Hi Moritz

On Mon, 23 May 2016 09:49:38 +0200 Moritz Muehlenhoff <[email protected]> wrote:
> Package: systemd
> Version: 215-17+deb8u4
> Severity: important
> Tags: security patch
>
> As discussed on IRC it would be great if CVE-2015-8842 could be fixed
> in a jessie point release. Please see here for further links:
> https://security-tracker.debian.org/tracker/CVE-2015-8842

I looked into this today. The faulty commit was introduced in v213 by the commit referenced in the security tracker. There was a followup commit in v214:

    commit 176f2acf8dee45fee832fd2ab07243f63783a238
    Author: Lennart Poettering <[email protected]>
    Date:   Wed Jun 11 10:23:16 2014 +0200

        tmpfiles: don't allow read access to journal files to users not in systemd-journal

        Also, don't apply access mode recursively to /var/log/journal/*/, since that might be quite large, and should be correct anyway.

This means, users who installed jessie from scratch and never had 214-1 installed, won't be affected. Only if an (unstable) user had /var/log/journal enabled and 214-1 installed in the past, he might end up with a systemd.journal which has the wrong permissions. The commit [1] basically fixes up borked permissions of existing system.journal files. And if he's an (up-to-date) unstable user, he has already received the update in 230-1.

So, considering this, I don't think this will be an issue in practice and I think we can safely close this issue. Waiting for your confirmation though, before doing so.

Regards,
Michael

[1] https://github.com/systemd/systemd/commit/afae249efa4774c6676738ac5de6aeb4daf4889f

-- 
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
_______________________________________________
Pkg-systemd-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
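
An added check, not part of the mail above and not systemd's own code: the v214 commit quoted in the mail no longer applies the access mode recursively, so journal files created earlier keep whatever mode they had and have to be inspected directly. It assumes that any "other" permission bit on a *.journal file counts as exposed; the function names are made up for this example.

```python
#!/usr/bin/env python3
"""Audit journal files for access by users outside the owning user and group."""
import os
import stat
import sys

OTHER_BITS = stat.S_IRWXO  # read, write and execute for "other" (assumed policy)


def find_exposed_journals(root):
    """Return [(path, mode)] for *.journal files with any 'other' permission bit."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".journal"):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            mode = stat.S_IMODE(st.st_mode)
            if mode & OTHER_BITS:
                exposed.append((path, mode))
    return exposed


def strip_other_access(paths):
    """Clear the 'other' bits on each path, leaving owner and group bits alone."""
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~OTHER_BITS)


if __name__ == "__main__":
    # Default path is the persistent journal directory named in the mail.
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/log/journal"
    hits = find_exposed_journals(root)
    for path, mode in hits:
        print(f"{oct(mode)} {path}")
    sys.exit(1 if hits else 0)
```

The script exits non-zero when at least one journal file is accessible to "other", so it can be dropped into a configuration audit job.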
