A vulnerability in the systemd package has been discovered and fixed. A potential malicious user can exploit the flaw to modify data.
Package: systemd 17.x
Operating systems: Fedora 15, Fedora 16
Severity: 4.1
Problem: improper file handling
Exploitation: local
Consequence: data modification
Solution: vendor patch
CVE: CVE-2012-1174
Original advisory ID: FEDORA-2012-4018
Source: Fedora

Problem:
An error has been observed in the systemd-logind component; it occurs when certain data is deleted during user logout.

Consequence:
A local malicious user can exploit this flaw to modify and delete data.

Solution:
Upgrading the vulnerable package is advised.

Original advisory text
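The bug title cited in the Fedora references below names the failure mode: a time-of-check/time-of-use race while systemd-logind removes a user's session data at logout, which the update notes say could be abused to delete arbitrary directories. The code below is an added example, not systemd's code and not the fix shipped in this update; it shows the defensive pattern for a recursive removal that is not exposed to that class of race: walk the tree by file descriptor with openat/unlinkat, open directories with O_NOFOLLOW, re-verify each directory after opening it against the earlier fstatat result, and refuse to cross filesystem boundaries. The function names safe_rm_rf and safe_rm_rf_selftest and the temporary-directory layout the self-test builds are assumptions of this example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Delete everything below the directory open at dirfd (ownership of dirfd is
 * taken; it is closed on return). All work is relative to descriptors, never to
 * a path string that another process could re-point between check and use. */
static int rm_rf_children(int dirfd, dev_t root_dev)
{
    DIR *d = fdopendir(dirfd);
    if (!d) { close(dirfd); return -1; }
    int ret = 0;
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
            continue;
        struct stat st;
        /* Check: inspect the entry without following symlinks. */
        if (fstatat(dirfd, de->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0) { ret = -1; continue; }
        if (!S_ISDIR(st.st_mode)) {
            /* Files and symlinks are unlinked as entries; a link's target is never touched. */
            if (unlinkat(dirfd, de->d_name, 0) < 0) ret = -1;
            continue;
        }
        /* Refuse to descend into another filesystem (e.g. something bind-mounted in). */
        if (st.st_dev != root_dev) { ret = -1; continue; }
        /* Use: open the directory itself; O_NOFOLLOW rejects a symlink swapped in meanwhile. */
        int sub = openat(dirfd, de->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (sub < 0) { ret = -1; continue; }
        /* The object we opened must be the same inode we inspected a moment ago. */
        struct stat st2;
        if (fstat(sub, &st2) < 0 || st2.st_dev != st.st_dev || st2.st_ino != st.st_ino) {
            close(sub); ret = -1; continue;
        }
        if (rm_rf_children(sub, root_dev) < 0) ret = -1;   /* closes sub */
        if (unlinkat(dirfd, de->d_name, AT_REMOVEDIR) < 0) ret = -1;
    }
    closedir(d);   /* also closes dirfd */
    return ret;
}

/* Remove the directory at path and everything below it without ever following
 * a symlink or leaving the filesystem the directory lives on. Returns 0 or -1. */
int safe_rm_rf(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    if (rm_rf_children(fd, st.st_dev) < 0) return -1;
    return rmdir(path);   /* rmdir never follows symlinks */
}

/* Self-check (constructed scenario, not from the advisory): build a throwaway
 * "session" tree containing a symlink to a directory that must survive, remove
 * the tree, and return 1 if the tree is gone and the protected directory intact. */
int safe_rm_rf_selftest(void)
{
    char keep[] = "/tmp/keepXXXXXX", victim[] = "/tmp/sessXXXXXX";
    if (!mkdtemp(keep) || !mkdtemp(victim)) return 0;
    char buf[512];
    snprintf(buf, sizeof buf, "%s/secret.txt", keep);
    int fd = open(buf, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return 0;
    close(fd);
    snprintf(buf, sizeof buf, "%s/sub", victim);
    if (mkdir(buf, 0700) < 0) return 0;
    snprintf(buf, sizeof buf, "%s/sub/file", victim);
    fd = open(buf, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return 0;
    close(fd);
    /* The trap: a symlink inside the tree pointing at the directory to protect. */
    snprintf(buf, sizeof buf, "%s/sub/link", victim);
    if (symlink(keep, buf) < 0) return 0;
    if (safe_rm_rf(victim) < 0) return 0;
    struct stat st;
    int tree_gone = (lstat(victim, &st) < 0 && errno == ENOENT);
    snprintf(buf, sizeof buf, "%s/secret.txt", keep);
    int kept = (stat(buf, &st) == 0);
    unlink(buf);   /* tidy up the protected directory */
    rmdir(keep);
    return tree_gone && kept;
}

int main(void)
{
    printf("self-test %s\n", safe_rm_rf_selftest() ? "passed" : "FAILED");
    return 0;
}
```

Compile with any C compiler on Linux and run; the self-test needs a writable /tmp. The design point is that every operation on the tree is expressed relative to a descriptor that is already open, so whatever a concurrent writer swaps into the tree between the check and the removal is never followed; a symlink is deleted as a link, a bind mount is refused by the st_dev comparison, and a directory replaced after the check is caught by the inode comparison.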
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-4018
2012-03-17 22:57:59
--------------------------------------------------------------------------------
Name : systemd
Product : Fedora 16
Version : 37
Release : 17.fc16
URL : http://www.freedesktop.org/wiki/Software/systemd
Summary : A System and Service Manager
Description :
systemd is a system and service manager for Linux, compatible with
SysV and LSB init scripts. systemd provides aggressive parallelization
capabilities, uses socket and D-Bus activation for starting services,
offers on-demand starting of daemons, keeps track of processes using
Linux cgroups, supports snapshotting and restoring of the system
state, maintains mount and automount points and implements an
elaborate transactional dependency-based service control logic. It can
work as a drop-in replacement for sysvinit.
--------------------------------------------------------------------------------
Update Information:
This update fixes a bug that could be exploited to delete arbitrary directories.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Mar 16 2012 Michal Schmidt - 37-17
- CVE-2012-1174 (#804118)
* Tue Mar 6 2012 Michal Schmidt - 37-16
- From upstream:
  - avoid socket tarpits when the service keeps failing
  - get rid of awk, sed, grep in bash completion
  - and minor fixes
* Thu Mar 1 2012 Michal Schmidt - 37-15
- logind: move X11 socket
* Mon Feb 27 2012 Michal Schmidt - 37-14
- A few fixes from upstream:
  - PrivateTmp permissions (#790522)
  - timedated without ntp installed (#790260)
  - logind: allow PowerOff and Reboot via polkit
  - loading empty files in read_one_line_file() (fdo#45362)
  - fix cgit URLs in manpages
* Thu Feb 9 2012 Michal Schmidt - 37-13
- Minor fixes and some manpage updates from upstream.
* Sun Jan 29 2012 Michal Schmidt - 37-12
- Avoid a glitch with plymouth (#785548).
- Fix logind capabilities.
* Thu Jan 26 2012 Michal Schmidt - 37-11
- Fix automount regression.
* Sat Jan 21 2012 Michal Schmidt - 37-10
- Fix occasionally failing socket units with Accept=yes (#783344).
* Fri Jan 20 2012 Michal Schmidt - 37-9
- Fix a crash related to pid file watch and daemon-reload (#783118).
- Added Conflicts with known broken spamassassin.
* Tue Jan 17 2012 Michal Schmidt - 37-8
- Shut up another logind message (#727315).
* Sat Jan 14 2012 Michal Schmidt - 37-7
- Fix for quota and a couple of other issues.
* Wed Jan 11 2012 Michal Schmidt - 37-6
- Fixes and low-risk enhancements (no journald) from upstream v38.
* Fri Dec 2 2011 Karsten Hopp - 37-5
- add upstream patch for bugzilla 744415, encrypted filesystem passphrases
  fail on runtime systems in hvc consoles
* Tue Nov 15 2011 Michal Schmidt - 37-4
- Run authconfig if /etc/pam.d/system-auth is not a symlink.
- Resolves: #753160
* Wed Nov 2 2011 Michal Schmidt - 37-3
- Fix remote-fs-pre.target and its ordering.
- Resolves: #749940
* Wed Oct 19 2011 Michal Schmidt - 37-2
- A couple of fixes from upstream:
  - Fix a regression in bash-completion reported in Bodhi.
  - Fix a crash in isolating.
- Resolves: #717325
* Tue Oct 11 2011 Lennart Poettering - 37-1
- New upstream release
- Resolves: #744726, #718464, #713567, #713707, #736756
* Thu Sep 29 2011 Michal Schmidt - 36-5
- Undo the workaround. Kay says it does not belong in systemd.
- Unresolves: #741655
* Thu Sep 29 2011 Michal Schmidt - 36-4
- Workaround for the crypto-on-lvm-on-crypto disk layout
- Resolves: #741655
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #803358 - CVE-2012-1174 systemd (systemd-logind): TOCTOU race
condition by removing user session
https://bugzilla.redhat.com/show_bug.cgi?id=803358
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update systemd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-4024
2012-03-17 22:58:15
--------------------------------------------------------------------------------
Name : systemd
Product : Fedora 15
Version : 26
Release : 18.fc15
URL : http://www.freedesktop.org/wiki/Software/systemd
Summary : A System and Service Manager
Description :
systemd is a system and service manager for Linux, compatible with
SysV and LSB init scripts. systemd provides aggressive parallelization
capabilities, uses socket and D-Bus activation for starting services,
offers on-demand starting of daemons, keeps track of processes using
Linux cgroups, supports snapshotting and restoring of the system
state, maintains mount and automount points and implements an
elaborate transactional dependency-based service control logic. It can
work as a drop-in replacement for sysvinit.
--------------------------------------------------------------------------------
Update Information:
This update fixes a bug that could be exploited to delete arbitrary directories.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Mar 16 2012 Michal Schmidt - 26-18
- CVE-2012-1174 (#803358)
* Mon Feb 27 2012 Michal Schmidt - 26-17
- Backport the detection of root storage daemons.
  http://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons
* Tue Jan 31 2012 Michal Schmidt - 26-16
- Backport PassCredentials to avoid #757628 when F15 kernel is rebased to 3.2.
* Tue Jan 31 2012 Michal Schmidt - 26-15
- Fix quota (#773431).
* Tue Jan 17 2012 Michal Schmidt - 26-14
- Slowing down in F15. Only a few fixes for bugs reported against F15:
  - StopWhenUnneeded
  - wtmp
  - gc of units with load error
* Wed Nov 2 2011 Michal Schmidt - 26-13
- Fix remote-fs-pre.target and its ordering.
- Fixes: BZ#749940
* Wed Oct 19 2011 Michal Schmidt - 26-12
- Fix a crash in isolating.
- Fixes: BZ#717325
* Wed Oct 12 2011 Michal Schmidt - 26-11
- Pick a few fixes from upstream v37.
- Including the change to disable main PID guessing for SysV services.
- Loop over %{patches} in the spec.
- Fixes: BZ#718464, fdo#41336
* Sun Sep 25 2011 Michal Schmidt - 26-10
- Pick lots of fixes from upstream up to v36.
- A few features added too:
  - support more types of virtual serial consoles in getty-generator
  - log control via RT signals
  - support for LANGUAGE in environment
  - show fsck progress on the console
- Fixes: BZ#735013, BZ#722803, BZ#736360, BZ#698198, BZ#710487
- Fixes: fdo39957, fdo39818, fdo40510
* Tue Aug 23 2011 Lennart Poettering - 26-9
- Fix a couple of bugs (#723892, #726976)
* Fri Jul 8 2011 Michal Schmidt - 26-8
- Drop the pidfile patch for now. It exposes a bug in sendmail (BZ#719884)
* Wed Jul 6 2011 Michal Schmidt - 26-7
- Add more fixes from upstream:
  - don't trim cgroups on reexec (BZ#678555)
  - treat SysV services with "pidfile:" header as real daemons (BZ#702621)
* Mon Jul 4 2011 Michal Schmidt - 26-6
- Cherry-picked a bunch of upstream patches.
- Fixes: BZ#633774, BZ#708886, BZ#712710, BZ#716663
- Partially fixes: BZ#624149
- other small fixes
* Mon Jun 20 2011 Michal Schmidt - 26-5
- Temporary workaround to detect LVM VGs on encrypted PVs. (BZ#708684)
* Wed Jun 15 2011 Michal Schmidt - 26-4
- Pick bugfixes from upstream:
  - systemctl: fix 'is-enabled' for native units under /lib (BZ#699027)
  - dbus: fix name of capability property
  - pam-module: add debug= parameter (BZ#705427)
* Sun Jun 12 2011 Michal Schmidt - 26-3
- Pick bugfixes from upstream:
  - systemctl: fix double unref of a dbus message (BZ#709909)
  - cryptsetup-generator: fix /etc/cryptsetup options (BZ#710839)
  - readahead-common: fix total memory size detection (BZ#712341)
* Wed May 25 2011 Lennart Poettering - 26-2
- Bugfix release
- https://bugzilla.redhat.com/show_bug.cgi?id=707507
- https://bugzilla.redhat.com/show_bug.cgi?id=707483
- https://bugzilla.redhat.com/show_bug.cgi?id=705427
- https://bugzilla.redhat.com/show_bug.cgi?id=707577
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #803358 - CVE-2012-1174 systemd (systemd-logind): TOCTOU race
condition by removing user session
https://bugzilla.redhat.com/show_bug.cgi?id=803358
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update systemd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce