openSUSE Security Update : systemd (openSUSE-2016-488)

low Nessus Plugin ID 90594

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for systemd fixes several issues :

e5e362a udev: exclude MD from block device ownership event locking 8839413 udev: really exclude device-mapper from block device ownership event locking 66782e6 udev: exclude device-mapper from block device ownership event locking (bsc#972727) 1386f57 tmpfiles: explicitly set mode for /run/log faadb74 tmpfiles: don't allow read access to journal files to users not in systemd-journal 9b1ef37 tmpfiles: don't apply sgid and executable bit to journal files, only the directories they are contained in 011c39f tmpfiles: add ability to mask access mode by pre-existing access mode on files/directories 07e2d60 tmpfiles: get rid of 'm' lines d504e28 tmpfiles: various modernizations f97250d systemctl: no need to pass --all if inactive is explicitly requested in list-units (bsc#967122) 2686573 fstab-generator: fix automount option and don't start associated mount unit at boot (bsc#970423) 5c1637d login: support more than just power-gpio-key (fate#318444) (bsc#970860) 2c95ecd logind: add standard gpio power button support (fate#318444) (bsc#970860) af3eb93 Revert 'log-target-null-instead-kmsg' 555dad4 shorten hostname before checking for trailing dot (bsc#965897) 522194c Revert 'log: honour the kernel's quiet cmdline argument' (bsc#963230) cc94e47 transaction:
downgrade warnings about wanted unit which are not found (bsc#960158) eb3cfb3 Revert 'vhangup-on-all-consoles' 0c28752 remove WorkingDirectory parameter from emergency, rescue and console-shell.service (bsc#959886)

- Don't allow read access to journal files to users (boo#972612 CVE-2014-9770 CVE-2015-8842) Remove the world read bit from the permissions of (persistent) archived journals. This was incorrectly set due to backported commit 18afa5c2a7a6c215. For the same reasons we also have to fix the permissions of /run/log/journal/<machine-id> directory to make sure that regular user won't access to its content.

- spec: remove libudev1 runtime dependencies on udev

Solution

Update the affected systemd packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=959886

https://bugzilla.opensuse.org/show_bug.cgi?id=960158

https://bugzilla.opensuse.org/show_bug.cgi?id=963230

https://bugzilla.opensuse.org/show_bug.cgi?id=965897

https://bugzilla.opensuse.org/show_bug.cgi?id=967122

https://bugzilla.opensuse.org/show_bug.cgi?id=970423

https://bugzilla.opensuse.org/show_bug.cgi?id=970860

https://bugzilla.opensuse.org/show_bug.cgi?id=972612

https://bugzilla.opensuse.org/show_bug.cgi?id=972727

https://features.opensuse.org/

Plugin Details

Severity: Low

ID: 90594

File Name: openSUSE-2016-488.nasl

Version: 2.6

Type: local

Agent: unix

Published: 4/20/2016

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Low

Base Score: 2.1

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Low

Base Score: 3.3

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libgudev-1_0-0, p-cpe:/a:novell:opensuse:libgudev-1_0-0-32bit, p-cpe:/a:novell:opensuse:libgudev-1_0-0-debuginfo, p-cpe:/a:novell:opensuse:libgudev-1_0-0-debuginfo-32bit, p-cpe:/a:novell:opensuse:libgudev-1_0-devel, p-cpe:/a:novell:opensuse:libudev-devel, p-cpe:/a:novell:opensuse:libudev-mini-devel, p-cpe:/a:novell:opensuse:libudev-mini1, p-cpe:/a:novell:opensuse:libudev-mini1-debuginfo, p-cpe:/a:novell:opensuse:libudev1, p-cpe:/a:novell:opensuse:libudev1-32bit, p-cpe:/a:novell:opensuse:libudev1-debuginfo, p-cpe:/a:novell:opensuse:libudev1-debuginfo-32bit, p-cpe:/a:novell:opensuse:nss-myhostname, p-cpe:/a:novell:opensuse:nss-myhostname-32bit, p-cpe:/a:novell:opensuse:nss-myhostname-debuginfo, p-cpe:/a:novell:opensuse:nss-myhostname-debuginfo-32bit, p-cpe:/a:novell:opensuse:systemd, p-cpe:/a:novell:opensuse:systemd-32bit, p-cpe:/a:novell:opensuse:systemd-bash-completion, p-cpe:/a:novell:opensuse:systemd-debuginfo, p-cpe:/a:novell:opensuse:systemd-debuginfo-32bit, p-cpe:/a:novell:opensuse:systemd-debugsource, p-cpe:/a:novell:opensuse:systemd-devel, p-cpe:/a:novell:opensuse:systemd-journal-gateway, p-cpe:/a:novell:opensuse:systemd-journal-gateway-debuginfo, p-cpe:/a:novell:opensuse:systemd-logger, p-cpe:/a:novell:opensuse:systemd-mini, p-cpe:/a:novell:opensuse:systemd-mini-debuginfo, p-cpe:/a:novell:opensuse:systemd-mini-debugsource, p-cpe:/a:novell:opensuse:systemd-mini-devel, p-cpe:/a:novell:opensuse:systemd-mini-sysvinit, p-cpe:/a:novell:opensuse:systemd-sysvinit, p-cpe:/a:novell:opensuse:typelib-1_0-gudev-1_0, p-cpe:/a:novell:opensuse:udev, p-cpe:/a:novell:opensuse:udev-debuginfo, p-cpe:/a:novell:opensuse:udev-mini, p-cpe:/a:novell:opensuse:udev-mini-debuginfo, cpe:/o:novell:opensuse:13.1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 4/19/2016

Reference Information

CVE: CVE-2014-9770, CVE-2015-8842