Debian 10225 Published by

Updated systemd packages has been released for Debian GNU/Linux 7 Extended LTS to address two vulnerabilities in the systemd components systemd-tmpfiles and pam_systemd.so



Package: systemd
Version: 44-11+deb7u7
Related CVE: CVE-2017-18078 CVE-2019-3842
Two vulnerabilities have been addressed in the systemd components systemd-tmpfiles and pam_systemd.so.

CVE-2017-18078: systemd-tmpfiles in systemd attempted to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allowed local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacked write access.

CVE-2019-3842: It was discovered that pam_systemd did not properly sanitize the environment before using the XDG_SEAT variable. It was possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allowed for commands to be checked against polkit policies using the “allow_active” element rather than “allow_any”.

For Debian 7 Wheezy, these problems have been fixed in version 44-11+deb7u7.

We recommend that you upgrade your systemd packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
  Systemd Security Update for Debian 7 ELTS