[Touch-packages] [Bug 1806088] [NEW] disco livecd still has insecure version 15 days after 10.4 bugfix hit proposed

Charles Evans Fri, 30 Nov 2018 09:11:28 -0800

Public bug reported:

This applies to disco only.
Ref: symlink exploit fixed in 10.4 release


Systemd restart is masked.
Debian lists this update as high priority.
Any easy get-root bug should be critical, 
not medium priority as listed in the usn. 
Updating while running the livecd  is not securing anything.
Please prioritize release of proposed security updates to disco,
and all future current livecd versions.
At least push out those updates that require substantial knowledge to activate
(libc6, dbus, systemd, and their dependencies, etc )
and packages needed to do updates (apt, networkmanager, their dependencies, etc)


Is there a way to override the mask and restart systemd?
Can I use apparmor to prevent the symlink exploit? How?


Should I file this elsewhere?

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1806088

Title:
  disco livecd still has insecure version 15 days after 10.4 bugfix hit
  proposed

Status in systemd package in Ubuntu:
  New

Bug description:
  This applies to disco only.
  Ref: symlink exploit fixed in 10.4 release

  Systemd restart is masked.
  Debian lists this update as high priority.
  Any easy get-root bug should be critical, 
  not medium priority as listed in the usn. 
  Updating while running the livecd  is not securing anything.
  Please prioritize release of proposed security updates to disco,
  and all future current livecd versions.
  At least push out those updates that require substantial knowledge to activate
  (libc6, dbus, systemd, and their dependencies, etc )
  and packages needed to do updates (apt, networkmanager, their dependencies, 
etc)

  
  Is there a way to override the mask and restart systemd?
  Can I use apparmor to prevent the symlink exploit? How?

  
  Should I file this elsewhere?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1806088/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1806088] [NEW] disco livecd still has insecure version 15 days after 10.4 bugfix hit proposed

Reply via email to