[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 1762-1] systemd security update

Package        : systemd
Version        : 215-17+deb8u12
CVE ID         : CVE-2017-18078 CVE-2019-3842

Two vulnerabilities have been addressed in the systemd components
systemd-tmpfiles and pam_systemd.so.


    systemd-tmpfiles in systemd attempted to support ownership/permission
    changes on hardlinked files even if the fs.protected_hardlinks sysctl
    is turned off, which allowed local users to bypass intended access
    restrictions via vectors involving a hard link to a file for which
    the user lacked write access.


    It was discovered that pam_systemd did not properly sanitize the
    environment before using the XDG_SEAT variable. It was possible for
    an attacker, in some particular configurations, to set a XDG_SEAT
    environment variable which allowed for commands to be checked against
    polkit policies using the "allow_active" element rather than

For Debian 8 "Jessie", these problems have been fixed in version

We recommend that you upgrade your systemd packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

Attachment: signature.asc
Description: PGP signature

Reply to: