Your message dated Sat, 07 Oct 2023 09:59:42 +0000
with message-id <E1qp462-00A4Hl-NO@coccia.debian.org>
and subject line Released with 12.2
has caused the Debian Bug report #1052325,
regarding bookworm-pu: package systemd/252.17-1~deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1052325: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052325
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: bookworm-pu: package systemd/252.17-1~deb12u1
- From: Luca Boccassi <bluca@debian.org>
- Date: Wed, 20 Sep 2023 14:15:03 +0100
- Message-id: <c7c14baa1e1057f5195bfe9ca0ffcec478ab1028.camel@debian.org>
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-systemd-maintainers@lists.alioth.debian.org

Dear Release Team,

We would like to upload the latest stable point release of systemd 252 to bookworm-p-u. Stable release branches are maintained upstream with the intention of providing bug fixes only and no compatibility breakages, and with automated non-trivial CI jobs that also cover Debian and Ubuntu. I have already uploaded to p-u.

The only fix in this release is for a minor security advisory that affects systemd-boot on arm64/riscv64 on EFI with secure-boot enabled (which debian doesn't provide for sd-boot at all, so only affects local self-signed deployments). Details at: https://github.com/systemd/systemd/security/advisories/GHSA-6m6p-rjcq-334c

Debdiff attached. No packaging changes.

--
Kind regards,
Luca Boccassi

diff -Nru systemd-252.16/debian/changelog systemd-252.17/debian/changelog --- systemd-252.16/debian/changelog 2023-09-09 02:24:49.000000000 +0100 +++ systemd-252.17/debian/changelog 2023-09-20 13:15:14.000000000 +0100 @@ -1,3 +1,11 @@ +systemd (252.17-1~deb12u1) bookworm; urgency=medium + + * New upstream version 252.17. Fixes minor security issue in arm64 + and riscv64 systemd-boot (EFI) with device tree blobs loading: + https://github.com/systemd/systemd/security/advisories/GHSA-6m6p-rjcq-334c + + -- Luca Boccassi <bluca@debian.org> Wed, 20 Sep 2023 13:15:14 +0100 + systemd (252.16-1~deb12u1) bookworm; urgency=medium * New upstream version 252.16 diff -Nru systemd-252.16/src/boot/efi/boot.c systemd-252.17/src/boot/efi/boot.c --- systemd-252.16/src/boot/efi/boot.c 2023-09-09 02:21:12.000000000 +0100 +++ systemd-252.17/src/boot/efi/boot.c 2023-09-20 10:14:24.000000000 +0100
@@ -2402,7 +2402,9 @@ if (err != EFI_SUCCESS) return log_error_status_stall(err, L"Error loading %s: %r", entry->loader, err); - if (entry->devicetree) { + /* DTBs are loaded by the kernel before ExitBootServices, and they can be used to map and assign + * arbitrary memory ranges, so skip it when secure boot is enabled as the DTB here is unverified. */ + if (entry->devicetree && !secure_boot_enabled()) { err = devicetree_install(&dtstate, image_root, entry->devicetree); if (err != EFI_SUCCESS) return log_error_status_stall(err, L"Error loading %s: %r", entry->devicetree, err);
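Review bot: in the boot.c hunk the new `&& !secure_boot_enabled()` condition makes the skip silent: a boot entry that sets `devicetree` will have it ignored whenever secure boot is on, with nothing in the boot log to say so, so an operator whose arm64/riscv64 board suddenly comes up with the firmware's own DTB gets no hint why. Consider emitting a message at that point (the surrounding code already reports loader and devicetree errors via `log_error_status_stall`), stating that the unverified DTB `entry->devicetree` was not installed because secure boot is enabled, so the reason given in the source comment is also visible at runtime.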
--- End Message ---
--- Begin Message ---
- To: 1052325-done@bugs.debian.org
- Subject: Released with 12.2
- From: Jonathan Wiltshire <jmw@coccia.debian.org>
- Date: Sat, 07 Oct 2023 09:59:42 +0000
- Message-id: <E1qp462-00A4Hl-NO@coccia.debian.org>
Version: 12.2

The upload requested in this bug has been released as part of 12.2.
--- End Message ---