openSUSE Security Update : systemd (openSUSE-2016-488)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update for systemd fixes several issues :

- e5e362a udev: exclude MD from block device ownership event locking
- 8839413 udev: really exclude device-mapper from block device ownership event locking
- 66782e6 udev: exclude device-mapper from block device ownership event locking (bsc#972727)
- 1386f57 tmpfiles: explicitly set mode for /run/log
- faadb74 tmpfiles: don't allow read access to journal files to users not in systemd-journal
- 9b1ef37 tmpfiles: don't apply sgid and executable bit to journal files, only the directories they are contained in
- 011c39f tmpfiles: add ability to mask access mode by pre-existing access mode on files/directories
- 07e2d60 tmpfiles: get rid of 'm' lines
- d504e28 tmpfiles: various modernizations
- f97250d systemctl: no need to pass --all if inactive is explicitly requested in list-units (bsc#967122)
- 2686573 fstab-generator: fix automount option and don't start associated mount unit at boot (bsc#970423)
- 5c1637d login: support more than just power-gpio-key (fate#318444) (bsc#970860)
- 2c95ecd logind: add standard gpio power button support (fate#318444) (bsc#970860)
- af3eb93 Revert 'log-target-null-instead-kmsg'
- 555dad4 shorten hostname before checking for trailing dot (bsc#965897)
- 522194c Revert 'log: honour the kernel's quiet cmdline argument' (bsc#963230)
- cc94e47 transaction: downgrade warnings about wanted unit which are not found (bsc#960158)
- eb3cfb3 Revert 'vhangup-on-all-consoles'
- 0c28752 remove WorkingDirectory parameter from emergency, rescue and console-shell.service (bsc#959886)

- Don't allow read access to journal files to users
(boo#972612 CVE-2014-9770 CVE-2015-8842). Remove the
world-read bit from the permissions of (persistent)
archived journals. This was incorrectly set due to
backported commit 18afa5c2a7a6c215. For the same reason
the permissions of the /run/log/journal/<machine-id>
directory also have to be fixed, to make sure that
regular users cannot access its content.

- spec: remove libudev1 runtime dependencies on udev

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=959886
https://bugzilla.opensuse.org/show_bug.cgi?id=960158
https://bugzilla.opensuse.org/show_bug.cgi?id=963230
https://bugzilla.opensuse.org/show_bug.cgi?id=965897
https://bugzilla.opensuse.org/show_bug.cgi?id=967122
https://bugzilla.opensuse.org/show_bug.cgi?id=970423
https://bugzilla.opensuse.org/show_bug.cgi?id=970860
https://bugzilla.opensuse.org/show_bug.cgi?id=972612
https://bugzilla.opensuse.org/show_bug.cgi?id=972727
https://features.opensuse.org/318444

Solution :

Update the affected systemd packages.

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)

Family: SuSE Local Security Checks

Nessus Plugin ID: 90594

CVE ID: CVE-2014-9770
CVE-2015-8842
