[El-errata] ELSA-2025-22660 Moderate: Oracle Linux 9 systemd security update
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Fri Dec 5 13:17:03 UTC 2025
Oracle Linux Security Advisory ELSA-2025-22660
http://linux.oracle.com/errata/ELSA-2025-22660.html
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:
x86_64:
rhel-net-naming-sysattrs-252-55.0.3.el9_7.7.noarch.rpm
systemd-252-55.0.3.el9_7.7.i686.rpm
systemd-252-55.0.3.el9_7.7.x86_64.rpm
systemd-boot-unsigned-252-55.0.3.el9_7.7.x86_64.rpm
systemd-container-252-55.0.3.el9_7.7.i686.rpm
systemd-container-252-55.0.3.el9_7.7.x86_64.rpm
systemd-devel-252-55.0.3.el9_7.7.i686.rpm
systemd-devel-252-55.0.3.el9_7.7.x86_64.rpm
systemd-journal-remote-252-55.0.3.el9_7.7.x86_64.rpm
systemd-libs-252-55.0.3.el9_7.7.i686.rpm
systemd-libs-252-55.0.3.el9_7.7.x86_64.rpm
systemd-oomd-252-55.0.3.el9_7.7.x86_64.rpm
systemd-pam-252-55.0.3.el9_7.7.x86_64.rpm
systemd-resolved-252-55.0.3.el9_7.7.x86_64.rpm
systemd-rpm-macros-252-55.0.3.el9_7.7.noarch.rpm
systemd-udev-252-55.0.3.el9_7.7.x86_64.rpm
systemd-ukify-252-55.0.3.el9_7.7.noarch.rpm
aarch64:
rhel-net-naming-sysattrs-252-55.0.3.el9_7.7.noarch.rpm
systemd-252-55.0.3.el9_7.7.aarch64.rpm
systemd-boot-unsigned-252-55.0.3.el9_7.7.aarch64.rpm
systemd-container-252-55.0.3.el9_7.7.aarch64.rpm
systemd-devel-252-55.0.3.el9_7.7.aarch64.rpm
systemd-journal-remote-252-55.0.3.el9_7.7.aarch64.rpm
systemd-libs-252-55.0.3.el9_7.7.aarch64.rpm
systemd-oomd-252-55.0.3.el9_7.7.aarch64.rpm
systemd-pam-252-55.0.3.el9_7.7.aarch64.rpm
systemd-resolved-252-55.0.3.el9_7.7.aarch64.rpm
systemd-rpm-macros-252-55.0.3.el9_7.7.noarch.rpm
systemd-udev-252-55.0.3.el9_7.7.aarch64.rpm
systemd-ukify-252-55.0.3.el9_7.7.noarch.rpm
SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/systemd-252-55.0.3.el9_7.7.src.rpm
Related CVEs:
CVE-2025-4598
Description of changes:
[252-55.0.3.7]
- serialize: don't allocate 1M on the stack just like that [LINUX-16166]
- Route logs from container mapped uids to the system journal [Orabug: 38135007]
- Drop delay when nspawn fails to reset loginuid [Orabug: 37793135]
- Improve logging for api bus connection and subscribers [Orabug: 38040980]
- Defer processing of timeout events in sd-bus api [Orabug: 38064217]
- coredump: use %d in kernel core pattern - CVE-2025-4598
- Add bus description to sd-bus outgoing sockets [Orabug: 37347576]
- Add log messages about daemon-reload requester and duration [Orabug: 37347576]
- Reverted back to previous Tony Lam patch [Orabug: 25897792] until issue with [Orabug: 36564551] is resolved.
- drop IN_ATTRIB from parent directory inotify watches [Orabug: 37118224]
- 1A) Fix local-fs and remote-fs targets during system boot (replaces old Orabug: 25897792) [Orabug: 36269319]
- 1B) Add "systemd-fstab-generator-reload-targets.service" file [Orabug: 36269319]
- 1C) Add required rpms for correct kickstart/systemd functionality within systemd.spec [Orabug: 36269319]
- 1D) Important: Review 1001-systemd-fstab-generator-reload-targets.patch for important build details/steps [Orabug: 36269319]
- Due to a new [Orabug: 36564551] filed on April 29 2024, reverting back to previous Tony Lam patch [Orabug: 25897792] until issue with [Orabug: 36564551] is resolved.
- drop IN_ATTRIB from parent directory inotify watches [Orabug: 37118224]
- Reverted back to previous Tony Lam patch [Orabug: 25897792] until issue with [Orabug: 36564551] is resolved.
- Re-Added 1001-Fix-missing-netdev-for-iscsi-entry-in-fstab.patch [Orabug: 25897792]
- Backport upstream pstore dmesg fix [Orabug: 34868110]
- Remove upstream references [Orabug: 33995357]
- Disable unprivileged BPF by default [Orabug: 32870980]
- udev rules: fix memory hot add and remove [Orabug: 31310273]
- set "RemoveIPC=no" in logind.conf as default for OL7.2 [Orabug: 22224874]
- allow dm remove ioctl to co-operate with UEK3 [Orabug: 18467469]
- shutdown: get only active md arrays. [Orabug: 34467234]
- Wait for an extra configurable time before udevd kills a worker [Orabug: 36017407]
- Removed unneeded patches from the systemd.spec
- 1A) 1004-orabug34272490-0001-core-device-ignore-DEVICE_FOUND_UDEV-bit-on-switchin.patch [Orabug: 34272490]
- 1B) 1005-orabug34272490-0002-core-device-drop-unnecessary-condition.patch [Orabug: 34272490]
- 1C) 1007-orabug34868110-pstore-fixes-for-dmesg.txt-reconstruction.patch [Orabug: 34868110]
- Removed the following, associated with [Orabug: 36269319]:
- 2A) Remove 1001-systemd-fstab-generator-reload-targets.patch
- 2B) Remove Fix local-fs and remote-fs targets during system boot [Orabug: 36269319]
- 2C) Remove "systemd-fstab-generator-reload-targets.service" file [Orabug: 36269319]
- 2D) Remove required rpms for correct kickstart/systemd functionality within systemd.spec [Orabug: 36269319]
- 2E) Remove Important: Review 1001-systemd-fstab-generator-reload-targets.patch for important build details/steps [Orabug: 36269319]
[252-55.7]
- core: fix array size in unit_log_resources() (RHEL-132120)
[252-55.6]
- timer: rebase last_trigger timestamp if needed (RHEL-127022)
[252-55.5]
- test: rename TEST-53-ISSUE-16347 to TEST-53-TIMER (RHEL-127022)
- test: restarting elapsed timer shouldn't trigger the corresponding service (RHEL-127022)
- test: check the next elapse timer timestamp after deserialization (RHEL-127022)
- timer: don't run service immediately after restart of a timer (RHEL-127022)
- test: store and compare just the property value (RHEL-127022)
- timer: rebase the next elapse timestamp only if timer didn't already run (RHEL-127022)
- coredump: handle ENOBUFS and EMSGSIZE the same way (RHEL-126114)
[252-55.4]
- cryptsetup: Add optional support for linking volume key in keyring. (RHEL-118294)
- cryptsetup: fix typo (RHEL-118294)
- cryptsetup: HAVE_CRYPT_SET_KEYRING_TO_LINK is always defined (RHEL-118294)
- basic: add PIDFS magic (#31709) (RHEL-118294)
- time-util: make USEC_TIMESTAMP_FORMATTABLE_MAX for 32bit system off by one day (RHEL-118294)
- coredump: make check that all argv[] meta data fields are passed strict (RHEL-104138)
- coredump: restore compatibility with older patterns (RHEL-104138)
- coredump: use %d in kernel core pattern (RHEL-104138)
- pidref: add structure that can reference a pid via both pidfd and pid_t (RHEL-104138)
- fd-util: introduce parse_fd() (RHEL-104138)
- coredump: add support for new %F PIDFD specifier (RHEL-104138)
[252-55.2]
- Revert "test-time-util: disable failing tests" (RHEL-110954)
- test: use get_timezones() to iterate all known timezones (RHEL-110954)
- test-time-util: do not fail on DST change (RHEL-110954)
- test-time-util: suppress timestamp conversion failures for Africa/Khartoum timezone (RHEL-110954)
- test-time-util: do more suppression of time zone checks (RHEL-110954)
- test-time-util: fix truncation of usec to sec (RHEL-110954)
- test: unset TZ before timezone-sensitive unit tests are run (RHEL-110954)
- meson: extend timeout for test-time-util (RHEL-110954)
- time-util: use DEFINE_STRING_TABLE_LOOKUP_TO_STRING() macro (RHEL-110954)
- time-util: align string table (RHEL-110954)
- time-util: rename variables (RHEL-110954)
- time-util: add assertions (RHEL-110954)
- time-util: drop redundant else (RHEL-110954)
- time-util: do not use strdupa() (RHEL-110954)
- time-util: use result from startswith_no_case() (RHEL-110954)
- time-util: use usec_add() and usec_sub_unsigned() (RHEL-110954)
- time-util: shorten code a bit (RHEL-110954)
- time-util: rename variables (RHEL-110954)
- time-util: drop unnecessary assignment of timezone name (RHEL-110954)
- time-util: make parse_timestamp() use the RFC-822/ISO 8601 standard timezone spec (RHEL-110954)
- time-util: fix typo (RHEL-110954)
- ci: bump the tools tree to F42 (RHEL-110954)
[252-55.1]
- meson: /etc/systemd/network is also used by udevd (RHEL-111611)
- test: add tests for format_timestamp() and parse_timestamp() with various timezone (RHEL-110954)
- test-time-util: disable failing tests (RHEL-110954)
- test: test parse_timestamp() in various timezone (RHEL-110954)
- systemctl: logind: add missing asserts (RHEL-110954)
- systemctl: logind: make logind_schedule_shutdown accept action as param (RHEL-110954)
- systemctl: add option --when for scheduled shutdown (RHEL-110954)
- test-time-util: add test cases to invalidate "show" and "cancel" (RHEL-110954)
- sd-bus: make bus_add_match_full accept timeout (RHEL-111630)
- core/unit: add get_timeout_start_usec in UnitVTable and define it for service (RHEL-111630)
- core/unit: increase the NameOwnerChanged/GetNameOwner timeout to the unit's start timeout (RHEL-111630)
- core,sd-bus: drop empty lines between function call and error check (RHEL-111630)
- core: do not disconnect from bus when failed to install signal match (RHEL-111630)
- dbus: stash the subscriber list when we disconnect from the bus (RHEL-111630)
- manager: s/deserialized_subscribed/subscribed_as_strv (RHEL-111630)
- bus-util: do not reset the count returned by sd_bus_track_count_name() (RHEL-111630)
- core/manager: restore bus track deserialization cleanup in manager_reload() (RHEL-111630)
- core/manager: drop duplicate bus track deserialization (RHEL-111630)
- sd-bus/bus-track: use install_callback in sd_bus_track_add_name() (RHEL-111630)