[sf-lug] systemd and memory corruption...

Todd Hawley celticdm at gmail.com
Tue Jan 22 09:36:21 PST 2019


 I'm glad I'm on this list, if for no other reason than to find out what an
apparent piece of crap systemd is. And to think,
some were touting this a year or so ago as a "great, new thing." Vulns and
other major issues? Ummm no, I'll pass. :p

-th

On Tue, Jan 22, 2019 at 8:51 AM Ken Shaffer <kenshaffer80 at gmail.com> wrote:

> Maybe the week you lost contact, Bobbie.  Ubuntu patches were out Jan 11,
> and Rick commented.
> Just to repeat the vulnerabilities and fixed package from the earlier Jan
> 11 post:
>
> systemd (237-3ubuntu10.11) bionic-security; urgency=medium
>
>   * SECURITY UPDATE: memory corruption in journald via attacker controlled alloca
>     - debian/patches/CVE-2018-16864.patch: journald: do not store the iovec
>       entry for process commandline on the stack
>     - CVE-2018-16864
>   * SECURITY UPDATE: memory corruption in journald via attacker controlled alloca
>     - debian/patches/CVE-2018-16865_1.patch: journald: set a limit on the
>       number of fields (1k)
>     - debian/patches/CVE-2018-16865_2.patch: journal-remote: set a limit on the
>       number of fields in a message
>     - CVE-2018-16865
>   * SECURITY UPDATE: out-of-bounds read in journald
>     - debian/patches/CVE-2018-16866.patch: journal: fix syslog_parse_identifier()
>     - CVE-2018-16866
>
> Ken
>
> On Tue, Jan 22, 2019 at 8:27 AM Bobbie Sellers <
> bliss-sf4ever at dslextreme.com> wrote:
>
>> Hi LUGers,
>>
>>     Well some of us knew in our hearts that systemd was
>> an evil scheme.  ;^)    I found this on the Usenet in a
>> Linux newsgroup, comp.os.linux.misc.  ;^|
>>
>>
>> <https://www.bleepingcomputer.com/news/security/linux-systemd-affected-by-memory-corruption-vulnerabilities-no-patches-yet/>
>>
>>     I haven't had time to read the full article at the site.
>>     Rick can probably comment better than I on the article
>> and its assertions.
>>
>>     Bobbie Sellers
>> _______________________________________________
>> sf-lug mailing list
>> sf-lug at linuxmafia.com
>> http://linuxmafia.com/mailman/listinfo/sf-lug
>> SF-LUG is at http://www.sf-lug.org/