdF30A=
=anbu
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to