[El-errata] ELSA-2016-2610 Moderate: Oracle Linux 7 systemd security and bug fix update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Nov 10 11:16:47 PST 2016 

Oracle Linux Security Advisory ELSA-2016-2610

http://linux.oracle.com/errata/ELSA-2016-2610.html

The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
libgudev1-219-30.0.1.el7_3.3.i686.rpm
libgudev1-219-30.0.1.el7_3.3.x86_64.rpm
libgudev1-devel-219-30.0.1.el7_3.3.i686.rpm
libgudev1-devel-219-30.0.1.el7_3.3.x86_64.rpm
systemd-219-30.0.1.el7_3.3.x86_64.rpm
systemd-devel-219-30.0.1.el7_3.3.i686.rpm
systemd-devel-219-30.0.1.el7_3.3.x86_64.rpm
systemd-journal-gateway-219-30.0.1.el7_3.3.x86_64.rpm
systemd-libs-219-30.0.1.el7_3.3.i686.rpm
systemd-libs-219-30.0.1.el7_3.3.x86_64.rpm
systemd-networkd-219-30.0.1.el7_3.3.x86_64.rpm
systemd-python-219-30.0.1.el7_3.3.x86_64.rpm
systemd-resolved-219-30.0.1.el7_3.3.i686.rpm
systemd-resolved-219-30.0.1.el7_3.3.x86_64.rpm
systemd-sysv-219-30.0.1.el7_3.3.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/systemd-219-30.0.1.el7_3.3.src.rpm



Description of changes:

[219-30.0.1.3]
- set "RemoveIPC=no" in logind.conf as default for OL7.2 [22224874]
- allow dm remove ioctl to co-operate with UEK3 (Vaughan Cao) [Orabug: 
18467469]
- add hv dynamic memory support (Jerry Snitselaar) [Orabug: 18621475]
- rules: load sg module (#1223340)
- run: drop mistakenly committed test code (#1220272)
- cgroup: downgrade log messages when we cannot write to cgroup trees 
that are mounted read-only (#1220298)
- Revert "conditionalize hardening away on s390(x)"
- Revert "units: fix BindsTo= logic when applied relative to services 
with Type=oneshot" (#1203803)
- shared/install: avoid prematurely rejecting "missing" units (#1199981)
- core: fix enabling units via their absolute paths (#1199981)

[219-30.3]
- mtd_probe: add include for stdint (#1381573)

[219-30.2]
- manager: 219 needs u->id in log_unit_debug (#1381573)

[219-30.1]
- If the notification message length is 0, ignore the message (#4237) 
(#1381573)
- systemctl: suppress errors with "show" for nonexistent units and 
properties (#1380686)
- 40-redhat.rules: disable auto-online of hot-plugged memory on IBM z 
Systems (#1381123)
- pid1: don't return any error in manager_dispatch_notify_fd() (#4240) 
(#1381573)
- pid1: process zero-length notification messages again (#1381573)
- pid1: more informative error message for ignored notifications (#1381573)

[219-30]
- systemctl,pid1: do not warn about missing install info with "preset" 
(#1373950)
- systemctl/core: ignore masked units in preset-all (#1375097)
- shared/install: handle dangling aliases as an explicit case, report 
nicely (#1375097)
- shared/install: ignore unit symlinks when doing preset-all (#1375097)
- 40-redhat.rules: don't hoplug memory on s390x (#1370161)

[219-29]
- fix gcc warnings about uninitialized variables (#1318994)
- journalctl: rework code that checks whether we have access to 
/var/log/journal (#1318994)
- journalctl: Improve boot ID lookup (#1318994)
- journalctl: only have a single exit path from main() (#1318994)
- journalctl: free all command line argument objects (#1318994)
- journalctl: rename boot_id_t to BootId (#1318994)
- util: introduce CMSG_FOREACH() macro and make use of it everywhere 
(#1318994)
- journald: don't employ inner loop for reading from incoming sockets 
(#1318994)
- journald: fix count of object meta fields (#1318994)
- journal-cat: return a correct error, not -1 (#1318994)
- journalctl: introduce short options for --since and --until (#1318994)
- journal: s/Envalid/Invalid/ (#1318994)
- journald: dispatch SIGTERM/SIGINT with a low priority (#1318994)
- lz4: fix size check which had no chance of working on big-endian 
(#1318994)
- journal: normalize priority of logging sources (#1318994)
- Fix miscalculated buffer size and uses of size-unlimited sprintf() 
function. (#1318994)
- journal: Drop monotonicity check when appending to journal file (#1318994)
- journalctl: unify how we free boot id lists a bit (#1318994)
- journalctl: don't trust the per-field entry tables when looking for 
boot IDs (#1318994)
- units: remove udev control socket when systemd stops the socket unit 
(#49) (#1370133)
- logind: don't assert if the slice is missing (#1371437)
- core: enable transient unit support for slice units (#1370299)
- sd-bus: bump message queue size (#1371205)
- install: fix disable when /etc/systemd/system is a symlink (#1285996)
- rules: add NVMe rules (#3136) (#1274651)
- rules: introduce disk/by-id (model_serial) symlinks for NVMe drives 
(#3974) (#1274651)
- rules: fix for possible whitespace in the "model" attribute (#1274651)

[219-27]
- tmpfiles: enforce ordering when executing lines (#1365870)
- Introduce bus_unit_check_load_state() helper (#1256858)
- core: use bus_unit_check_load_state() in 
transaction_add_job_and_dependencies() (#1256858)
- udev/path_id: correct segmentation fault due to missing NULL check 
(#1365556)
- rules: load sg driver also when scsi_target appears (#45) (#1322773)

[219-26]
- install: do not crash when processing empty (masked) unit file (#1159308)
- Revert "install: fix disable via unit file path" (#1348208)
- systemctl: allow disable on the unit file path, but warn about it 
(#3806) (#1348208)

[219-25]
- units: increase watchdog timeout to 3min for all our services (#1267707)
- core: bump net.unix.max_dgram_qlen really early during boot (#1267707)
- core: fix priority ordering in notify-handling (#1267707)
- tests: fix personality tests on ppc64 and aarch64 (#1361049)
- systemctl: consider service running only when it is in active or 
reloading state (#3874) (#1362461)

[219-24]
- manager: don't skip sigchld handler for main and control pid for 
services (#3738) (#1342173)

[219-23]
- udevadm: explicitly relabel /etc/udev/hwdb.bin after rename (#1350756)
- systemctl: return diffrent error code if service exist or not (#3385) 
(#1047466)
- systemctl: Replace init script error codes with enum (#3400) (#1047466)
- systemctl: rework "systemctl status" a bit (#1047466)
- journal-verify: don't hit SIGFPE when determining progress (#1350232)
- journal: avoid mapping empty data and field hash tables (#1350232)
- journal: when verifying journal files, handle empty ones nicely (#1350232)
- journal: explain the error when we find a non-DATA object that is 
compressed (#1350232)
- journalctl: properly detect empty journal files (#1350232)
- journal: uppercase first character in verify error messages (#1350232)
- journalctl: make sure 'journalctl -f -t unmatched' blocks (#1350232)
- journalctl: don't print -- No entries -- in quiet mode (#1350232)
- sd-event: expose the event loop iteration counter via 
sd_event_get_iteration() (#1342173)
- manager: Only invoke a single sigchld per unit within a cleanup cycle 
(#1342173)
- manager: Fixing a debug printf formatting mistake (#1342173)
- core: support IEC suffixes for RLIMIT stuff (#1351415)
- core: accept time units for time-based resource limits (#1351415)
- time-util: add parse_time(), which is like parse_sec() but allows 
specification of default time unit if none is specified (#1351415)
- core: support <soft:hard> ranges for RLIMIT options (#1351415)
- core: fix rlimit parsing (#1351415)
- core: dump rlim_cur too (#1351415)
- install: fix disable via unit file path (#1348208)

[219-22]
- nspawn: when connected to pipes for stdin/stdout, pass them as-is to 
PID 1 (#1307080)
- mount: remove obsolete -n (#1339721)
- core: don't log job status message in case job was effectively NOP 
(#3199) (#1280014)
- core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification 
(#1305608)
- logind: process session/inhibitor fds at higher priority (#1305608)
- Teach bus_append_unit_property_assignment() about 'Delegate' property 
(#1337922)
- sd-netlink: fix deep recursion in message destruction (#1330593)
- add REMOTE_ADDR and REMOTE_PORT for Accept=yes (#1341154)
- core: don't dispatch load queue when setting Slice= for transient 
units (#1343904)
- run: make --slice= work in conjunction with --scope (#1343904)
- myhostname: fix timeout if ipv6 is disabled (#1330973)
- readahead: do not increase nr_requests for root fs block device (#1314559)
- manager: reduce complexity of unit_gc_sweep (#3507) (#1344556)
- hwdb: selinuxify a bit (#3460) (#1343648)

[219-21]
- path_id: reintroduce by-path links for virtio block devices (#952567)
- journal: fix error handling when compressing journal objects (#1292447)
- journal: irrelevant coding style fixes (#1292447)
- install: follow unit file symlinks in /usr, but not /etc when looking 
for [Install] data (#1159308)
- core: look for instance when processing template name (#1159308)
- core: improve error message when starting template without instance 
(#1142369)
- man/tmpfiles.d: add note about permissions and ownership of symlinks 
(#1296288)
- tmpfiles: don't follow symlinks when adjusting ACLs, fille attributes, 
access modes or ownership (#1296288)
- udev: filter out non-sensically high onboard indexes reported by the 
kernel (#1230210)
- test-execute: add tests for RuntimeDirectory (#1324826)
- core: fix group ownership when Group is set (#1324826)
- fstab-generator: cescape device name in root-fsck service (#1306126)
- core: add new RandomSec= setting for time units (#1305279)
- core: rename Random* to RandomizedDelay* (#1305279)
- journal-remote: change owner of /var/log/journal/remote and create 
/var/lib/systemd/journal-upload (#1327303)
- Add Seal option in the configuration file for journald-remote (#1329233)
- tests: fix make check failure (#1159308)
- device: make sure to not ignore re-plugged device (#1332606)
- device: Ensure we have sysfs path before comparing. (#1332606)
- core: fix memory leak on set-default, enable, disable etc (#1331667)
- nspawn: fix minor memory leak (#1331667)
- basic: fix error/memleak in socket-util (#1331667)
- core: fix memory leak in manager_run_generators() (#1331667)
- modules-load: fix memory leak (#1331667)
- core: fix memory leak on failed preset-all (#1331667)
- sd-bus: fix memory leak in test-bus-chat (#1331667)
- core: fix memory leak in transient units (#1331667)
- bus: fix leak in error path (#1331667)
- shared/logs-show: fix memleak in add_matches_for_unit (#1331667)
- logind: introduce LockedHint and SetLockedHint (#3238) (#1335499)
- import: use the old curl api (#1284974)
- importd: drop dkr support (#1284974)
- import: add support for gpg2 for verifying imported images (#1284974)

[219-20]
- run: synchronously wait until the scope unit we create is started 
(#1272368)
- device: rework how we enter tentative state (#1283579)
- core: Do not bind a mount unit to a device, if it was from mountinfo 
(#1283579)
- logind: set RemoveIPC=no by default (#1284588)
- sysv-generator: follow symlinks in /etc/rc.d/init.d (#1285492)
- sysv-generator test: always log to console (#1279034)
- man: RemoveIPC is set to no on rhel (#1284588)
- Avoid /tmp being mounted as tmpfs without the user's will (#1298109)
- test sysv-generator: Check for network-online.target. (#1279034)
- arm/aarch64: detect-virt: check dmi (#1278165)
- detect-virt: dmi: look for KVM (#1278165)
- Revert "journald: turn ForwardToSyslog= off by default" (#1285642)
- terminal-util: when resetting terminals, don't wait for carrier (#1266745)
- basic/terminal-util: introduce SYSTEMD_COLORS environment variable 
(#1247963)
- ask-password: don't abort when message is missing (#1261136)
- sysv-generator: do not join dependencies on one line, split them 
(#1288600)
- udev: fibre channel: fix NPIV support (#1266934)
- ata_id: unreverse WWN identifier (#1273306)
- Fixup WWN bytes for big-endian systems (#1273306)
- sd-journal: introduce has_runtime_files and has_persistent_files 
(#1082179)
- journalctl: improve error messages when the specified boot is not 
found (#1082179)
- journalctl: show friendly info when using -b on runtime journal only 
(#1082179)
- journalctl: make "journalctl /dev/sda" work (#947636)
- journalctl: add match for the current boot when called with devpath 
(#947636)
- man: clarify what happens when journalctl is called with devpath (#947636)
- core: downgrade warning about duplicate device names (#1296249)
- udev: downgrade a few warnings to debug messages (#1289461)
- man: LEVEL in systemd-analyze set-log level is not optional (#1268336)
- Revert "udev: fibre channel: fix NPIV support" (#1266934)
- udev: path-id: fibre channel NPIV - use fc_vport's port_name (#1266934)
- systemctl: is-active/failed should return 0 if at least one unit is in 
given state (#1254650)
- rules: set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only 
with ADD event (#1312011)
- s390: add personality support (#1300344)
- socket_address_listen - do not rely on errno (#1316452)

More information about the El-errata mailing list