New changelog entries:
  * d/t/logind: skip if nonexistent /sys/power/state (LP: #1862657)
  * d/p/lp1839290-Change-job-mode-of-manager-triggered-restarts-to-JOB.patch:
    - when restarting service after failure, replace existing queued jobs
      (LP: #1839290)
  * d/p/lp1867421-70-mouse.hwdb-Set-DPI-for-MS-Classic-IntelliMouse.patch:
    - fix resolution of IntelliMouse (LP: #1867421)
  * d/p/lp1858412-journalctl-allow-running-vacuum-on-remote-journals-t.patch:
    - allow vacuuming journal 'root' dir (LP: #1858412)
  * d/p/lp1862232/0001-network-add-more-log-messages-in-configuring-DHCP4-c.patch,
    d/p/lp1862232/0002-network-add-more-log-messages-in-configuring-DHCP6-c.patch,
    d/p/lp1862232/0003-network-also-check-that-Hostname-is-a-valid-DNS-doma.patch,
    d/p/lp1862232/0004-network-use-free_and_replace.patch,
    d/p/lp1862232/0005-network-DHCP-ignore-error-in-setting-hostname-when-i.patch,
    d/p/lp1862232/0006-man-mention-that-Hostname-for-DHCP-must-be-a-valid-D.patch,
    d/p/lp1862232/0007-resolve-fix-error-handling-of-dns_name_is_valid.patch:
    - do not fail network setup if hostname is not valid (LP: #1862232)
  * d/t/systemd-fsckd: Skip test on arm64 (LP: #1870194)
  * d/p/lp1870589-seccomp-rework-how-the-S-UG-ID-filter-is-installed.patch:
    - fix test-seccomp failure (LP: #1870589)
  * d/rules: use meson --print-errorlogs instead of cat testlog
    - (LP: #1870811)
  * d/p/lp1776654-test-Synchronize-journal-before-reading-from-it.patch:
    - sync journal before reading from it (LP: #1776654)
  * d/p/lp1837914-journal-do-not-trigger-assertion-when-journal_file_c.patch:
    - do not crash if NULL passed to journal destructor (LP: #1837914)
  * d/e/initramfs-tools/hooks/udev:
    - Follow symlinks when finding link files to copy into initramfs
      (LP: #1868892)
New changelog entries:
  * SECURITY UPDATE: local privilege escalation via DynamicUser
    - debian/patches/CVE-2019-384x-1.patch: introduce
      seccomp_restrict_suid_sgid() for blocking chmod() for suid/sgid files
      in src/shared/seccomp-util.c, src/shared/seccomp-util.h.
    - debian/patches/CVE-2019-384x-2.patch: add test case for
      restrict_suid_sgid() in src/test/test-seccomp.c.
    - debian/patches/CVE-2019-384x-3.patch: expose SUID/SGID restriction as
      new unit setting RestrictSUIDSGID= in src/core/dbus-execute.c,
      src/core/execute.c, src/core/execute.h,
      src/core/load-fragment-gperf.gperf.m4, src/shared/bus-unit-util.c.
    - debian/patches/CVE-2019-384x-4.patch: document the new
      RestrictSUIDSGID= setting in man/systemd.exec.xml.
    - debian/patches/CVE-2019-384x-5.patch: turn on RestrictSUIDSGID= in
      most of our long-running daemons in units/systemd-*.service.in.
    - debian/patches/CVE-2019-384x-6.patch: imply NNP and SUID/SGID
      restriction for DynamicUser=yes service in man/systemd.exec.xml,
      src/core/unit.c.
    - debian/patches/CVE-2019-384x-7.patch: fix compilation on arm64 in
      src/test/test-seccomp.c.
    - CVE-2019-3843
    - CVE-2019-3844
  * SECURITY UPDATE: memory leak in button_open
    - debian/patches/CVE-2019-20386.patch: fix event in
      src/login/logind-button.c.
    - CVE-2019-20386
  * SECURITY UPDATE: heap use-after-free with async polkit queries
    - debian/patches/CVE-2020-1712-1.patch: on async pk requests,
      re-validate action/details in src/shared/bus-util.c.
    - debian/patches/CVE-2020-1712-2.patch: introduce API for re-enqueuing
      incoming messages in src/libsystemd/libsystemd.sym,
      src/libsystemd/sd-bus/sd-bus.c, src/systemd/sd-bus.h.
    - debian/patches/CVE-2020-1712-3.patch: when authorizing via PK
      re-resolve callback/userdata instead of caching it in
      src/shared/bus-util.c.
    - debian/patches/CVE-2020-1712-4.patch: fix typo in function name in
      src/libsystemd/libsystemd.sym, src/libsystemd/sd-bus/sd-bus.c,
      src/systemd/sd-bus.h, src/shared/bus-util.c.
    - debian/libsystemd0.symbols: added new symbols.
    - CVE-2020-1712
  * This package does _not_ contain the changes from 237-3ubuntu10.34 in
    bionic-proposed.
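As an added illustration (not part of the changelog or of the systemd project's own unit files), this is how a service would opt into the RestrictSUIDSGID= setting introduced by the CVE-2019-3843/CVE-2019-3844 patches above; the service name, binary path and user are hypothetical placeholders.

```ini
# Added example: hardening a long-running service with the RestrictSUIDSGID=
# unit setting from the CVE-2019-3843/CVE-2019-3844 fix. The service name,
# ExecStart= path and User= value are hypothetical placeholders.
[Unit]
Description=Example hardened daemon (hypothetical)

[Service]
ExecStart=/usr/local/bin/example-daemon
User=example-daemon
# Install the seccomp filter added by seccomp_restrict_suid_sgid(): chmod()
# calls that would set the setuid or setgid bit on a file are refused, so a
# compromised daemon cannot plant a suid/sgid binary.
RestrictSUIDSGID=yes
# Prevent the process tree from gaining privileges through execve(). For
# DynamicUser=yes services this and RestrictSUIDSGID= are implied.
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemctl show -p RestrictSUIDSGID example-daemon.service` reports whether the setting took effect; on a systemd without these patches the key is rejected with an "Unknown lvalue" warning in the journal.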
New changelog entries:
  * d/p/lp1852754/0001-network-do-not-re-set-MTU-when-current-and-requested.patch,
    d/p/lp1852754/0002-network-call-link_acquire_conf-and-link_enter_join_n.patch,
    d/p/lp1852754/0003-network-prohibit-to-set-MTUBytes-and-UseMTU-simultan.patch:
    - Complete link setup after setting mtu (LP: #1852754)
New changelog entries:
  * d/p/d/Revert-udev-network-device-renaming-immediately-give.patch:
    - udev: add Revert-udev-network-device-renaming-immediately-give.patch back
      Dropping this patch will cause the persistent network regression.
      (LP: #1842651)
New changelog entries:
  * SECURITY UPDATE: Unprivileged users are granted access to privileged
    systemd-resolved D-Bus methods
    - d/p/0001-shared-but-util-drop-trusted-annotation-from-bus_ope.patch:
      drop trusted annotation from bus_open_system_watch_bind()
    - CVE-2019-15718
The "backport" portion essentially consisted of changing upstream's FLAGS_SET() macro for the manual operation, as the necessary patch [0] is not present in Bionic.
[0] https://github.com/systemd/systemd/commit/d94a24ca2ea7