Change logs for systemd source package in Bionic

  • systemd (237-3ubuntu10.57) bionic-security; urgency=medium
    
      * SECURITY UPDATE: buffer overrun vulnerability in format_timespan()
        - debian/patches/CVE-2022-3821.patch: time-util: fix buffer-over-run
        - CVE-2022-3821
    
     -- Nishit Majithia <email address hidden>  Thu, 02 Mar 2023 18:28:02 +0530
  • systemd (237-3ubuntu10.56) bionic-security; urgency=medium
    
      * debian/udev.preinst:
        Add check_ID_NET_DRIVER() to ensure that on upgrade or install
        from an earlier version ID_NET_DRIVER is present on network
        interfaces. (LP: #1988119)
    
     -- Matthew Ruffell <email address hidden>  Tue, 06 Sep 2022 15:18:05 +1200
  • systemd (237-3ubuntu10.54) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Use-after-free vulnerability in systemd.
        - debian/patches/CVE-2022-2526.patch: pin stream while calling callbacks
          for it in src/resolve/resolved-dns-stream.c
        - CVE-2022-2526
    
     -- Nishit Majithia <email address hidden>  Mon, 29 Aug 2022 10:28:49 +0530
  • systemd (237-3ubuntu10.53) bionic; urgency=medium
    
      [ Ratchanan Srirattanamet ]
      * d/p/debian/timedatectl-lp1650688.patch,
        d/p/debian/UBUNTU-Fix-timezone-setting-on-read-only-etc.patch:
        Fix timedated unable to retrieve & properly set timezone on
        read-only /etc (e.g. Ubuntu Core and system-image-based systems)
        (LP: #1650688)
    
      [ Lukas Märdian ]
      * Support detection for ARM64 Hyper-V guests (LP: #1952599)
    
     -- Lukas Märdian <email address hidden>  Fri, 10 Dec 2021 10:15:49 +0100
  • systemd (237-3ubuntu10.52) bionic; urgency=medium
    
      * d/extra/dhclient-enter-resolved-hook:
        Reset start limit counter for systemd-resolved in dhclient hook
        (LP: #1939255)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ea6710476dde78e8595274c3c4ba7acca6d5162c
      * d/p/lp1934147/0001-core-add-a-new-unit-method-catchup.patch,
        d/p/lp1934147/0002-cgroup-do-catchup-for-unit-cgroup-inotify-watch-file.patch,
        d/p/lp1934147/0003-core-Make-sure-cgroup_oom_queue-is-flushed-on-manage.patch:
        Catch up on cgroup empty inotify after reexec/reload (LP: #1934147)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=5ef61bd930612a90ce3ed9105cbadc5ff97b6ffc
      * d/p/lp1934981-correct-suspend-then-sleep-string.patch:
        Fix sleep verb used by logind during suspend-then-hibernate
        (LP: #1934981)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=1ade873a41ad018a5e07f10775738c6eb8c82310
      * d/extra/dhclient-enter-resolved-hook:
        Check is-enabled systemd-resolved in dhclient hook (LP: #1853164)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=774c2f82a39a88fa0fd8b2adbfa0b8a8c3cd1fb5
    
     -- Dan Streetman <email address hidden>  Thu, 26 Aug 2021 10:20:40 -0400
  • systemd (237-3ubuntu10.51) bionic; urgency=medium
    
      * Add support to keepconfiguration (LP: #1815101)
        - lp1815101-0001-add-macro-if-flags-are-set.patch
        - lp1815101-0002-networkd-add-support-to-keepconfiguration.patch
        - lp1815101-0003-network-use-hashmap_steal_first-rather-than-hashmap_.patch
        - lp1815101-0004-networkd-stop-clients-when-networkd-shuts-down.patch
        - lp1815101-0005-network-add-KeepConfiguration-dhcp-on-stop.patch
        - lp1815101-0006-network-make-KeepConfiguration-static-drop-DHCP-addr.patch
        - lp1815101-0007-man-add-documentation-about-KeepConfiguration.patch
    
     -- Eric Desrochers <email address hidden>  Mon, 26 Jul 2021 11:31:02 -0400
  • systemd (237-3ubuntu10.50) bionic-security; urgency=medium
    
      * d/p/lp1937117-revert-lp1929560-network-move-set-MAC-and-set-nomaster-operations-out.patch:
        Revert patch due to users expecting previous buggy behavior
        (LP: #1937117)
    
     -- Dan Streetman <email address hidden>  Wed, 21 Jul 2021 14:51:38 -0400
  • systemd (237-3ubuntu10.49) bionic-security; urgency=medium
    
      * SECURITY UPDATE: DoS via DHCP FORCERENEW
        - debian/patches/CVE-2020-13529.patch: tentatively ignore FORCERENEW
          command in src/libsystemd-network/sd-dhcp-client.c.
        - CVE-2020-13529
      * SECURITY UPDATE: denial of service via stack exhaustion
        - debian/patches/CVE-2021-33910.patch: do not use strdupa() on a path
          in src/basic/unit-name.c.
        - CVE-2021-33910
    
     -- Marc Deslauriers <email address hidden>  Fri, 09 Jul 2021 11:12:13 -0400
  • systemd (237-3ubuntu10.48) bionic; urgency=medium
    
      * d/p/lp1925216-seccomp-rework-functions-for-parsing-system-call-fil.patch:
        Downgrade syscall group parsing failure logs to debug (LP: #1925216)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=8c0181e24f7c0128a48c706d1f4b28ec0f225fd7
      * d/p/lp1929560-network-move-set-MAC-and-set-nomaster-operations-out.patch:
        Move link mac and master config out of link_up() (LP: #1929560)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=d808ea22366ca7ba4b5bb32815ab0ca2eea8a49f
      * d/p/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch,
        d/p/resolved_disable-connection-downgrade-when-DNSSEC-yes.patch,
        d/p/lp1880258-log-nxdomain-as-debug.patch,
        d/p/lp1785383-resolved-address-DVE-2018-0001.patch:
        - Use upstream patch for DVE-2018-0001 handling (LP: #1785383)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b6258fda64c84c34b0f8026e6e29bcfffa8dc4f1
    
     -- Dan Streetman <email address hidden>  Thu, 27 May 2021 11:18:38 -0400
  • systemd (237-3ubuntu10.47) bionic; urgency=medium
    
      * d/p/network_always_drop_configs_when_interface_is_renamed.patch:
        Fix networkd renaming race condition (LP: #1923115)
    
     -- Seyeong Kim <email address hidden>  Wed, 07 Apr 2021 15:11:17 +0900
  • systemd (237-3ubuntu10.46) bionic; urgency=medium
    
      * d/p/lp1916485-Newer-Glibc-use-faccessat2-to-implement-faccessat.patch:
        Add support for faccessat2 (LP: #1916485)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b5f11a9baecf0cefb503632e938d473234172128
      * d/p/lp1918696-shared-seccomp-util-address-family-filtering-is-brok.patch:
        Stop attempting to restrict address families on ppc archs
        (LP: #1918696)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=4569a047ece8b1b300ef63e49b5aea8aba35c500
      * d/p/lp1891810-seccomp-util-add-new-syscalls-from-kernel-5.6-to-sys.patch:
        Add openat2() syscall to seccomp filter list
        (LP: #1891810)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=2ddfbfa79af4f22b7adf946c4299433fd74a4f17
    
     -- Dan Streetman <email address hidden>  Wed, 17 Mar 2021 17:38:05 -0400
  • systemd (237-3ubuntu10.45) bionic; urgency=medium
    
      [ Ioanna Alifieraki ]
      * d/p/lp1911187-systemctl-do-not-shutdown-immediately-on-scheduled-shutdo.patch:
        Do not shutdown immediately when scheduled shutdown fails (LP: #1911187)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=257135a59455f4e4063e78cdd3f5cfeca2597b5b
    
      [ Dimitri John Ledkov ]
      * d/p/lp1878969-meson-initialize-time-epoch-to-reproducible-builds-compat.patch:
        meson: initialize time-epoch to reproducible builds compatible value
        (LP: #1878969)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=6f5a0c94ff4a486ee0b72af926672b24d16ff5a8
    
      [ Dan Streetman ]
      * d/p/lp1913189-test-accept-that-char-device-0-0-can-now-be-created-.patch:
        - Fix failing test case under 5.8 kernel (LP: #1913189)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=15143ec6cd584a18866390a042348a543e5aa22d
      * d/p/lp1913423-hashmap-make-sure-to-initialize-shared-hash-key-atom.patch:
        Thread-safe init of hashmap shared key (LP: #1913423)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=95c189adb9c3e22576b26b084c7edf001cbc8307
      * d/p/lp1890448-hwdb-Add-EliteBook-to-use-micmute-hotkey.patch:
        Add EliteBook to use micmute hotkey (LP: #1890448)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=19b48bdac5129aa772fbcd2dbf8d1bb5c30c1510
      * d/p/debian/patches/lp1902553-test-disable-QEMU-based-testing-for-TEST-16-EXTEND-T.patch:
        Disable TEST-03 run under qemu (LP: #1902553)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=4e37d20ec379d169cfd53088d0c3b4d7bb65d25b
      * d/p/debian/patches/lp1883447-seccomp-add-all-time64-syscalls.patch:
        Add *time64 syscalls (LP: #1883447)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=a459492c67c5c5855b03daca4b44141705495376
      * d/p/lp1685754-pid1-by-default-make-user-units-inherit-their-umask-.patch:
        Inherit umask for --user processes (LP: #1685754)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=00df8d0e76975594adb765182c587ef495262fe1
      * d/p/debian/patches/lp1880258-log-nxdomain-as-debug.patch:
        Change NXDOMAIN 'errors' to log level debug (LP: #1880258)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=9684abed02669bfcf696763b887518cf54cd3f69
      * d/p/lp1913763-udev-rules-add-rule-to-create-dev-ptp_hyperv.patch:
        Create symlink for hyperv-provided ptp device (LP: #1913763)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ff2a9ed2ece6bbd86a3d57f42b26cb1a6ca2845a
    
     -- Ioanna Alifieraki <email address hidden>  Tue, 23 Feb 2021 03:45:01 +0200
  • systemd (237-3ubuntu10.44) bionic; urgency=medium
    
      * d/extra/dhclient-enter-resolved-hook:
        suppress output of cmp command in dhclient hook (LP: #1878955)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=c5a2db69aafc7a3ab4e71bae44fd7ad9dd955c97
      * d/p/lp1905044/0001-capability-add-a-way-to-get-a-uint64_t-with-all-caps.patch,
        d/p/lp1905044/0002-test-use-cap_last_cap-for-max-supported-cap-number-n.patch:
        test: use cap_last_cap() instead of capability_list_length()
        (LP: #1905044)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=34ebc6e28e63881d40c91c5839597acc2fdab546
      * d/p/lp1905245/0001-basic-cap-list-parse-print-numerical-capabilities.patch:
        print number of unknown capabilities instead of failing
        (LP: #1905245)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=5ab225b7f731c6cf6b4655cb27c3a842150c4c1a
      * d/p/lp1907306/0001-sd-dhcp-client-don-t-log-timeouts-if-already-expired.patch,
        d/p/lp1907306/0002-sd-dhcp-client-track-dhcp4-t1-t2-expire-times.patch,
        d/p/lp1907306/0003-sd-dhcp-client-add-RFC2131-retransmission-details.patch,
        d/p/lp1907306/0004-sd-dhcp-client-simplify-dhcp4-t1-t2-parsing.patch,
        d/p/lp1907306/0005-sd-dhcp-client-correct-dhcpv4-renew-rebind-retransmi.patch,
        d/p/lp1907306/0008-sd-dhcp-client-fix-renew-rebind-timeout-calculation-.patch:
        Send correct number of dhcpv4 renew and rebind requests
        (LP: #1907306)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=036230cac8232bf4f970e565c355ee1a82fc2ee6
      * d/t/root-unittests:
        Remove any corrupt journal files (LP: #1881947)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b284b93e40b6cb834bb40dd3db94850853ab5bb8
    
     -- Dan Streetman <email address hidden>  Wed, 06 Jan 2021 16:04:25 -0500
  • systemd (237-3ubuntu10.43) bionic; urgency=medium
    
      [ Guilherme G. Piccoli ]
      * d/p/lp1830746-bump-mlock-ulimit-to-64Mb.patch:
        - Bump the memlock limit to match Focal and newer releases (LP: #1830746)
          https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=61adb797642f3dd2e5c14f7914c2949c665cefe8
    
      [ Victor Manuel Tapia King ]
      * d/p/lp1896614-core-Avoid-race-when-starting-dbus-services.patch:
        - Fix race when starting dbus services (LP: #1896614)
          https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=373cb6ccd6978a7112bbfd7e5cf4f703a9f8448e
    
      [ Dan Streetman ]
      * d/t/*,
        d/p/lp1892358/0001-test-increase-qemu-timeout-for-TEST-08-and-TEST-09.patch,
        d/p/lp1892358/0002-test-increase-timeout-for-TEST-17-UDEV-WANTS.patch,
        d/p/lp1892358/0003-test-increase-qemu-timeout-for-TEST-18-and-TEST-19.patch:
        - Increase QEMU_TIMEOUT on 'upstream' autopkgtest tests
        - Pull latest tests from newer releases to fix false negatives
        - Blacklist flaky 'upstream' TEST-03
          (LP: #1892358)
          https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=9fd8391c2499e163515b629a8ca5790898fc599d
          https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=d1756b3e1c3e625ed7162cff4909e7a29c315051
          https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=37f8d73516a84e85e4057d6a92204b4a174af718
          https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=229ed2076eb773efc548035262b8b8009bf89207
          https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f2d7b1f952667316cc07a4b3c5010e66ace07a90
          https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=659befe61bbfeb7afc9efa24458c9745412d7c6d
    
     -- Victor Manuel Tapia King <email address hidden>  Wed, 07 Oct 2020 16:30:03 -0400
  • systemd (237-3ubuntu10.42) bionic; urgency=medium
    
      [ Dan Streetman ]
      * d/p/lp1860926/0001-networkd-Allow-to-retain-configs-even-if-carrier-is-.patch,
        d/p/lp1860926/0002-network-Change-IgnoreCarrierLoss-default-to-value-of.patch,
        d/p/lp1860926/0003-network-always-drop-configs-when-corresponding-netwo.patch:
        - Add IgnoreCarrierLoss and default to value of ConfigureWithoutCarrier
          (LP: #1860926)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=9a12a31a62f1a50cd3a67a164ee34c546809815e
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3cc3870fde47982a4dda53f820e18065e5488e7e
      * d/e/rules-ubuntu/40-vm-hotadd.rules:
        - Hotadd only offline memory and CPUs
          (LP: #1876018)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ba305d7ad00e80bc1a03f93e6986eef7cbbb18fc
      * d/p/lp1881972-network-strdup-iif-and-oif-when-creating-RoutingPoli.patch:
        - Avoid double-free by strdup'ing iif/oif strings for new policy rules
          (LP: #1881972)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=874056f0d429aaa2cc872c3b35ec33cd3b740483
      * d/p/lp1886197-seccomp-more-comprehensive-protection-against-libsec.patch
        - Fix FTBFS on arm64 due to libseccomp changes (LP: #1886197)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=c284a72ca2e3d87bfe1c20afb2fcfb379cda544f
      * d/p/lp1832754/0001-umount-Try-unmounting-even-if-remounting-read-only-f.patch,
        d/p/lp1832754/0002-umount-Don-t-bother-remounting-api-and-ro-filesystem.patch:
        - Try unmounting even if ro-remount fails, and don't bother remounting api/ro fs
          (LP: #1832754)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=a518baa673aeaaf42000a3a01b7e03347652b216
    
      [ Alex Murray, Jamie Strandboge ]
      * d/p/lp1886115-pid1-fix-free-of-uninitialized-pointer-in-unit_fail_.patch:
        - Fix free of uninitialized pointer (LP: #1886115)
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=491c76fd0f2fba0007a9b54d63a50f21add643c8
    
     -- Dan Streetman <email address hidden>  Wed, 08 Jul 2020 14:59:14 -0400
  • systemd (237-3ubuntu10.41) bionic; urgency=medium
    
      [ Dan Streetman ]
      * d/p/lp1867375/0001-network-Allow-to-configure-GW-even-UseRoutes-false.patch,
        d/p/lp1867375/0002-network-add-a-flag-to-ignore-gateway-provided-by-DHC.patch,
        d/p/lp1867375/0003-network-change-UseGateway-default-to-UseRoutes-setti.patch:
        - Move gateway ignoring from UseRoutes= to UseGateway= (LP: #1867375)
      * d/p/lp1873607/0002-core-make-sure-to-restore-the-control-command-id-too.patch:
        - Avoid segfault during serialization (LP: #1873607)
      * d/p/lp1529152/0001-bash-completion-systemctl-use-systemctl-no-pager.patch,
        d/p/lp1529152/0002-bash-completion-systemctl-pass-current-partial-unit-.patch,
        d/p/lp1529152/0003-shell-completion-systemctl-pass-current-word-to-all-.patch,
        d/p/lp1529152/0004-bash-completion-systemctl-re-implement-__filter_unit.patch,
        d/p/lp1529152/0005-strip-value-from-property-names.patch:
        - fix slow systemctl tab completion (LP: #1529152)
      * d/p/lp1877159-networkd-fix-attribute-length-for-wireguard-10380.patch:
        - avoid kernel err msg setting wireguard param (LP: #1877159)
    
      [ Heitor Alves de Siqueira ]
      * d/p/lp1876600-sd-bus-deal-with-cookie-overruns.patch:
        - deal with dbus cookie overruns (LP: #1876600)
    
     -- Heitor Alves de Siqueira <email address hidden>  Sun, 03 May 2020 11:30:25 +0000
  • systemd (237-3ubuntu10.40) bionic; urgency=medium
    
      * d/t/logind: skip if nonexistent /sys/power/state (LP: #1862657)
      * d/p/lp1839290-Change-job-mode-of-manager-triggered-restarts-to-JOB.patch:
        - when restarting service after failure, replace existing queued jobs
          (LP: #1839290)
      * d/p/lp1867421-70-mouse.hwdb-Set-DPI-for-MS-Classic-IntelliMouse.patch:
        - fix resolution of IntelliMouse (LP: #1867421)
      * d/p/lp1858412-journalctl-allow-running-vacuum-on-remote-journals-t.patch:
        - allow vacuuming journal 'root' dir (LP: #1858412)
      * d/p/lp1862232/0001-network-add-more-log-messages-in-configuring-DHCP4-c.patch,
        d/p/lp1862232/0002-network-add-more-log-messages-in-configuring-DHCP6-c.patch,
        d/p/lp1862232/0003-network-also-check-that-Hostname-is-a-valid-DNS-doma.patch,
        d/p/lp1862232/0004-network-use-free_and_replace.patch,
        d/p/lp1862232/0005-network-DHCP-ignore-error-in-setting-hostname-when-i.patch,
        d/p/lp1862232/0006-man-mention-that-Hostname-for-DHCP-must-be-a-valid-D.patch,
        d/p/lp1862232/0007-resolve-fix-error-handling-of-dns_name_is_valid.patch:
        - do not fail network setup if hostname is not valid (LP: #1862232)
      * d/t/systemd-fsckd: Skip test on arm64 (LP: #1870194)
      * d/p/lp1870589-seccomp-rework-how-the-S-UG-ID-filter-is-installed.patch:
        - fix test-seccomp failure (LP: #1870589)
      * d/rules: use meson --print-errorlogs instead of cat testlog
        - (LP: #1870811)
      * d/p/lp1776654-test-Synchronize-journal-before-reading-from-it.patch:
        - sync journal before reading from it (LP: #1776654)
      * d/p/lp1837914-journal-do-not-trigger-assertion-when-journal_file_c.patch:
        - do not crash if NULL passed to journal destructor (LP: #1837914)
      * d/e/initramfs-tools/hooks/udev:
        - Follow symlinks when finding link files to copy into initramfs
          (LP: #1868892)
    
     -- Dan Streetman <email address hidden>  Mon, 20 Apr 2020 10:12:49 -0400
  • systemd (237-3ubuntu10.39) bionic; urgency=medium
    
      [ Dariusz Gadomski ]
      * d/p/lp1762391/0001-Call-getgroups-to-know-size-of-supplementary-groups-.patch,
        d/p/lp1762391/0002-user-util-tweak-to-in_gid.patch,
        d/p/lp1762391/0003-user-util-Add-helper-functions-for-gid-lists-operati.patch,
        d/p/lp1762391/0004-execute-Restore-call-to-pam_setcred.patch,
        d/p/lp1762391/0005-execute-Detect-groups-added-by-PAM-and-merge-them-wi.patch,
        d/p/lp1762391/0006-test-Add-tests-for-gid-list-ops.patch,
        d/p/lp1762391/0007-execute-add-const-to-array-parameters-where-possible.patch,
        d/p/lp1762391/0008-execute-allow-pam_setcred-to-fail-ignore-errors.patch:
        - Restore call to pam_setcred (LP: #1762391)
    
      [ Ioanna Alifieraki ]
      * d/p/lp1860548/0001-Revert-Replace-use-of-snprintf-with-xsprintf.patch,
        d/p/lp1860548/0002-job-truncate-unit-description.patch:
        - use snprintf instead of xsprintf (LP: #1860548)
    
      [ Dan Streetman ]
      * d/p/lp1833193-network-update-address-when-static-address-was-alrea.patch:
        - Update lft when static addr was cfg by dhcp (LP: #1833193)
      * d/p/lp1849261/0001-core-when-we-can-t-enqueue-OnFailure-job-show-full-e.patch,
        d/p/lp1849261/0002-core-don-t-trigger-OnFailure-deps-when-a-unit-is-goi.patch:
        - Only trigger OnFailure= if Restart= is not in effect (LP: #1849261)
      * d/p/lp1671951-network-set-ipv6-mtu-after-link-up-or-device-mtu-cha.patch:
        - set ipv6 mtu at correct time (LP: #1671951)
      * d/p/lp1845909/0001-networkd-honour-LinkLocalAddressing.patch,
        d/p/lp1845909/0002-networkd-fix-link_up-12505.patch,
        d/p/lp1845909/0003-network-do-not-send-ipv6-token-to-kernel.patch,
        d/p/lp1845909/0004-network-rename-linux_configure_after_setting_mtu-to-linux.patch,
        d/p/lp1845909/0005-network-add-link-setting_genmode-flag.patch,
        d/p/lp1845909/0006-network-if-ipv6ll-is-disabled-enumerate-tentative-ipv6-ad.patch,
        d/p/lp1845909/0007-network-drop-foreign-config-after-addr_gen_mode-has-been-.patch,
        d/p/lp1845909/0008-network-drop-IPv6LL-address-when-LinkLocalAddressing.patch:
        - if LinkLocalAddressing=no prevent creation of ipv6ll (LP: #1845909)
      * d/p/lp1859862-network-Do-not-disable-IPv6-by-writing-to-sysctl.patch:
        - enable ipv6 when needed (LP: #1859862)
      * d/p/lp1836695-networkd-Add-back-static-routes-after-DHCPv4-lease-e.patch:
        - (re)add static routes after getting dhcp4 addr (LP: #1836695)
      * d/t/storage:
        - fix buggy test (LP: #1831459)
        - without scsi_debug, skip test (LP: #1847816)
    
     -- Dan Streetman <email address hidden>  Thu, 06 Feb 2020 10:00:49 -0500
  • systemd (237-3ubuntu10.38) bionic-security; urgency=medium
    
      * SECURITY UPDATE: local privilege escalation via DynamicUser
        - debian/patches/CVE-2019-384x-1.patch: introduce
          seccomp_restrict_suid_sgid() for blocking chmod() for suid/sgid files
          in src/shared/seccomp-util.c, src/shared/seccomp-util.h.
        - debian/patches/CVE-2019-384x-2.patch: add test case for
          restrict_suid_sgid() in src/test/test-seccomp.c.
        - debian/patches/CVE-2019-384x-3.patch: expose SUID/SGID restriction as
          new unit setting RestrictSUIDSGID= in src/core/dbus-execute.c,
          src/core/execute.c, src/core/execute.h,
          src/core/load-fragment-gperf.gperf.m4, src/shared/bus-unit-util.c.
        - debian/patches/CVE-2019-384x-4.patch: document the new
          RestrictSUIDSGID= setting in man/systemd.exec.xml.
        - debian/patches/CVE-2019-384x-5.patch: turn on RestrictSUIDSGID= in
          most of our long-running daemons in units/systemd-*.service.in.
        - debian/patches/CVE-2019-384x-6.patch: imply NNP and SUID/SGID
          restriction for DynamicUser=yes service in man/systemd.exec.xml,
          src/core/unit.c.
        - debian/patches/CVE-2019-384x-7.patch: fix compilation on arm64 in
          src/test/test-seccomp.c.
        - CVE-2019-3843
        - CVE-2019-3844
      * SECURITY UPDATE: memory leak in button_open
        - debian/patches/CVE-2019-20386.patch: fix event in
          src/login/logind-button.c.
        - CVE-2019-20386
      * SECURITY UPDATE: heap use-after-free with async polkit queries
        - debian/patches/CVE-2020-1712-1.patch: on async pk requests,
          re-validate action/details in src/shared/bus-util.c.
        - debian/patches/CVE-2020-1712-2.patch: introduce API for re-enqueuing
          incoming messages in src/libsystemd/libsystemd.sym,
          src/libsystemd/sd-bus/sd-bus.c, src/systemd/sd-bus.h.
        - debian/patches/CVE-2020-1712-3.patch: when authorizing via PK
          re-resolve callback/userdata instead of caching it in
          src/shared/bus-util.c.
        - debian/patches/CVE-2020-1712-4.patch: fix typo in function name in
          src/libsystemd/libsystemd.sym, src/libsystemd/sd-bus/sd-bus.c,
          src/systemd/sd-bus.h, src/shared/bus-util.c.
        - debian/libsystemd0.symbols: added new symbols.
        - CVE-2020-1712
      * This package does _not_ contain the changes from 237-3ubuntu10.34 in
        bionic-proposed.
    
     -- Marc Deslauriers <email address hidden>  Tue, 04 Feb 2020 20:07:56 -0500
  • systemd (237-3ubuntu10.34) bionic; urgency=medium
    
      [ Dariusz Gadomski ]
      * d/p/lp1762391/0001-Call-getgroups-to-know-size-of-supplementary-groups-.patch,
        d/p/lp1762391/0002-user-util-tweak-to-in_gid.patch,
        d/p/lp1762391/0003-user-util-Add-helper-functions-for-gid-lists-operati.patch,
        d/p/lp1762391/0004-execute-Restore-call-to-pam_setcred.patch,
        d/p/lp1762391/0005-execute-Detect-groups-added-by-PAM-and-merge-them-wi.patch,
        d/p/lp1762391/0006-test-Add-tests-for-gid-list-ops.patch,
        d/p/lp1762391/0007-execute-add-const-to-array-parameters-where-possible.patch,
        d/p/lp1762391/0008-execute-allow-pam_setcred-to-fail-ignore-errors.patch:
        - Restore call to pam_setcred (LP: #1762391)
    
      [ Ioanna Alifieraki ]
      * d/p/lp1860548/0001-Revert-Replace-use-of-snprintf-with-xsprintf.patch,
        d/p/lp1860548/0002-job-truncate-unit-description.patch:
        - use snprintf instead of xsprintf (LP: #1860548)
    
      [ Dan Streetman ]
      * d/p/lp1833193-network-update-address-when-static-address-was-alrea.patch:
        - Update lft when static addr was cfg by dhcp (LP: #1833193)
      * d/p/lp1849261/0001-core-when-we-can-t-enqueue-OnFailure-job-show-full-e.patch,
        d/p/lp1849261/0002-core-don-t-trigger-OnFailure-deps-when-a-unit-is-goi.patch:
        - Only trigger OnFailure= if Restart= is not in effect (LP: #1849261)
      * d/p/lp1671951-network-set-ipv6-mtu-after-link-up-or-device-mtu-cha.patch:
        - set ipv6 mtu at correct time (LP: #1671951)
      * d/p/lp1845909/0001-networkd-honour-LinkLocalAddressing.patch,
        d/p/lp1845909/0002-networkd-fix-link_up-12505.patch,
        d/p/lp1845909/0003-network-do-not-send-ipv6-token-to-kernel.patch,
        d/p/lp1845909/0004-network-rename-linux_configure_after_setting_mtu-to-linux.patch,
        d/p/lp1845909/0005-network-add-link-setting_genmode-flag.patch,
        d/p/lp1845909/0006-network-if-ipv6ll-is-disabled-enumerate-tentative-ipv6-ad.patch,
        d/p/lp1845909/0007-network-drop-foreign-config-after-addr_gen_mode-has-been-.patch,
        d/p/lp1845909/0008-network-drop-IPv6LL-address-when-LinkLocalAddressing.patch:
        - if LinkLocalAddressing=no prevent creation of ipv6ll (LP: #1845909)
      * d/p/lp1859862-network-Do-not-disable-IPv6-by-writing-to-sysctl.patch:
        - enable ipv6 when needed (LP: #1859862)
      * d/p/lp1836695-networkd-Add-back-static-routes-after-DHCPv4-lease-e.patch:
        - (re)add static routes after getting dhcp4 addr (LP: #1836695)
      * d/t/storage:
        - fix buggy test (LP: #1831459)
        - without scsi_debug, skip test (LP: #1847816)
    
     -- Dan Streetman <email address hidden>  Wed, 22 Jan 2020 17:31:23 -0500
  • systemd (237-3ubuntu10.33) bionic; urgency=medium
    
      * d/p/lp1852754/0001-network-do-not-re-set-MTU-when-current-and-requested.patch,
        d/p/lp1852754/0002-network-call-link_acquire_conf-and-link_enter_join_n.patch,
        d/p/lp1852754/0003-network-prohibit-to-set-MTUBytes-and-UseMTU-simultan.patch:
        - Complete link setup after setting mtu (LP: #1852754)
    
    systemd (237-3ubuntu10.32) bionic; urgency=medium
    
      [ Victor Tapia ]
      * d/p/resolved_disable-connection-downgrade-when-DNSSEC-yes.patch
        Fix regression introduced by
        resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch when
        DNSSEC=yes (LP: #1796501)
    
      [ Dan Streetman ]
      * d/p/fix-typo-lp1668771-resolved-switch-cache-option-to-a-tri-state-option-s.patch:
        - Fix typo in previous patch
      * d/p/lp1840640-shared-seccomp-add-sync_file_range2.patch:
        - allow sync_file_range2 in nspawn container
          (LP: #1840640)
      * d/p/lp1783994-dissect-Don-t-count-RPMB-and-boot-partitions-8609.patch:
        - avoid systemd-gpt-auto-generator failure if mmc dev present
          (LP: #1783994)
      * d/p/lp1832672-resolved-rework-parsing-of-etc-hosts.patch:
        - do not fail entire file on error when parsing /etc/hosts
        - parse # char anywhere in line as start of comment
          (LP: #1832672)
      * d/p/lp1843381-dell_passthrough_skip_rename_retry.patch,
        debian/extra/rules/73-usb-net-by-mac.rules:
        - fix rename delay for systems using "Dell MAC passthrough"
          (LP: #1843381)
      * d/p/lp1849733/0001-resolved-longlived-TCP-connections.patch,
        d/p/lp1849733/0002-resolved-line-split-dns_stream_new-function-signatur.patch,
        d/p/lp1849733/0003-resolved-add-some-assert-s.patch,
        d/p/lp1849733/0004-stream-track-type-of-DnsStream-object.patch,
        d/p/lp1849733/0005-llmnr-add-comment-why-we-install-no-complete-handler.patch,
        d/p/lp1849733/0006-resolved-restart-stream-timeout-whenever-we-managed-.patch,
        d/p/lp1849733/0007-resolved-only-call-complete-with-zero-argument-in-LL.patch,
        d/p/lp1849733/0008-resolved-add-comment-to-dns_stream_complete-about-it.patch,
        d/p/lp1849733/0009-resolved-keep-stub-stream-connections-up-for-as-long.patch,
        d/p/lp1849733/0010-resolved-if-we-can-t-append-EDNS-OPT-RR-then-indicat.patch,
        d/p/lp1849733/0011-resolved-don-t-let-EDNS0-OPT-dgram-size-affect-TCP.patch,
        d/p/lp1849733/0012-resolved-add-new-accessor-dns_stream_take_read_packe.patch,
        d/p/lp1849733/0013-resolve-do-not-complete-stream-transaction-when-it-i.patch:
        - add TCP pipelining to handle getaddrinfo() fallback to TCP
        - ignore EDNS0 payload limit when responding over TCP (LP: #1849733)
      * d/p/lp1849658-resolved-set-stream-type-during-DnsStream-creation.patch:
        - Fix bug in refcounting TCP stream types (LP: #1849658)
      * d/p/lp1850704/0001-networkd-Unify-set-MTU.patch,
        d/p/lp1850704/0002-network-drop-redundant-lines.patch:
        - Fix setting mtu if interface already up (LP: #1850704)
      * d/extra/dhclient-enter-resolved-hook:
        - only restart resolved if dhclient conf changed (LP: #1805183)
    
     -- Dan Streetman <email address hidden>  Fri, 15 Nov 2019 10:01:16 -0500
  • systemd (237-3ubuntu10.32) bionic; urgency=medium
    
      [ Victor Tapia ]
      * d/p/resolved_disable-connection-downgrade-when-DNSSEC-yes.patch
        Fix regression introduced by
        resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch when
        DNSSEC=yes (LP: #1796501)
    
      [ Dan Streetman ]
      * d/p/fix-typo-lp1668771-resolved-switch-cache-option-to-a-tri-state-option-s.patch:
        - Fix typo in previous patch
      * d/p/lp1840640-shared-seccomp-add-sync_file_range2.patch:
        - allow sync_file_range2 in nspawn container
          (LP: #1840640)
      * d/p/lp1783994-dissect-Don-t-count-RPMB-and-boot-partitions-8609.patch:
        - avoid systemd-gpt-auto-generator failure if mmc dev present
          (LP: #1783994)
      * d/p/lp1832672-resolved-rework-parsing-of-etc-hosts.patch:
        - do not fail entire file on error when parsing /etc/hosts
        - parse # char anywhere in line as start of comment
          (LP: #1832672)
      * d/p/lp1843381-dell_passthrough_skip_rename_retry.patch,
        debian/extra/rules/73-usb-net-by-mac.rules:
        - fix rename delay for systems using "Dell MAC passthrough"
          (LP: #1843381)
      * d/p/lp1849733/0001-resolved-longlived-TCP-connections.patch,
        d/p/lp1849733/0002-resolved-line-split-dns_stream_new-function-signatur.patch,
        d/p/lp1849733/0003-resolved-add-some-assert-s.patch,
        d/p/lp1849733/0004-stream-track-type-of-DnsStream-object.patch,
        d/p/lp1849733/0005-llmnr-add-comment-why-we-install-no-complete-handler.patch,
        d/p/lp1849733/0006-resolved-restart-stream-timeout-whenever-we-managed-.patch,
        d/p/lp1849733/0007-resolved-only-call-complete-with-zero-argument-in-LL.patch,
        d/p/lp1849733/0008-resolved-add-comment-to-dns_stream_complete-about-it.patch,
        d/p/lp1849733/0009-resolved-keep-stub-stream-connections-up-for-as-long.patch,
        d/p/lp1849733/0010-resolved-if-we-can-t-append-EDNS-OPT-RR-then-indicat.patch,
        d/p/lp1849733/0011-resolved-don-t-let-EDNS0-OPT-dgram-size-affect-TCP.patch,
        d/p/lp1849733/0012-resolved-add-new-accessor-dns_stream_take_read_packe.patch,
        d/p/lp1849733/0013-resolve-do-not-complete-stream-transaction-when-it-i.patch:
        - add TCP pipelining to handle getaddrinfo() fallback to TCP
        - ignore EDNS0 payload limit when responding over TCP (LP: #1849733)
      * d/p/lp1849658-resolved-set-stream-type-during-DnsStream-creation.patch:
        - Fix bug in refcounting TCP stream types (LP: #1849658)
      * d/p/lp1850704/0001-networkd-Unify-set-MTU.patch,
        d/p/lp1850704/0002-network-drop-redundant-lines.patch:
        - Fix setting mtu if interface already up (LP: #1850704)
      * d/extra/dhclient-enter-resolved-hook:
        - only restart resolved if dhclient conf changed (LP: #1805183)
    
     -- Dan Streetman <email address hidden>  Fri, 04 Oct 2019 09:06:58 -0400
  • systemd (237-3ubuntu10.31) bionic; urgency=medium
    
      [ Dimitri John Ledkov ]
      * Add conflicts with upstart and systemd-shim. (LP: #1773859)
      * d/p/debian/UBUNTU-units-disable-journald-watchdog.patch
        - units: Disable journald Watchdog (LP: #1773148)
      * d/p/cryptsetup-add-support-for-sector-size-option-8881.patch
        - cryptsetup: add support for sector-size= option (LP: #1776626)
      * d/p/systemctl-correctly-proceed-to-immediate-shutdown-if-sche.patch
        - systemctl: correctly proceed to immediate shutdown if scheduling fails
          (LP: #1670291)
      * d/p/networkd-add-support-to-configure-IPv6-MTU-8664.patch
        - networkd: add support to set IPv6MTUBytes (LP: #1671951)
    
     -- Balint Reczey <email address hidden>  Mon, 30 Sep 2019 17:23:17 +0200
  • systemd (237-3ubuntu10.30) bionic; urgency=medium
    
      [ Dimitri John Ledkov ]
      * debian/extra/start-udev: ignore failure to set sync parameter.
        On old kernels (e.g. v4.4) the file is available but appears to be
        non-writable. Hide error messages and ignore failure to write out sync into
        the parameters file. This does not regress https://pad.lv/1779815 since
        older kernel did synchronous scan anyway. But it does resolve failure to
        start the installer on old kernels. (LP: #1784454)
      * Add conflicts with upstart and systemd-shim. (LP: #1773859)
      * d/p/debian/UBUNTU-units-disable-journald-watchdog.patch
        - units: Disable journald Watchdog (LP: #1773148)
      * d/p/cryptsetup-add-support-for-sector-size-option-8881.patch
        - cryptsetup: add support for sector-size= option (LP: #1776626)
      * d/p/systemctl-correctly-proceed-to-immediate-shutdown-if-sche.patch
        - systemctl: correctly proceed to immediate shutdown if scheduling fails
          (LP: #1670291)
      * d/p/networkd-add-support-to-configure-IPv6-MTU-8664.patch
        - networkd: add support to set IPv6MTUBytes (LP: #1671951)
    
     -- Balint Reczey <email address hidden>  Mon, 30 Sep 2019 17:23:17 +0200
  • systemd (237-3ubuntu10.29) bionic; urgency=medium
    
      * d/p/d/Revert-udev-network-device-renaming-immediately-give.patch:
        - udev: add Revert-udev-network-device-renaming-immediately-give.patch back
          Dropping this patch will cause the persistent network regression.
          (LP: #1842651)
    
     -- Shih-Yuan Lee (FourDollars) <email address hidden>  Thu, 05 Sep 2019 11:59:51 +0800
  • systemd (237-3ubuntu10.28) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Unprivileged users are granted access to privileged
        systemd-resolved D-Bus methods
        - d/p/0001-shared-but-util-drop-trusted-annotation-from-bus_ope.patch:
          drop trusted annotation from bus_open_system_watch_bind()
        - CVE-2019-15718
    
     -- Chris Coulson <email address hidden>  Thu, 29 Aug 2019 23:30:33 +0100
  • systemd (237-3ubuntu10.26) bionic; urgency=medium
    
      [ You-Sheng Yang ]
      * d/p/d/Revert-udev-network-device-renaming-immediately-give.patch:
        - udev: drop Revert-udev-network-device-renaming-immediately-give.patch
          The removing patch was for the already deprecated
          "75-persistent-net-generator.rules" based interface renaming mechanism,
          and it's causing unnecessary problem when a system happens to have NICs with
          same MAC address, e.g. Dell's MAC address pass-thru. (LP: #1837700)
    
      [ Shih-Yuan Lee (FourDollars) ]
      * d/p/hwdb-revert-airplane-mode-keys-handling-on-Dell.patch:
        - hwdb: revert airplane mode keys handling on Dell
          That reverts some commits that created double key event issues on some
          Dell laptops. (LP: #1740894)
    
     -- Shih-Yuan Lee (FourDollars) <email address hidden>  Wed, 07 Aug 2019 17:56:02 +0800
  • systemd (237-3ubuntu10.25) bionic; urgency=medium
    
      [ Dan Streetman ]
      * d/p/lp1835581-src-network-networkd-dhcp4.c-set-prefsrc-for-classle.patch:
        - set src address for dhcp 'classless' routes (LP: #1835581)
      * d/p/lp1833671-networkd-keep-bond-slave-up-if-already-attached.patch:
        - keep bond slave up if already attached (LP: #1833671)
    
      [ Jorge Niedbalski ]
      * d/p/lp1668771-resolved-switch-cache-option-to-a-tri-state-option-s.patch:
        Allows cache=no-negative option to be set, ignoring negative
        answers to be cached (LP: #1668771).
    
     -- Dan Streetman <email address hidden>  Mon, 22 Jul 2019 12:45:02 -0400
  • systemd (237-3ubuntu10.24) bionic; urgency=medium
    
      [Dimitri John Ledkov 🌈]
      * core: export environment when running generators.
        Ensure that manager's environment (including e.g. PATH) is exported when
        running generators. Otherwise, one is at the mercy of running without PATH which
        can lead to buggy generator behaviour. (LP: #1771858)
    
     -- Balint Reczey <email address hidden>  Mon, 24 Jun 2019 14:50:38 +0200
  • systemd (237-3ubuntu10.23) bionic; urgency=medium
    
      * d/p/resolved-do-not-hit-CNAME-in-NODATA.patch:
        - fix stub resolver cache (LP: #1818527)
    
     -- Heitor Alves de Siqueira <email address hidden>  Tue, 04 Jun 2019 15:54:24 -0300
  • systemd (237-3ubuntu10.22) bionic; urgency=medium
    
      * d/p/resolved-rework-how-we-determine-which-scope-to-send.patch
        - fix DNS leakage (LP: #1754671)
      * d/p/ask-password-prevent-buffer-overrow-when-reading-fro.patch:
        - prevent buffer overflow when reading keyring (LP: #1814373)
      * d/t/boot-smoke:
        - Fix false negative checking for running jobs after boot
          (LP: #1825997)
    
     -- Dan Streetman <email address hidden>  Wed, 24 Apr 2019 17:15:36 -0400
  • systemd (237-3ubuntu10.21) bionic; urgency=medium
    
      * d/p/networkd-fix-dhcp4-link-without-routes-not-being-con.patch:
        - fix dhcp4 link without routes not being considered ready
        - (LP: #1804478)
    
     -- Dan Streetman <email address hidden>  Mon, 15 Apr 2019 08:29:50 -0400
  • systemd (237-3ubuntu10.20) bionic; urgency=medium
    
      [ Ioanna Alifieraki ]
      * d/p/backport_network-fix-return-value-of-routing_policy_rule_get.patch,
        d/p/backport_network-remove-routing-policy-rule-from-foreign.patch,
        d/p/backport_network-do-not-remove-rule-when-requested-by-existing-links.patch:
        - Fix RoutingPolicyRule does not apply correctly (LP: #1818282)
    
      [ Dan Streetman ]
      * d/p/fix-test-22.patch
        - fix TEST-22 failures
      * d/p/networkd-Track-address-configuration.patch,
        d/p/networkd-Use-only-a-generic-CONFIGURING-state.patch,
        d/p/networkd-don-t-remove-route.patch,
        d/p/networkd-don-t-remove-ip-address.patch,
        d/p/Move-link_check_ready-to-later-in-the-file.patch,
        d/p/network-set-_configured-flags-to-false-before-reques.patch,
        d/p/Install-routes-after-addresses-are-ready.patch:
        - PreferredSource not working in *.network files (LP: #1812760)
    
      [ Dimitri John Ledkov ]
      * Specify Ubuntu's Vcs-Git
    
     -- Dan Streetman <email address hidden>  Thu, 04 Apr 2019 07:29:38 -0400
  • systemd (237-3ubuntu10.19) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Unsafe environment usage in pam_systemd.so leads to
        incorrect Policykit authorization
        - debian/patches/CVE-2019-3842.patch: Use secure_getenv() rather than
          getenv() in pam_systemd.c
        - CVE-2019-3842
    
     -- Chris Coulson <email address hidden>  Fri, 29 Mar 2019 16:40:26 +0000
  • systemd (237-3ubuntu10.17) bionic; urgency=medium
    
      [ Michael Vogt ]
      * d/p/Support-system-image-read-only-etc.patch:
        - re-add support for /etc/writable for core18 (LP: #1778936)
      * d/p/fix-race-daemon-reload-8803.patch:
        - backport systemd upstream PR#8803 and PR#11121 to fix race
          when doing systemctl and systemctl daemon-reload at the
          same time LP: #1819728
    
      [ Balint Reczey ]
      * d/p/virt-detect-WSL-environment-as-a-container.patch:
        - virt: detect WSL environment as a container (LP: #1816753)
    
     -- Michael Vogt <email address hidden>  Mon, 18 Mar 2019 08:40:44 +0100
  • systemd (237-3ubuntu10.16) bionic; urgency=medium
    
      * d/p/Support-system-image-read-only-etc.patch:
        - re-add support for /etc/writable for core18 (LP: #1778936)
      * d/p/fix-race-daemon-reload-8803.patch:
        - backport systemd upstream PR#8803 to fix race when doing
          systemctl and systemctl daemon-reload at the same time
          LP: #1819728
    
     -- Michael Vogt <email address hidden>  Wed, 13 Mar 2019 07:42:11 +0100
  • systemd (237-3ubuntu10.15) bionic; urgency=medium
    
      [ Victor Tapia ]
      * d/p/stop-mount-error-propagation.patch:
        keep mount errors local to the failing mount point instead of blocking
        the processing of all mounts (LP: #1755863)
    
     -- Dan Streetman <email address hidden>  Thu, 28 Feb 2019 16:03:40 -0500
  • systemd (237-3ubuntu10.14) bionic; urgency=medium
    
      [ Victor Tapia ]
      * d/p/stop-mount-error-propagation.patch:
        keep mount errors local to the failing mount point instead of blocking
        the processing of all mounts (LP: #1755863)
    
      [ Daniel Axtens ]
      * Fix an issue where IPv6 routes that specified PreferredSource
        would not be added - upstream bug #5882. (LP: #1812760)
        - debian/patches/networkd-don-t-remove-ip-address.patch,
          debian/patches/networkd-don-t-remove-route.patch: don't clear out all
          IP addresses and routes when starting, only ones not in the config.
          Required for the remaining patches to fully cover the field.
        - debian/patches/Move-link_check_ready-to-later-in-the-file.patch,
          debian/patches/Install-routes-after-addresses-are-ready.patch: wait
          until addresses are ready (not tentative) before installing routes,
          allowing routes with IPv6 source addresses to work.
    
     -- Dan Streetman <email address hidden>  Thu, 28 Feb 2019 16:03:40 -0500
  • systemd (237-3ubuntu10.13) bionic-security; urgency=medium
    
      * SECURITY UPDATE: denial of service via crafted dbus message
        - debian/patches/CVE-2019-6454.patch: sd-bus: enforce a size limit for
          dbus paths, and don't allocate them on the stack
        - debian/patches/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch:
          sd-bus: if we receive an invalid dbus message, ignore and proceed
        - CVE-2019-6454
    
      * Do not remove multiple spaces after identifier in syslog message
        - add debian/patches/journal-do-not-remove-multiple-spaces-after-identifi.patch
    
     -- Chris Coulson <email address hidden>  Wed, 13 Feb 2019 21:32:34 +0000
  • systemd (237-3ubuntu10.12) bionic; urgency=medium
    
      * d/p/resolve-enable-EDNS0-towards-the-127.0.0.53-stub-res.patch
        getaddrinfo() failures when fallback to dns tcp queries, so enable
        edns0 in resolv.conf (LP: #1811471)
    
      [ Victor Tapia ]
      * d/p/resolved-Increase-size-of-TCP-stub-replies.patch
        dns failures with edns0 disabled and truncated response (LP: #1804487)
    
     -- Dan Streetman <email address hidden>  Tue, 29 Jan 2019 14:26:48 -0500
  • systemd (237-3ubuntu10.11) bionic-security; urgency=medium
    
      * SECURITY UPDATE: memory corruption in journald via attacker controlled alloca
        - debian/patches/CVE-2018-16864.patch: journald: do not store the iovec
          entry for process commandline on the stack
        - CVE-2018-16864
      * SECURITY UPDATE: memory corruption in journald via attacker controlled alloca
        - debian/patches/CVE-2018-16865_1.patch: journald: set a limit on the
          number of fields (1k)
        - debian/patches/CVE-2018-16865_2.patch: journal-remote: set a limit on the
          number of fields in a message
        - CVE-2018-16865
      * SECURITY UPDATE: out-of-bounds read in journald
        - debian/patches/CVE-2018-16866.patch: journal: fix syslog_parse_identifier()
        - CVE-2018-16866
    
      * Fix LP: #1804603 - btrfs-util: unbreak tmpfiles' subvol creation
        - add debian/patches/btrfs-util-unbreak-tmpfiles-subvol-creation.patch
        - update debian/patches/series
      * Fix LP: #1804864 - test: Set executable bits on TEST-22-TMPFILES shell scripts
        - add debian/patches/test-Set-executable-bits-on-TEST-22-TMPFILES-shell-script.patch
        - update debian/patches/series
    
     -- Chris Coulson <email address hidden>  Wed, 09 Jan 2019 15:11:53 +0000
  • systemd (237-3ubuntu10.10) bionic; urgency=medium
    
      * debian/extra/start-udev: ignore failure to set sync parameter.
        On old kernels (e.g. v4.4) the file is available but appears to be
        non-writable. Hide error messages and ignore failure to write out sync into the
        parameters file. This does not regress https://pad.lv/1779815 since older
        kernel did synchronous scan anyway. But it does resolve failure to start the
        installer on old kernels. (LP: #1784454)
        File: debian/extra/start-udev
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=98862745cf9cbbb74ea6b30ecd29e45a17feff95
    
      * Add conflicts with upstart and systemd-shim. (LP: #1773859)
        File: debian/control
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=5ca89133e790fd0942e0ad81fa0c6998032d8882
    
      * units: Disable journald Watchdog (LP: #1773148)
        File: debian/patches/debian/UBUNTU-units-disable-journald-watchdog.patch
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=779d89090e81ec832417146f4a858626febfb595
    
      * cryptsetup: add support for sector-size= option (LP: #1776626)
        File: debian/patches/cryptsetup-add-support-for-sector-size-option-8881.patch
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=2de081e8901f1780c3c1ffe586e40d2d8e8df1ed
    
      * Re-add support for /etc/writable for core18. (LP: #1778936)
        Author: Michael Vogt
        File: debian/patches/debian/UBUNTU-Support-system-image-read-only-etc.patch
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b2c03bbc5ae7d3e9bf3c9dde9aa6c247c3f6573b
    
      * systemctl: correctly proceed to immediate shutdown if scheduling fails
        (LP: #1670291)
        File: debian/patches/systemctl-correctly-proceed-to-immediate-shutdown-if-sche.patch
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=e69ab6c34b9bb7cd1b42a6ad7d24d7ce0ca103f5
    
      * core: export environment when running generators.
        Ensure that manager's environment (including e.g. PATH) is exported when
        running generators. Otherwise, one is at the mercy of running without PATH which
        can lead to buggy generator behaviour. (LP: #1771858)
        Files:
        - debian/patches/core-execute-environment_generators-with-manager-s-enviro.patch
        - debian/patches/core-execute-generators-with-manager-s-environmnet.patch
        - debian/patches/exec-util-in-execute_directories-support-initial-exec-env.patch
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=76b0ec80fdff83b8a14596fe001e2e9fccd83bf2
    
      * networkd: add support to set IPv6MTUBytes (LP: #1671951)
        File: debian/patches/networkd-add-support-to-configure-IPv6-MTU-8664.patch
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b700a36f3d272e740460619ad7a5f489dadd010f
    
      * Specify Ubuntu's Vcs-Git
        File: debian/control
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=a69e9713d513fb1cdf547e1cc7f21d283cdd9a74
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 19 Nov 2018 17:48:47 +0000
  • systemd (237-3ubuntu10.9) bionic-security; urgency=medium
    
      [ Chris Coulson ]
      * SECURITY UPDATE: symlink mishandling in systemd-tmpfiles
        - debian/patches/CVE-2018-6954_2.patch: backport the remaining patches to
          resolve this completely
        - CVE-2018-6954
    
      [ Balint Reczey ]
      * Fix LP: #1803391 - Skip daemon-reexec and try-restarts during shutdown
        - update debian/systemd.postinst
    
     -- Chris Coulson <email address hidden>  Thu, 15 Nov 2018 20:45:11 +0000
  • systemd (237-3ubuntu10.8) bionic; urgency=medium
    
      * debian/extra/start-udev: ignore failure to set sync parameter.
        On old kernels (e.g. v4.4) the file is available but appears to be
        non-writable. Hide error messages and ignore failure to write out sync into the
        parameters file. This does not regress https://pad.lv/1779815 since older
        kernel did synchronous scan anyway. But it does resolve failure to start the
        installer on old kernels. (LP: #1784454)
        File: debian/extra/start-udev
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=62edd5c6e963dbf1df4f4bb7556a6d3477559083
    
      * Add conflicts with upstart and systemd-shim. (LP: #1773859)
        File: debian/control
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=33385a01dbe44765dc24eead52d677147b2b06c9
    
      * units: Disable journald Watchdog (LP: #1773148)
        File: debian/patches/debian/UBUNTU-units-disable-journald-watchdog.patch
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=622407bc2aa723a3bdf10e1de946d0d6e88fbeb6
    
      * cryptsetup: add support for sector-size= option (LP: #1776626)
        File: debian/patches/cryptsetup-add-support-for-sector-size-option-8881.patch
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=89899133e977eb34dac4c3e9f83c59853eda66ab
    
      * Re-add support for /etc/writable for core18. (LP: #1778936)
        Author: Michael Vogt
        File: debian/patches/debian/UBUNTU-Support-system-image-read-only-etc.patch
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=fdc87994ab8f7036d07c8c208ad1fbac32cbd639
    
      * systemctl: correctly proceed to immediate shutdown if scheduling fails
        (LP: #1670291)
        File: debian/patches/systemctl-correctly-proceed-to-immediate-shutdown-if-sche.patch
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=cdd3a0bb5f568a2500dbdff4bfcf97e3ba996fe3
    
      * core: export environment when running generators.
        Ensure that manager's environment (including e.g. PATH) is exported when
        running generators. Otherwise, one is at the mercy of running without PATH which
        can lead to buggy generator behaviour. (LP: #1771858)
        Files:
        - debian/patches/core-execute-environment_generators-with-manager-s-enviro.patch
        - debian/patches/core-execute-generators-with-manager-s-environmnet.patch
        - debian/patches/exec-util-in-execute_directories-support-initial-exec-env.patch
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=d494ef816ca950c9a7c2bfb07620b3df8e46ed35
    
      * networkd: add support to set IPv6MTUBytes (LP: #1671951)
        File: debian/patches/networkd-add-support-to-configure-IPv6-MTU-8664.patch
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f4a308ea8f3f9187c97f81868a0408f9cefc96a7
    
      * Specify Ubuntu's Vcs-Git
        File: debian/control
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b739661356fe0e47223ae28c79b4b7f7740bea3a
    
    systemd (237-3ubuntu10.7) bionic-security; urgency=medium
    
      * debian/systemd.postinst: Skip daemon-reexec and try-restarts during shutdown
        (LP: #1803391)
        Author: Balint Reczey
        File: debian/systemd.postinst
        https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=18eea38c62e73158d2160e319de31e054a58b8df
    
     -- Dimitri John Ledkov <email address hidden>  Thu, 15 Nov 2018 23:15:00 +0000
  • systemd (237-3ubuntu10.6) bionic-security; urgency=medium
    
      * SECURITY UPDATE: reexec state injection
        - debian/patches/CVE-2018-15686.patch: when deserializing state always use
          read_line(…, LONG_LINE_MAX, …) rather than fgets()
        - CVE-2018-15686
      * SECURITY UPDATE: chown_one() can dereference symlinks
        - debian/patches/CVE-2018-15687.patch: rework recursive logic to use O_PATH
        - CVE-2018-15687
      * SECURITY UPDATE: symlink mishandling in systemd-tmpfiles
        - debian/patches/CVE-2018-6954.patch: don't resolve pathnames when traversing
          recursively through directory trees
        - CVE-2018-6954
    
     -- Chris Coulson <email address hidden>  Tue, 06 Nov 2018 22:32:27 +0000
  • systemd (237-3ubuntu10.4) bionic-security; urgency=medium
    
      * SECURITY UPDATE: buffer overflow in dhcp6 client
        - debian/patches/CVE-2018-15688.patch:  make sure we have enough space
          for the DHCP6 option header in src/libsystemd-network/dhcp6-option.c.
        - CVE-2018-15688
    
     -- Marc Deslauriers <email address hidden>  Wed, 31 Oct 2018 11:38:31 -0400
  • systemd (237-3ubuntu10.3) bionic; urgency=medium
    
      * debian/extra/start-udev: Set scsi_mod scan=sync even if it's builtin
        to the kernel (we previously only set it in modprobe.d) LP: #1779815
    
     -- Adam Conrad <email address hidden>  Fri, 20 Jul 2018 11:13:58 -0600
  • systemd (237-3ubuntu10.2) bionic; urgency=medium
    
      * logind: backport v238/v239 fixes for handling DRM devices.
        These changes introduce all the fixes that correct handling of open fd's
        related to the DRM devices, as used by for example NVIDIA GPUs. This backport
        includes some refactoring, corrections, and comment updates. This to ensure
        that correct history is preserved, code comments match reality, and to ease
        backporting logind fixes in the future SRUs. (LP: #1777099)
      * Disable dh_installinit generation of tmpfiles for the systemd package.
        Replace with a manual safe call to systemd-tmpfiles which will process any
        updates to the tmpfiles shipped by systemd package, taking into account any
        overrides shipped by other packages, sysadmin, or specified in the runtime
        directories. (LP: #1748147)
    
    systemd (237-3ubuntu10.1) bionic; urgency=medium
    
      [ Dimitri John Ledkov ]
      * hwdb: Fix wlan/rfkill keycode on Dell systems. (LP: #1762385)
      * Cherrypick upstream fix for corrected detection of Virtualbox & Xen.
        (LP: #1768104)
      * Further improve captive portal workarounds.
        Retry any NXDOMAIN results with lower feature levels, instead of just those
        with 'secure' in the domain name. (LP: #1766969)
    
      [ Michael Biebl ]
      * Add dependencies of libsystemd-shared to Pre-Depends.
        This is necessary so systemctl is functional at all times during a
        dist-upgrade. (Closes: #897986) (LP: #1771791)
    
      [ Mario Limonciello ]
      * Fix hibernate disk offsets.
        Configure resume offset via sysfs, to enable resume from a swapfile.
        (LP: #1760106)
    
     -- Dimitri John Ledkov 🌈 <email address hidden>  Fri, 22 Jun 2018 13:55:09 +0100
  • systemd (237-3ubuntu10.1) bionic; urgency=medium
    
      [ Dimitri John Ledkov ]
      * hwdb: Fix wlan/rfkill keycode on Dell systems. (LP: #1762385)
      * Cherrypick upstream fix for corrected detection of Virtualbox & Xen.
        (LP: #1768104)
      * Further improve captive portal workarounds.
        Retry any NXDOMAIN results with lower feature levels, instead of just those
        with 'secure' in the domain name. (LP: #1766969)
    
      [ Michael Biebl ]
      * Add dependencies of libsystemd-shared to Pre-Depends.
        This is necessary so systemctl is functional at all times during a
        dist-upgrade. (Closes: #897986) (LP: #1771791)
    
      [ Mario Limonciello ]
      * Fix hibernate disk offsets.
        Configure resume offset via sysfs, to enable resume from a swapfile.
        (LP: #1760106)
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 21 May 2018 16:30:12 +0100
  • systemd (237-3ubuntu10) bionic; urgency=medium
    
      * Create tmpfiles for persistent journal in postinst only when running
        systemd (LP: #1748659)
    
     -- Balint Reczey <email address hidden>  Fri, 20 Apr 2018 18:55:56 +0200
  • systemd (237-3ubuntu9) bionic; urgency=medium
    
      * networkd: if RA was implicit, do not await ndisc_configured.
        If RA was implicit, meaning not otherwise requested, and a kernel default was in
        use. Do not prevent link entering configured state, whilst ndisc configuration
        is pending. Implicit kernel RA, is expected to be asynchronous and
        non-blocking. (LP: #1765173)
      * udev-udeb: ship modprobe.d snippet to force scsi_mod.scan=sync in d-i.
        This ensures that all scans are completed, before installer reaches
        partitioning stage. (LP: #1751813)
    
     -- Dimitri John Ledkov <email address hidden>  Fri, 20 Apr 2018 04:35:33 +0100
  • systemd (237-3ubuntu8) bionic; urgency=medium
    
      * Workaround captive portals not responding to EDNS0 queries (DVE-2018-0001).
        (LP: #1727237)
      * resolved: Listen on both TCP and UDP by default. (LP: #1731522)
      * Recommend networkd-dispatcher (LP: #1762386)
      * Refresh patches
    
     -- Dimitri John Ledkov <email address hidden>  Thu, 12 Apr 2018 12:12:24 +0100
  • systemd (237-3ubuntu7) bionic; urgency=medium
    
      * Introduce suspend then hibernate (LP: #1756006)
    
     -- Mario Limonciello <email address hidden>  Mon, 02 Apr 2018 14:25:04 -0500
  • systemd (237-3ubuntu6) bionic; urgency=medium
    
      * Adjust the new dropin test, for v237 systemd.
      * Refresh the keyring patch, to the one merged.
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 27 Mar 2018 13:40:09 +0100
  • systemd (237-3ubuntu5) bionic; urgency=medium
    
      * Drop old keyring/invocation_id patch, which made keyring setup be skipped in containers.
      * Use new patch, which sets up session keyring without relying on chown operation.
      * Drop systemd.prerm safety check.
        On Ubuntu, systemd is the only choice, and is essential, via init ->
        systemd-sysv -> systemd dependency chain, thus removing systemd is already
        quite hard, and appropriate warnings are emitted by dpkg. (LP: #1758438)
      * Detect Masked unit with drop-ins. (LP: #1752722)
      * wait-online: do not wait, if no links are managed (neither configured, or failed).
        (LP: #1728181)
      * journald.service: set Nice=-1 to dodge watchdog on soft lockups.
        (LP: #1696970)
      * Refresh all patches.
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 26 Mar 2018 15:55:25 +0100
  • systemd (237-3ubuntu4) bionic; urgency=medium
    
      * systemd-sysv-install: fix name initialisation.
        Only initialise NAME, after --root optional argument has been parsed, otherwise
        NAME is initialized to e.g. `enable', instead of to the `unit-name`, resulting
        in failures. (LP: #1752882)
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 05 Mar 2018 09:57:58 +0100
  • systemd (237-3ubuntu3) bionic; urgency=medium
    
      * tests/control: drop qemu-system-ppc.
        Whilst some tests pass, many regress / fail to boot. This is not a regression,
        as qemu-based tests were not run previously.
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 20 Feb 2018 17:40:02 +0000
  • systemd (237-3ubuntu2) bionic; urgency=medium
    
      * tests/boot-smoke: ignore udevd connection timeouts resolving colord group.
      * tests/systemd-fsckd: ignore systemd_fsck_with_plymouth_failure.
      * tests/control: ensure boot-smoke uses latest systemd & udev.
      * test/test-functions: on PPC64 use hvc0 console.
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 20 Feb 2018 12:03:14 +0000
  • systemd (237-3ubuntu1) bionic; urgency=medium
    
      [ Gunnar Hjalmarsson ]
      * Fix PO template creation.
        Cherry-pick upstream patches to build a correct systemd.pot including
        the polkit policy files even without policykit-1 being installed.
        (LP: #1707898)
    
      [ Dimitri John Ledkov ]
      * Blacklist TEST-16-EXTEND-TIMEOUT
      * test/test-functions: use vmlinux for ppc64 tests.
    
    systemd (237-3) unstable; urgency=medium
    
      [ Martin Pitt ]
      * debian/tests/boot-smoke: More robust journal checking.
        Also fail the test if calling journalctl fails, and avoid calling it
        twice. See https://github.com/systemd/systemd/pull/8032
      * Simplify PO template creation.
        Use the existing upstream build system instead of a manual call to
        `intltool-update` and `xgettext` to build systemd.pot. Remove the now
        obsolete intltool build dependency, but still explicitly keep gettext.
        (LP: #1707898)
      * Make systemd-sysv-install robust against existing $ROOT.
        Always initialize `$ROOT`, to avoid the script getting confused by an
        existing outside env variable. Also fix the `--root` option to actually
        work, the previous approach was conceptually broken due to how shell
        quoting works. Make the work with `set -u`. (Closes: #890436)
    
      [ Felipe Sateler ]
      * Backport upstream patch fixing a wrong assert() call (Closes: #890423)
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 19 Feb 2018 21:15:23 +0000
  • systemd (237-2ubuntu3) bionic; urgency=medium
    
      * test/test-fs-util: detect container, in addition to root.
        On armhf, during autopkgtests, whilst root is available, full capabilities in
        parent namespace are not, since the tests are run in an LXD container.
        This should resolve armhf autopkgtest failure.
      * test/test-functions: launch qemu-system with -vga none.
        Should resolve booting qemu-system-ppc64 without seabios.
      * tests/upstream: skip parts of extend time out tests, regressed.
        (LP: #1750364)
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 19 Feb 2018 13:32:07 +0000
  • systemd (237-2ubuntu2) bionic; urgency=medium
    
      * Fix cryptsetup tests by shipping 95-dm-notify udev rule. (LP: #1749432)
      * debian/tests/systemd-fsckd: update assertions expectations for v237
        fsck got rewritten to use "safe_fork" and whilst previously it would ignore the
        error, when fsck is terminated by signal PIPE, it no longer does so. Thus one
        should expect systemd-fsck-root.service to have failed in certain test cases.
    
     -- Dimitri John Ledkov <email address hidden>  Thu, 15 Feb 2018 00:32:54 +0000
  • systemd (237-2ubuntu1) bionic; urgency=medium
    
      [ Michael Vogt ]
      * Add "AssumedApparmorLabel=unconfined" to timedate1 dbus service file
        (LP: #1749000)
    
      [ Martin Pitt ]
      * debian/tests/boot-smoke: More robust journal checking.
        Also fail the test if calling journalctl fails, and avoid calling it
        twice. See https://github.com/systemd/systemd/pull/8032
    
      [ Gunnar Hjalmarsson ]
      * Fix creation of translation template
        - State the gettext package domain "systemd" explicitly, as with the
          move to meson it ended up as "untitled.pot"
        - Call xgettext to extract strings from polkit *.policy.in files, which
          intltool-update ignores. (LP: #1707898)
    
      [ Dimitri John Ledkov ]
      * Enable qemu tests on all architectures LP: #1749540
    
    systemd (237-2) unstable; urgency=medium
    
      * Drop debian/extra/rules/70-debian-uaccess.rules.
        Up-to-date udev rules for U2F devices are shipped in libu2f-udev nowadays.
        (Closes: #889665)
      * service: relax PID file symlink chain checks a bit.
        Let's read the PID file after all if there's a potentially unsafe symlink
        chain in place. But if we do, then refuse taking the PID if it's outside of
        the cgroup. (Closes: #889144)
    
     -- Dimitri John Ledkov <email address hidden>  Wed, 14 Feb 2018 16:43:12 +0000
  • systemd (237-1ubuntu3) bionic; urgency=medium
    
      * Re-enable gnu-efi on arm64, binutils is fixed
      * Cherry-pick PR8133 to resolve too strict PidFile handling, which breaks
        services starting with potentially insecure pidfiles e.g. munin
      * Disable LLMNR and MulticastDNS by default LP: #1739672
    
     -- Dimitri John Ledkov <email address hidden>  Fri, 09 Feb 2018 15:49:01 +0000
  • systemd (237-1ubuntu2) bionic; urgency=medium
    
      * Disable gnu-efi on arm64, due to FTBFS. LP: #1746765
    
     -- Dimitri John Ledkov <email address hidden>  Fri, 02 Feb 2018 23:30:05 +0000
  • systemd (237-1ubuntu1) bionic; urgency=medium
    
      * Remaining delta from Debian:
        - ship dhclient enter hook for dhclient integration with resolved
        - Use stub-resolv.conf as the default provider of /etc/resolv.conf
        - ship s390x virtio interface names migration
        - do not disable systemd-resolved upon libnss-resolve removal
        - do not remount fs in containers, for non-degraded boot
        - Unlink invocation id key, upon chown failure in containers
        - Change default to UseDomains by default
        - Do not treat failure to set Nice= setting as error in containers
        - Add a condition to systemd-journald-audit.socket to not start in
          containers (fails)
        - Build without any built-in/fallback DNS server setting
        - Enable resolved by default
        - Update autopkgtests for reliability/raciness, and testing for typical
          defaults
        - Always upgrade udev, when running adt tests
        - Skip test-execute on armhf
        - Cherry-pick a few testsuite fixes
        - Do not use nested kvm during ADT tests
        - Fix ADT systemd-fsckd tests to work on s390x too
        - Enable persistent journal by default
    
    systemd (237-1) unstable; urgency=medium
    
      * New upstream version 237
      * Rebase patches
      * Update symbols file for libsystemd0
      * Update Vcs-* to point to https://salsa.debian.org
      * Bump Standards-Version to 4.1.3
      * Set Rules-Requires-Root to no
    
    systemd (236-4) unstable; urgency=medium
    
      [ Felipe Sateler ]
      * Allow systemd-timesyncd to start when libnss-systemd is not installed.
        Pick upstream patch requiring the existence of the systemd-timesync user
        only when running as root, which is not the case for the system unit.
        (Closes: #887343)
    
      [ Nicolas Braud-Santoni ]
      * debian/copyright: Refer to the CC0 license file (Closes: #882629)
    
      [ Michael Biebl ]
      * Add Build-Depends on python3-evdev <!nocheck>
        This is used by hwdb/parse_hwdb.py to perform additional validation on
        hwdb files.
    
    systemd (236-3) unstable; urgency=medium
    
      * Revert "core/execute: RuntimeDirectory= or friends requires mount
        namespace"
        This was making mounts from SSH sessions invisible to the system.
        (Closes: #885325)
    
    systemd (236-2) unstable; urgency=medium
    
      * Downgrade priority of libudev1 to optional.
        This makes it compliant with recent versions of debian-policy which
        recommends to use priority optional for library packages.
      * Clarify NEWS entry about removal of system users.
        Mention in the recent NEWS entry that the associated system groups
        should be removed as well. (Closes: #885061)
      * cryptsetup-generator: Don't mistake NULL input as OOM.
        Fixes systemd-cryptsetup-generator failing to run during boot.
        (Closes: #885201)
      * analyze: Use normal bus connection for "plot" verb.
        Fixes "systemd-analyze plot" failing to run as root. (Closes: #884506)
      * Stop re-enabling systemd services on every upgrade.
        This was done so changes to the [Install] section would be applied on
        upgrades. Forcefully re-enabling a service might overwrite local
        modifications though and thus far, none of the affected services did
        actually change its [Install] section. So remove this code from the
        maintainer scripts as it was apparently doing more harm than good.
        (Closes: #869354)
    
    systemd (236-1) unstable; urgency=medium
    
      [ Martin Pitt ]
      * debian/tests/upstream: Only show ≥ warning in journal dumps.
        Showing the entire debug log is too hard to scan visually, and most of
        the time the warnings and errors are sufficient to explain a failure.
        Put the journal files into the artifacts though, in case the debug
        information is necessary.
    
      [ Michael Biebl ]
      * New upstream version 236
        - nspawn: Adjust path to static resolv.conf to support split usr.
          (Closes: #881310)
        - networkd: Don't stop networkd if CONFIG_FIB_RULES=n in kernel.
          (Closes: #881823)
        - core: Fix segfault in compile_bind_mounts() when BindPaths= or
          BindReadOnlyPaths= is set. (Closes: #883380)
        - meson: Link NSS modules with -z nodelete to fix memory leak in
          nss-systemd. (Closes: #883407)
        - logind: Make sure we don't access m->action_what if it's not initialized.
          (Closes: #882270)
        - systemctl: Ignore shutdown's "-t" argument. (Closes: #882245)
        - core: Be more defensive if we can't determine per-connection socket
          peer. (Closes: #879603)
        - bpf-firewall: Actually invoke BPF_PROG_ATTACH to check whether
          cgroup/bpf is available. (Closes: #878965)
      * Rebase patches
      * Update symbols file for libsystemd0
      * Bump Standards-Version to 4.1.2
      * Clean up old /var/lib/systemd/clock on upgrade.
        The clock file used by systemd-timesyncd is now stored in
        StateDirectory=systemd/timesync. (Closes: #883605)
      * Stop creating systemd-timesync system user.
        DynamicUser=yes has been enabled for systemd-timesyncd.service so
        allocating a system user statically is no longer necessary.
      * Document removal of systemd-{timesync,journal-gateway,journal-upload} user.
        We no longer create those system users as the corresponding services now
        use DynamicUser=yes. Removing those system users automatically is tricky,
        as the relevant services might be running during upgrade. Add a NEWS
        entry instead which documents this change.
      * Revert "udev-rules: Permission changes for /dev/dri/renderD*"
        This would introduce a new system group "render". As the name is rather
        generic, this needs further discussion first, so revert this change for
        now.
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 30 Jan 2018 13:52:27 +0000
  • systemd (235-3ubuntu3) bionic; urgency=medium
    
      * networkd: add support for RequiredForOnline stanza. (LP: #1737570)
      * resolved.service: set DefaultDependencies=no (LP: #1734167)
      * systemd.postinst: enable persistent journal. (LP: #1618188)
      * core: add support for non-writable unified cgroup hierarchy for container support.
        (LP: #1734410)
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 12 Dec 2017 13:25:32 +0000
  • systemd (235-3ubuntu2) bionic; urgency=medium
    
      * systemd-fsckd: Fix ADT tests to work on s390x too.
    
    systemd (235-3ubuntu1) bionic; urgency=medium
    
      * Merge 235-3 from debian:
        - Drop UBUNTU-CVE-2017-15908 included in Debian.
    
      * Remaining delta from Debian:
        - ship dhclient enter hook for dhclient integration with resolved
        - ship resolvconf integration via stub-resolv.conf
        - ship s390x virtio interface names migration
        - do not disable systemd-resolved upon libnss-resolve removal
        - do not remount fs in containers, for non-degraded boot
        - CVE-2017-15908 in resolved fix loop on packets with pseudo dns types
        - Unlink invocation id key, upon chown failure in containers
        - Change default to UseDomains by default
        - Do not treat failure to set Nice= setting as error in containers
        - Add a condition to systemd-journald-audit.socket to not start in
          containers (fails)
        - Build without any built-in/fallback DNS server setting
        - Enable resolved by default
        - Update autopkgtests for reliability/raciness, and testing for typical
          defaults
        - Always upgrade udev, when running adt tests
        - Skip test-execute on armhf
        - Cherry-pick a few testsuite fixes
    
      * UBUNTU Do not use nested kvm during ADT tests.
    
    systemd (235-3) unstable; urgency=medium
    
      [ Michael Biebl ]
      * Switch from XC-Package-Type to Package-Type. As of dpkg-dev 1.15.7
        Package-Type is recognized as an official field name.
      * Install modprobe configuration file to /lib/modprobe.d.
        Otherwise it is not read by kmod. (Closes: #879191)
    
      [ Felipe Sateler ]
      * Backport upstream (partial) fix for combined DynamicUser= + User=
        UID was not allowed to be different to GID, which is normally the case in
        debian, due to the group users being allocated the GID 100 without an
        equivalent UID 100 being allocated.
      * Backport upstream patches to fully make DynamicUser=yes + static,
        pre-existing User= work.
    
      [ Martin Pitt ]
      * Add missing python3-minimal dependency to systemd-tests
      * Drop long-obsolete systemd-bus-proxy system user
        systemd-bus-proxy hasn't been shipped since before stretch and never
        created any files. Thus clean up the obsolete system user on upgrades.
        (Closes: #878182)
      * Drop static systemd-journal-gateway system user
        systemd-journal-gatewayd.service now uses DynamicUser=, so we don't need
        to create this statically any more. Don't remove the user on upgrades
        though, as there is likely still a running process. (Closes: #878183)
      * Use DynamicUser= for systemd-journal-upload.service.
      * Add Recommends: libnss-systemd to systemd-sysv.
        This is useful to actually be able to resolve dynamically created system
        users with DynamicUser=true. This concept is going to be used much more
        in future versions and (hopefully) third-party .services, so pulling it
        into the default installation seems prudent now.
      * resolved: Fix loop on packets with pseudo dns types.
        (CVE-2017-15908, Closes: #880026, LP: #1725351)
      * bpf-firewall: Properly handle kernels without BPF cgroup but with TRIE maps.
        Fixes "Detaching egress BPF: Invalid argument" log spam. (Closes: #878965)
      * Fix MemoryDenyWriteExecution= bypass with pkey_mprotect() (LP: #1725348)
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 21 Nov 2017 16:41:15 +0000
  • systemd (235-3ubuntu1) bionic; urgency=medium
    
      * Merge 235-3 from debian:
        - Drop UBUNTU-CVE-2017-15908 included in Debian.
    
      * Remaining delta from Debian:
        - ship dhclient enter hook for dhclient integration with resolved
        - ship resolvconf integration via stub-resolv.conf
        - ship s390x virtio interface names migration
        - do not disable systemd-resolved upon libnss-resolve removal
        - do not remount fs in containers, for non-degraded boot
        - CVE-2017-15908 in resolved fix loop on packets with pseudo dns types
        - Unlink invocation id key, upon chown failure in containers
        - Change default to UseDomains by default
        - Do not treat failure to set Nice= setting as error in containers
        - Add a condition to systemd-journald-audit.socket to not start in
          containers (fails)
        - Build without any built-in/fallback DNS server setting
        - Enable resolved by default
        - Update autopkgtests for reliability/raciness, and testing for typical
          defaults
        - Always upgrade udev, when running adt tests
        - Skip test-execute on armhf
        - Cherry-pick a few testsuite fixes
    
      * UBUNTU Do not use nested kvm during ADT tests.
    
    systemd (235-3) unstable; urgency=medium
    
      [ Michael Biebl ]
      * Switch from XC-Package-Type to Package-Type. As of dpkg-dev 1.15.7
        Package-Type is recognized as an official field name.
      * Install modprobe configuration file to /lib/modprobe.d.
        Otherwise it is not read by kmod. (Closes: #879191)
    
      [ Felipe Sateler ]
      * Backport upstream (partial) fix for combined DynamicUser= + User=
        UID was not allowed to be different to GID, which is normally the case in
        debian, due to the group users being allocated the GID 100 without an
        equivalent UID 100 being allocated.
      * Backport upstream patches to fully make DynamicUser=yes + static,
        pre-existing User= work.
    
      [ Martin Pitt ]
      * Add missing python3-minimal dependency to systemd-tests
      * Drop long-obsolete systemd-bus-proxy system user
        systemd-bus-proxy hasn't been shipped since before stretch and never
        created any files. Thus clean up the obsolete system user on upgrades.
        (Closes: #878182)
      * Drop static systemd-journal-gateway system user
        systemd-journal-gatewayd.service now uses DynamicUser=, so we don't need
        to create this statically any more. Don't remove the user on upgrades
        though, as there is likely still a running process. (Closes: #878183)
      * Use DynamicUser= for systemd-journal-upload.service.
      * Add Recommends: libnss-systemd to systemd-sysv.
        This is useful to actually be able to resolve dynamically created system
        users with DynamicUser=true. This concept is going to be used much more
        in future versions and (hopefully) third-party .services, so pulling it
        into the default installation seems prudent now.
      * resolved: Fix loop on packets with pseudo dns types.
        (CVE-2017-15908, Closes: #880026, LP: #1725351)
      * bpf-firewall: Properly handle kernels without BPF cgroup but with TRIE maps.
        Fixes "Detaching egress BPF: Invalid argument" log spam. (Closes: #878965)
      * Fix MemoryDenyWriteExecution= bypass with pkey_mprotect() (LP: #1725348)
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 21 Nov 2017 09:34:14 +0000
  • systemd (235-2ubuntu3) bionic; urgency=medium
    
      * Revert "Skip test-bpf in autopkgtest, currently is failing."
        This reverts commit 75cf986e450e062a3d5780d1976e9efef41e6c4c.
      * Fix test-bpf test case on ubuntu.
      * Skip rename tests in containers, crude fix for now.
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 13 Nov 2017 00:06:42 +0000
  • systemd (235-2ubuntu2) bionic; urgency=medium
    
      * Fix test-functions failing with Ubuntu units.
      * tests: switch to using ext4 by default, instead of ext3.
      * Skip test-bpf in autopkgtest, currently is failing.
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 06 Nov 2017 18:33:39 +0000
  • systemd (235-2ubuntu1) bionic; urgency=medium
    
      [ Dimitri John Ledkov ]
      * Merge 235-2 from debian:
        - Drop all upstream cherry-picks
        - Drop test-copy dh_strip size override, fixed upstream
    
      * Remaining delta from Debian:
        - ship dhclient enter hook for dhclient integration with resolved
        - ship resolvconf integration via stub-resolv.conf
        - ship s390x virtio interface names migration
        - do not disable systemd-resolved upon libnss-resolve removal
        - do not remount fs in containers, for non-degraded boot
        - CVE-2017-15908 in resolved fix loop on packets with pseudo dns types
        - Unlink invocation id key, upon chown failure in containers
        - Change default to UseDomains by default
        - Do not treat failure to set Nice= setting as error in containers
        - Add a condition to systemd-journald-audit.socket to not start in
          containers (fails)
        - Build without any built-in/fallback DNS server setting
        - Enable resolved by default
        - Update autopkgtests for reliability/raciness, and testing for typical
          defaults
        - Always upgrade udev, when running adt tests
        - Skip test-execute on armhf
    
      * Fix up write_persistent_net_s390x for nullglob
    
      * Ship systemd sysctl settings.
        Patch systemd's default sysctl settings to drop things that are set
        elsewhere already. The promote secondary IP addresses is required for
        networkd to successfully renew DHCP leases with a change of an IP address.
        Set default package scheduler to Fair Queue CoDel. (LP: #1721223)
    
      [ Michael Biebl ]
      * Install modprobe configuration file to /lib/modprobe.d.
        Otherwise it is not read by kmod. (Closes: #879191)
    
    systemd (235-2) unstable; urgency=medium
    
      * Revert "tests: when running a manager object in a test, migrate to private
        cgroup subroot first"
        This was causing test suite failures when running inside a chroot.
    
    systemd (235-1) unstable; urgency=medium
    
      [ Michael Biebl ]
      * New upstream version 235
        - cryptsetup-generator: use remote-cryptsetup.target when _netdev is
          present (Closes: #852534)
        - tmpfiles: change btmp mode 0600 → 0660 (Closes: #870638)
        - networkd: For IPv6 addresses do not treat IFA_F_DEPRECATED as not ready
          (Closes: #869995)
        - exec-util,conf-files: skip non-executable files in execute_directories()
          (Closes: #867902)
        - man: update udevadm -y/--sysname-match documentation (Closes: #865081)
        - tmpfiles: silently ignore any path that passes through autofs
          (Closes: #805553)
        - shared: end string with % if one was found at the end of an expandable
          string (Closes: #865450)
      * Refresh patches
      * Bump Build-Depends on libmount-dev to (>= 2.30)
      * Install new modprobe.d config file
      * Bump Standards-Version to 4.1.1
    
      [ Martin Pitt ]
      * Merge logind-kill-off autopkgtest into logind test.
        This was horribly inefficient as a separate test (from commit
        6bd0dab41e), as that cost two VM resets plus accompanying boots; and
        this does not change any state thus does not require this kind of
        isolation.
    
    systemd (234-3) unstable; urgency=medium
    
      [ Martin Pitt ]
      * Various fixes for the upstream autopkgtest.
    
      [ Felipe Sateler ]
      * Add fdisk to the dependencies of the upstream autopkgtest.
        The upstream autopkgtest uses sfdisk, which is now in the non-essential
        fdisk package. (Closes: #872119)
      * Disable nss-systemd on udeb builds
      * Correctly disable resolved on udeb builds
      * Help fix collisions in libsystemd-shared symbols by versioning them.
        Backport upstream patch to version the symbols provided in the private
        library, so that they cannot confuse unversioned pam modules or libraries
        linked into them. (Closes: #873708)
    
      [ Dimitri John Ledkov ]
      * Cherrypick upstream networkd-test.py assertion/check fixes.
        This resolves ADT test suite failures, when running tests under lxc/lxd
        providers.
      * Cherrypick arm* seccomp fixes.
        This should resolve ADT test failures, on arm64, when running as root.
      * Disable KillUserProcesses, yet again, with meson this time.
      * initramfs-tools: trigger udevadm add actions with subsystems first.
        This updates the initramfs-tools init-top udev script to trigger udevadm
        actions with type specified. This mimics the systemd-udev-trigger.service.
        Without type specified only devices are triggered, but triggering
        subsystems may also be required and should happen before triggering the
        devices. This is the case for example on s390x with zdev generated udev
        rules. (LP: #1713536)
    
      [ Michael Biebl ]
      * (Re)add --quiet flag to addgroup calls.
        This is now safe with adduser having been fixed to no longer suppress
        fatal error messages if --quiet is used. (Closes: #837871)
      * Switch back to default GCC (Closes: #873661)
      * Drop systemd-timesyncd.service.d/disable-with-time-daemon.conf.
        All major NTP implementations ship a native service file nowadays with a
        Conflicts=systemd-timesyncd.service so this drop-in is no longer
        necessary. (Closes: #873185)
    
    systemd (234-2.3) unstable; urgency=high
    
      * Non-maintainer upload.
      * Also switch to g++-6 temporarily (needed for some tests):
        - Add g++-6 to Build-Depends
        - Export CXX = g++-6
    
    systemd (234-2.2) unstable; urgency=high
    
      * Non-maintainer upload.
      * Switch to gcc-6 on all architectures, working around an FTBFS on mips64el,
        apparently due to a gcc-7 bug (See: #871514):
        - Add gcc-6 to Build-Depends in debian/control
        - Export CC = gcc-6 in debian/rules
    
    systemd (234-2.1) unstable; urgency=high
    
      * Non-maintainer upload.
      * Fix missing 60-input-id.rules in udev-udeb, which breaks the graphical
        version of the Debian Installer, as no key presses or mouse events get
        processed (Closes: #872598).
    
    systemd (234-2ubuntu12.1) artful-security; urgency=medium
    
      * SECURITY UPDATE: remote DoS in resolve (LP: #1725351)
        - debian/patches/CVE-2017-15908.patch: fix loop on packets with pseudo
          dns types in src/resolve/resolved-dns-packet.c.
        - CVE-2017-15908
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 30 Oct 2017 17:20:54 +0000
  • systemd (234-2ubuntu13) bionic; urgency=medium
    
      * SECURITY UPDATE: remote DoS in resolve (LP: #1725351)
        - debian/patches/CVE-2017-15908.patch: fix loop on packets with pseudo
          dns types in src/resolve/resolved-dns-packet.c.
        - CVE-2017-15908
    
     -- Marc Deslauriers <email address hidden>  Mon, 30 Oct 2017 07:49:56 -0400
  • systemd (234-2ubuntu12) artful; urgency=medium
    
      [ Dimitri John Ledkov ]
      * debian/rules: do not strip test-copy.
        This ensures test-copy is large enough for test-copy tests to pass.
        (LP: #1721203)
    
      [ Michael Biebl ]
      * Drop systemd-timesyncd.service.d/disable-with-time-daemon.conf.
        All major NTP implementations ship a native service file nowadays with a
        Conflicts=systemd-timesyncd.service so this drop-in is no longer
        necessary. (Closes: #873185) (LP: #1721204)
    
     -- Dimitri John Ledkov <email address hidden>  Wed, 04 Oct 2017 13:28:34 +0100