Recent commits

4d1d332... by Michael Biebl on 2019-07-21

Import patches-unapplied version 232-25+deb9u12 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: e5da040df2d5f639d1cdec33cdc6703bb260906e

New changelog entries:
  * networkd: Do not stop ndisc client in case of conf error.
    When an NDisc error happens, e.g. in case of a prefix change, do not shut
    down the dhcp client. Instead log about it and continue.
    Otherwise networkd might fail to renew the DHCPv4 address and lose IPv4
    connectivity. (Closes: #930353)

e5da040... by Michael Biebl on 2019-04-08

Import patches-unapplied version 232-25+deb9u11 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: aa3c1294734604c66913b58f444c6ddd5546f4b3

New changelog entries:
  * pam-systemd: use secure_getenv() rather than getenv()
    Fixes a vulnerability in the systemd PAM module which insecurely uses
    the environment and lacks seat verification permitting spoofing an
    active session to PolicyKit. (CVE-2019-3842)
  * journald: fix assertion failure on journal_file_link_data (Closes: #916880)
  * tmpfiles: fix "e" to support shell style globs (Closes: #918400)
  * mount-util: accept that name_to_handle_at() might fail with EPERM.
    Container managers frequently block name_to_handle_at(), returning
    EACCES or EPERM when this is issued. Accept that, and simply fall back
    to fdinfo-based checks. (Closes: #917122)
  * automount: ack automount requests even when already mounted.
    Fixes a race condition in systemd which could result in automount requests
    not being serviced and processes using them to hang, causing denial of
    service. (CVE-2018-1049)
  * core: when deserializing state always use read_line(…, LONG_LINE_MAX, …)
    Fixes improper serialization on upgrade which can influence systemd
    execution environment and lead to root privilege escalation.
    (CVE-2018-15686, Closes: #912005)
  * Non-maintainer upload by the Security Team.
  * Refuse dbus message paths longer than BUS_PATH_SIZE_MAX limit
  * Allocate temporary strings to hold dbus paths on the heap (CVE-2019-6454)
  * sd-bus: if we receive an invalid dbus message, ignore and proceed

aa3c129... by Salvatore Bonaccorso on 2019-01-15

Import patches-unapplied version 232-25+deb9u8 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 4efd0d15734ccb46bd82c7c4fd0bf254f6af87b0

New changelog entries:
  * Non-maintainer upload by the Security Team.
  * Address memory leak in dispatch_message_real()
    In dispatch_message_real() memory allocated by set_iovec_field_free()
    is not free()d.
    Follow upstream and introduce specific variables cmdline1 and cmdline2
    and free() those automatically when dispatch_message_real() returns.
  * Correctly allocate core_timestamp on the heap and avoid invalid free()
  * Remove unused core* variables in process_kernel()
  * Non-maintainer upload by the Security Team.
  * journald: do not store the iovec entry for process commandline on stack
    (CVE-2018-16864) (Closes: #918841)
  * journald: set a limit on the number of fields (1k) (CVE-2018-16865)
    (Closes: #918848)
  * journal-remote: set a limit on the number of fields in a message
    (CVE-2018-16865) (Closes: #918848)
  * journal: fix syslog_parse_identifier() (CVE-2018-16866)
  * journal: do not remove multiple spaces after identifier in syslog message

4efd0d1... by Michael Biebl on 2018-10-28

Import patches-unapplied version 232-25+deb9u6 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: 51ee31dc46b7f2b526824783865a8cee5f53aca8

New changelog entries:
  * dhcp6: Make sure we have enough space for the DHCP6 option header.
    Fixes out-of-bounds heap write in systemd-networkd dhcpv6 option
    (CVE-2018-15688, LP: #1795921, Closes: #912008)
  * networkd: Do not fail manager_connect_bus() if dbus is not active yet
    (Closes: #901834)

51ee31d... by Michael Biebl on 2018-06-13

Import patches-unapplied version 232-25+deb9u4 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: ef7319f02f87d8901438e6db5f7bc61cefd8426f

New changelog entries:
  * core/load-fragment: Add RemoveIPC=
    Allow RemoveIPC= to be set in the unit file not only via D-Bus.
    (Closes: #892829)
  * nspawn: Add missing -E to getopt_long.
    The -E alias for --setenv in systemd-nspawn was not working as
    documented. This commit fixes that by adding -E to getopt_long.
    (Closes: #895798)
  * login: Respect --no-wall when cancelling a shutdown request
    (Closes: #897938)
  [ Cyril Brulebois ]
  * networkd-ndisc: Handle missing mtu gracefully.
    The previous upload made networkd respect the MTU field in IPv6 RA but
    unfortunately broke setups where there's no such field. (Closes: #892794)

ef7319f... by Michael Biebl on 2017-12-03

Import patches-unapplied version 232-25+deb9u2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b2ce7c20db26a53b798fecbf4b20a9141ce034d1

New changelog entries:
  * networkd: Handle MTU field in IPv6 RA (Closes: #878162)
  * shared: Add a linker script so that all functions are tagged @SD_SHARED
    instead of @Base.
    This helps prevent symbol collisions with other programs and libraries.
    In particular, because PAM modules are loaded into the process that is
    creating the session, and systemd creates PAM sessions, the potential
    for collisions is high. (Closes: #873708)
  * resolved: Fix loop on packets with pseudo dns types.
    CVE-2017-15908 (Closes: #880026)
  * machinectl: Don't output "No machines." with --no-legend option
    (Closes: #880158)

b2ce7c2... by Michael Biebl on 2017-07-05

Import patches-unapplied version 232-25+deb9u1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 77e4a82817914858720773746fd9a49e1bae082f

New changelog entries:
  [ Dimitri John Ledkov ]
  * Fix out-of-bounds write in systemd-resolved.
    CVE-2017-9445 (Closes: #866147, LP: #1695546)
  [ Michael Biebl ]
  * Be truly quiet in systemctl -q is-enabled (Closes: #866579)
  * Improve RLIMIT_NOFILE handling.
    Use /proc/sys/fs/nr_open to find the current limit of open files
    compiled into the kernel instead of using a hard-coded value of 65536
    for RLIMIT_NOFILE. (Closes: #865449)
  [ Nicolas Braud-Santoni ]
  * debian/extra/rules: Use updated U2F ruleset.
    This ruleset comes from Yubico's libu2f-host. (Closes: #824532)

77e4a82... by Michael Biebl on 2017-06-04

Import patches-unapplied version 232-25 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d52ede5d0ff47220dac8f5a0161cf5fbbeeaada4

New changelog entries:
  * hwdb: Use path_join() to generate the hwdb_bin path.
    This ensures /lib/udev/hwdb.bin gets the correct SELinux context. Having
    double slashes in the path makes selabel_lookup_raw() return the wrong
    context. (Closes: #851933)
  * selinux: Enable labeling and access checks for unprivileged users.
    Revert commit that inadvertently broke a lot of SELinux related
    functionality for both unprivileged users and systemd instances running
    as MANAGER_USER and instead deal with the auditd issue by checking for
    the CAP_AUDIT_WRITE capability before opening an audit netlink socket.
    (Closes: #863800)
  * Revert "systemd-sysv: Add Conflicts: systemd-shim"
    Under certain conditions this confuses Jessie's apt which then tries to
    remove systemd while being the active init system, resulting in a failed
    dist-upgrade. While this turned out to be a bug in apt, avoid this
    situation by dropping the Conflicts. (Closes: #854041)
  * link: Fix offload features initialization.
    This fixes a regression introduced in v232 which caused TCP
    segmentation offloads to be disabled by default, resulting in
    significant performance issues under certain conditions. (Closes: #864073)

d52ede5... by Michael Biebl on 2017-05-29

Import patches-unapplied version 232-24 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e460be23a315e5aa3f38488eb0c943d76f5b710c

New changelog entries:
  [ Felipe Sateler ]
  * Specify nobody user and group.
    Otherwise nss-systemd will translate to group 'nobody', which doesn't
    exist on debian systems.
  [ Michael Biebl ]
  * Add Depends: procps to systemd.
    It's required by /usr/lib/systemd/user/systemd-exit.service which calls
    /bin/kill to stop the systemd --user instance. (Closes: #862292)
  * resolved: fix null pointer p->question dereferencing.
    This fixes a bug which allowed a remote DoS (daemon crash) via a crafted
    DNS response with an empty question section.
    Fixes: CVE-2017-9217 (Closes: #863277)

e460be2... by Michael Biebl on 2017-04-29

Import patches-unapplied version 232-23 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 7f58aa4d103beb29639a5a478beaf94dbae3232f

New changelog entries:
  [ Michael Biebl ]
  * journal: fix up syslog facility when forwarding native messages.
    Native journal messages (_TRANSPORT=journal) typically don't have a
    syslog facility attached to them. As a result when forwarding the
    messages to syslog they ended up with facility 0 (LOG_KERN).
    Apply syslog_fixup_facility() so we use LOG_USER instead. (Closes: #837893)
  * nspawn: Support ephemeral boots from images (Closes: #858149)
  * Exclude test binaries from dh_shlibdeps.
    The test binaries in libsystemd-dev require libsystemd-shared which is
    shipped in the systemd package. Those test binaries are primarily meant
    to be run via autopkgtest. As the libsystemd-dev package is not supposed
    to depend on systemd, exclude the tests from dh_shlibdeps and instead
    update the autopkgtest dependencies to pull in the systemd package.
    (Closes: #859152)
  [ Felipe Sateler ]
  * Backport patch to make inability to get OS version nonfatal in machinectl.
    Otherwise machinectl list breaks when there are libvirt machines
    (Closes: #849316)
  [ Sjoerd Simons ]
  * init-functions: Only call daemon-reload when planning to redirect.
    systemctl daemon-reload is quite a heavy operation, it will re-parse
    all configuration and re-run all generators. This should only be done
    when strictly needed. (Closes: #861158)