Bugzilla – Bug 1181400
AUDIT-TASK: Evaluate systemd hardenings and get more services to use them
Last modified: 2024-11-04 05:04:50 UTC
Analyze service: systemd-analyze security smartd.service

E.g. set options like NoNewPrivileges in as many services as possible. We could also have this in rpmlint, so that it warns if you don't have some default set of options, and we carry a whitelist for services that really can't have those.
Originated from Dirk Mueller's post on opensuse-factory:
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/6IFSI4IE6UVWUYGD6F6P5NV4VS6HIEF4/
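The rpmlint-style check proposed above, as an added example that is not code from this bug, from rpmlint or from the hardening script: it parses a unit file, compares the [Service] section against a default hardening set and skips units on a whitelist. The directive set, the whitelist contents and the sample unit are assumptions for the demonstration; the lint only looks at the last assignment of each key, as systemd does for non-list settings.

```python
#!/usr/bin/env python3
"""Hardening lint for systemd unit files, in the spirit of the rpmlint check
proposed in the bug description. Added example, not the bug's or rpmlint's code.
The expected directive set and the whitelist are assumptions for the example."""
import re
import sys

# Values systemd accepts as boolean true.
TRUE = {"1", "yes", "true", "on"}

# Default hardening set: directive -> accepted values. Assumption for the
# example, built from the directives discussed in this bug.
DEFAULT_HARDENING = {
    "NoNewPrivileges": TRUE,
    "ProtectSystem": {"full", "strict"},
    "ProtectHome": TRUE | {"read-only", "tmpfs"},
    "PrivateTmp": TRUE,
    "PrivateDevices": TRUE,
    "ProtectKernelTunables": TRUE,
    "ProtectKernelModules": TRUE,
    "ProtectControlGroups": TRUE,
    "RestrictRealtime": TRUE,
}

# Units that legitimately cannot carry the default set (hypothetical list).
WHITELIST = {"auditd.service"}


def parse_unit(text):
    """Parse unit-file text into {section: {key: [values]}}.
    Repeated keys accumulate; an empty assignment ('Key=') resets the list,
    mirroring how systemd treats list-valued settings."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value:
            current.setdefault(key, []).append(value)
        else:
            current[key] = []
    return sections


def missing_hardening(text, unit_name, expected=DEFAULT_HARDENING, whitelist=WHITELIST):
    """Return a sorted list of findings: 'Key' when the directive is absent,
    'Key=value' when its last assignment is not a hardened value.
    Whitelisted units produce no findings."""
    if unit_name in whitelist:
        return []
    service = parse_unit(text).get("Service", {})
    findings = []
    for key, accepted in expected.items():
        values = service.get(key, [])
        if not values:
            findings.append(key)
        elif values[-1].lower() not in accepted:  # last assignment wins
            findings.append(f"{key}={values[-1]}")
    return sorted(findings)


# Constructed sample unit for the demonstration (not a real package's unit).
SAMPLE_UNIT = """\
[Unit]
Description=Sample daemon

[Service]
ExecStart=/usr/bin/sampled
NoNewPrivileges=yes
ProtectSystem=full
PrivateTmp=true
# ProtectKernelModules left out on purpose
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_UNIT
    name = path.rsplit("/", 1)[-1] if path else "sampled.service"
    for finding in missing_hardening(text, name):
        print(f"{name}: missing or weak hardening: {finding}")
```

Run it against a unit file path to get one line per missing or weakened directive; an rpmlint check would wrap the same function around the unit files shipped in the package. The check is deliberately conservative: ProtectSystem=true counts as weak because only ProtectSystem=full or strict makes /etc read-only.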
I will start to work on this. Will probably turn into a longer project.
I'm working on a script that can submit these changes in mass. Documentation: https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
I've sent the first 10 submissions, let's see how this goes.
A number of these submissions hit packages which ONLY exist for use within containers in Kubic. The documentation states that "many of these sandboxing features are gracefully turned off on systems where the underlying security mechanism is not available. For example, ProtectSystem= has no effect if the kernel is built without file system namespacing or if the service manager runs in a container manager that makes file system namespacing unavailable to its payload". Are we sure all of these parameters are safe to use and/or noops when run in containers?
No, we're not (although I would assume that it is safe). I can exclude these packages (I assume coredns) if necessary. I rely on packager testing, as I do this for all of Factory and can't test them individually.
Take note that ProtectClock= implies a DeviceAllow= line, which implies a device *restriction* for every other device (minus the obvious /dev/null and a few).
Yes I know. In the default list I use, PrivateDevices is included, so that's already covered.
Great idea, but on systems with systemd < 244 this will generate one or more warnings like this to syslog:

Unknown key name 'XXX' in section 'Service', ignoring.

I've inventoried when newer options were introduced. Ideally any unsupported options could be removed from the patched file during the %prep step.

244 - ProtectKernelLogs
242 - ProtectHostname
239 - PrivateMounts
232 - ProtectKernelModules, ProtectKernelTunables, ProtectControlGroups
231 - RestrictRealtime
thanks for the suggestions. I'm concentrating on Factory for now. I'll check if I can find a way to add statements that modify the patches depending on the build target, but that might be difficult to do for arbitrary packages
> thanks for the suggestions. I'm concentrating on Factory for now. I'll check if I can find a way to add statements that modify the patches depending on the build target, but that might be difficult to do for arbitrary packages

Understood - this is probably easier said than done. FWIW here's my hack for this:

# Avoid "Unknown key name 'XXX' in section 'Service', ignoring." warnings from systemd on older releases
%if 0%{?is_opensuse} && 0%{?sle_version} < 150300
sed -r -i '/^(Protect(Home|Hostname|KernelLogs)|PrivateMounts)=/d' src/unit/fonehome.service
%endif
Yes, it unfortunately is. For now I added it to the FAQ at https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort so that interested maintainers can add it manually.
Perfect - thanks.
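A version-keyed variant of the %prep hack above, as an added example that is neither the package's spec code nor part of the hardening script: instead of testing product macros, it takes the systemd version the build targets and drops every [Service] directive that version would reject with "Unknown key name". The introduction table is the one inventoried in the comment above plus ProtectClock (systemd 245, from systemd's NEWS); the sample unit and the assumption that SLE 12 SP5 ships systemd 228 are mine.

```python
#!/usr/bin/env python3
"""Strip [Service] directives that an older systemd cannot parse, keyed on the
target systemd version instead of on product macros. Added example, not the
package's spec code. The introduction table is the one inventoried in this
bug (ProtectClock=245 added from systemd's NEWS)."""
import re
import subprocess

# Directive -> first systemd release that understands it.
INTRODUCED_IN = {
    "ProtectClock": 245,
    "ProtectKernelLogs": 244,
    "ProtectHostname": 242,
    "PrivateMounts": 239,
    "ProtectKernelModules": 232,
    "ProtectKernelTunables": 232,
    "ProtectControlGroups": 232,
    "RestrictRealtime": 231,
}


def parse_systemd_version(version_output):
    """Extract the major version from `systemctl --version` output,
    e.g. 'systemd 246 (246.16+suse.131.g2bfdd13a7a)' -> 246."""
    m = re.search(r"^systemd (\d+)", version_output, re.MULTILINE)
    if not m:
        raise ValueError("unrecognised systemctl --version output")
    return int(m.group(1))


def installed_systemd_version():
    """Query the running system (not used by the offline demonstration)."""
    out = subprocess.run(["systemctl", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return parse_systemd_version(out)


def unsupported_keys(systemd_version):
    """Directives the given systemd would log as 'Unknown key name'."""
    return {k for k, v in INTRODUCED_IN.items() if v > systemd_version}


def strip_unsupported(unit_text, systemd_version):
    """Drop whole 'Key=...' lines in [Service] for directives newer than the
    target. Other sections, comments and blank lines pass through unchanged,
    so the result is still a valid unit with the same ordering."""
    drop = unsupported_keys(systemd_version)
    section, out = None, []
    for line in unit_text.splitlines(keepends=True):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1]
        elif section == "Service" and "=" in s and not s.startswith(("#", ";")):
            if s.split("=", 1)[0].strip() in drop:
                continue
        out.append(line)
    return "".join(out)


# Constructed unit used for the demonstration.
SAMPLE_UNIT = """\
[Unit]
Description=Sample daemon

[Service]
ExecStart=/usr/bin/sampled
ProtectKernelLogs=true
ProtectHostname=true
PrivateMounts=true
RestrictRealtime=true
"""

if __name__ == "__main__":
    # Assumption: SLE 12 SP5 ships systemd 228, so every key in the table
    # would be dropped there; systemd 239 keeps PrivateMounts= and
    # RestrictRealtime= and only loses ProtectKernelLogs=/ProtectHostname=.
    print(strip_unsupported(SAMPLE_UNIT, 239), end="")
```

In a spec file the version number for the build target can be fed in from `pkg-config --modversion systemd` (requires pkgconfig(systemd) as a BuildRequires) rather than hard-coded, which avoids the macro condition in the hack above being silently false on a product it was not written for.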
Hello. I just noticed (a bit late, I admit) "ProtectSystem=full" has broken the audit package.

What broke
==========

# rm -rf /etc/audit/audit.rules
# systemctl start auditd.service
> Sep 17 19:54:33 cyberdelia systemd[1]: Starting Security Auditing Service...
> Sep 17 19:54:33 cyberdelia auditd[18786]: No plugins found, not dispatching events
> Sep 17 19:54:33 cyberdelia auditd[18786]: Init complete, auditd 3.0.3 listening for events (startup state enable)
> Sep 17 19:54:33 cyberdelia augenrules[18798]: cp: cannot create regular file '/etc/audit/audit.rules': Read-only file system
> Sep 17 19:54:33 cyberdelia augenrules[18799]: chmod: cannot access '/etc/audit/audit.rules': No such file or directory
> Sep 17 19:54:33 cyberdelia systemd[1]: Started Security Auditing Service.

augenrules will try to merge all the rules from all files in /etc/audit/rules.d and put them all into the /etc/audit/audit.rules file.

Why this wasn't caught earlier
==============================

Since the audit spec file will create both files upon installation, my tests didn't catch this. Only when changing the rules and/or /etc/audit/audit.rules is removed can this be observed. Also, since audit-testsuite changes/creates the rules dynamically (through auditctl), this couldn't be observed either. And it's also surprising nobody has reported this earlier.

How to fix
==========

I'd suggest removing the ProtectSystem directive altogether (and PrivateDevices=true as well). If that's too blunt, we can consider adding:

ReadWritePaths=/etc/audit

as an initial measure. But still, considering audit's purpose and design, I'd like to insist on removing the entries mentioned above completely. Please let me know your thoughts.
Thanks for the detailed writeup. ReadWritePaths=/etc/audit would be my preferred way if that works. Removing the entries would be only a last resort. Is that okay for you?
(In reply to Johannes Segitz from comment #18)
> Thanks for the detailed writeup.
> ReadWritePaths=/etc/audit
> would be my preferred way if that works. Removing the entries would be only
> a last resort. Is that okay for you?

Ok, I'll submit with the v3.0.5 I'm preparing. Just FTR, this assumes users:
- won't set log_file to anywhere in /etc
- won't try to monitor something in /dev

These are hard assumptions, but I've seen some crazy rules around :P
Writing logs to /etc is (hopefully) uncommon, but monitoring /dev could be a real usecase, so PrivateDevices should be dropped. Do you want me to resubmit?
(In reply to Johannes Segitz from comment #20)
> Writing logs to /etc is (hopefully) uncommon, but monitoring /dev could be a
> real usecase, so PrivateDevices should be dropped. Do you want me to
> resubmit?

Ok, I'll drop it then. I haven't submitted yet. AFAIK I revoked my last submission from last week. Please confirm.
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/920996 Factory / gpsd
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/921079 Factory / gpsd
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/921732 Factory / gpsd
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/923735 Factory / gerbera
Wrt hardening auditd it may make sense to split off the augenrules part into a separate service. The running auditd does not need write permissions on /etc/audit so shouldn't have it either.
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/925223 Factory / oidentd
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/925491 Factory / nginx
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/925880 Factory / parkverbot
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/926513 15.2 / hylafax+ https://build.opensuse.org/request/show/926514 15.3 / hylafax+
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/927197 Factory / lighttpd
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/927550 Backports:SLE-15-SP3 / gpsd https://build.opensuse.org/request/show/927551 Backports:SLE-15-SP2 / gpsd https://build.opensuse.org/request/show/927552 15.2 / gpsd
The change in pulseaudio seems problematic, now in openQA, PA couldn't see devices. https://build.opensuse.org/request/show/927428
openSUSE-RU-2021:1421-1: An update that has two recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1181400,1191571 CVE References: JIRA References: Sources used: openSUSE Leap 15.2 (src): hylafax+-7.0.4-lp152.3.12.1
openSUSE-RU-2021:1447-1: An update that has two recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1181400,1191571 CVE References: JIRA References: Sources used: openSUSE Backports SLE-15-SP2 (src): hylafax+-7.0.4-bp152.3.12.1
(In reply to Takashi Iwai from comment #40) sorry for that, PrivateDevices should definitely not be in there. I'll need to do more testing with users services. Thanks for reverting
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/931724 15.3 / gnuhealth
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/932263 Factory / shadow
Hey there, I would be happy to have this on 389-ds, as well as some other protections too. I think that its service file is upstream though, so I'd be happy to coordinate this with them :)
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/933217 Factory / spamassassin
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/934541 Backports:SLE-15-SP4 / shairport-sync
klog.service cannot work. Has anybody even looked at the changes before blindly committing them?

ProtectKernelLogs=true
...
ExecStart=/bin/sh -c "/bin/dmesg -r > /var/log/boot.msg"
Additionally,

StandardError=tty
StandardOutput=tty

is broken by

PrivateDevices=true
ProtectClock=true

So either change Standard{Output,Error} to something different or remove the ProtectClock / PrivateDevices settings from klog.service, please.
(In reply to Stefan Seyfried from comment #54) Have a look at bsc#1193172/sr#934727 Apart from that: You're very welcome in helping testing these changes.
Is there a repo I could add that contains tumbleweed + upcoming hardening changes to test this?
I've noticed that this hardening has broken the vtysh operation in the frr package: it can't save updated configs anymore. Adding ReadWritePaths=/etc/frr solved the issue.
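The three breakages reported in this bug (auditd and frr writing under /etc with ProtectSystem=full, and klog.service's dmesg and tty output under ProtectKernelLogs=, PrivateDevices= and ProtectClock=) can be caught before a submission by modelling what the sandbox leaves writable. The following is an added example, not systemd code and not the hardening script: the path rules are my reading of systemd.exec(5), simplified (no ProtectHome=, no RuntimeDirectory=/StateDirectory=, no mount propagation), and they assume the sandbox is actually applied, which it is not inside a container without mount namespaces. The service maps are constructed from the directives quoted in the comments above.

```python
#!/usr/bin/env python3
"""Model of the write access a unit keeps under ProtectSystem= and the
ReadWritePaths=/ReadOnlyPaths=/InaccessiblePaths= lists, plus a check for the
two klog.service conflicts. Added example, not systemd code; the rules are a
simplified reading of systemd.exec(5)."""
import os

TRUE = {"1", "yes", "true", "on"}


def _norm(path):
    return os.path.normpath(path)


def _under(path, prefix):
    """True if path equals prefix or lies below it."""
    path, prefix = _norm(path), _norm(prefix)
    return path == prefix or prefix == "/" or path.startswith(prefix + "/")


def _paths(value):
    """Split a space-separated path list; the '-' (optional) and '+'
    (relative to RootDirectory=) prefixes are ignored by this model."""
    return [p.lstrip("-+") for p in value.split()]


def effective_access(path, service):
    """Return 'rw', 'ro' or 'none' for `path` given a {directive: value} map.
    InaccessiblePaths= cannot be overridden; between ReadWritePaths= and
    ReadOnlyPaths= the longest matching prefix wins; ProtectSystem= is the
    fallback for everything not listed explicitly."""
    if any(_under(path, p) for p in _paths(service.get("InaccessiblePaths", ""))):
        return "none"
    best_len, best_mode = -1, None
    for key, mode in (("ReadWritePaths", "rw"), ("ReadOnlyPaths", "ro")):
        for p in _paths(service.get(key, "")):
            if _under(path, p) and len(_norm(p)) > best_len:
                best_len, best_mode = len(_norm(p)), mode
    if best_mode:
        return best_mode
    ps = service.get("ProtectSystem", "no").lower()
    if ps == "strict":
        # Whole hierarchy read-only except the API file systems.
        api = any(_under(path, d) for d in ("/dev", "/proc", "/sys"))
        return "rw" if api else "ro"
    if ps in TRUE or ps == "full":
        roots = ["/usr", "/boot", "/efi"] + (["/etc"] if ps == "full" else [])
        if any(_under(path, d) for d in roots):
            return "ro"
    return "rw"


def unwritable(paths, service):
    """Paths the daemon needs to write but the sandbox would refuse."""
    return [p for p in paths if effective_access(p, service) != "rw"]


def klog_conflicts(service):
    """Flag (hardening directive, conflicting directive) pairs for the klog
    case: ProtectKernelLogs= with dmesg in an Exec* line, and
    StandardOutput/StandardError=tty with PrivateDevices= or ProtectClock=
    (ProtectClock= implies a DeviceAllow= list, which restricts devices)."""
    on = lambda key: service.get(key, "no").lower() in TRUE
    findings = []
    for key, cmd in service.items():
        if key.startswith("Exec") and "dmesg" in cmd and on("ProtectKernelLogs"):
            findings.append(("ProtectKernelLogs", key))
    for stream in ("StandardOutput", "StandardError"):
        if service.get(stream, "").lower() == "tty":
            for dev in ("PrivateDevices", "ProtectClock"):
                if on(dev):
                    findings.append((dev, stream))
    return findings


# Constructed service maps for the cases reported in this bug.
AUDITD = {"ProtectSystem": "full", "PrivateDevices": "true"}
AUDITD_FIXED = dict(AUDITD, ReadWritePaths="/etc/audit")
KLOG = {
    "ProtectKernelLogs": "true", "PrivateDevices": "true", "ProtectClock": "true",
    "StandardOutput": "tty", "StandardError": "tty",
    "ExecStart": '/bin/sh -c "/bin/dmesg -r > /var/log/boot.msg"',
}

if __name__ == "__main__":
    print("auditd:", unwritable(["/etc/audit/audit.rules"], AUDITD))
    print("auditd + ReadWritePaths:", unwritable(["/etc/audit/audit.rules"], AUDITD_FIXED))
    print("klog:", klog_conflicts(KLOG))
```

The model answers the maintainer's question ("which of the paths my daemon writes does this unit still allow?") offline; on a real system the same answer should be confirmed with `systemd-analyze security <unit>` and by starting the service with the files it expects to create removed, which is exactly the test that was missing for auditd.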
(In reply to Stefan Seyfried from comment #57) yes :) home:jsegitz:branches:systemdhardening contains all of the upcoming hardenings. I also try to use it for the packages where I have to do manual fixing, but I'm not 100% consistent. I'll try to use only this project from now on
> osc ls home:jsegitz:branches:systemdhardening
Server returned an error: HTTP Error 404: Not Found
Project not found: home:jsegitz:branches:systemdhardening

Maybe it is on a different OBS instance?
It's a hierarchy, they are subprojects below that:

osc ls | grep home:jsegitz:branches:systemdhardening
Yes, but then there is not "one repo to add" but lots of repos to add, which is not really feasible. So I'll wait for the stuff to arrive in Factory.
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/939443 Factory / sysprof
openSUSE-SU-2021:4018-1: An update that solves two vulnerabilities, contains three features and has four fixes is now available. Category: security (moderate) Bug References: 1152964,1174075,1181400,1188875,1190069,1190896 CVE References: CVE-2021-36386,CVE-2021-39272 JIRA References: SLE-17903,SLE-18059,SLE-18159 Sources used: openSUSE Leap 15.3 (src): fetchmail-6.4.22-20.20.1
SUSE-SU-2021:4018-1: An update that solves two vulnerabilities, contains three features and has four fixes is now available. Category: security (moderate) Bug References: 1152964,1174075,1181400,1188875,1190069,1190896 CVE References: CVE-2021-36386,CVE-2021-39272 JIRA References: SLE-17903,SLE-18059,SLE-18159 Sources used: SUSE Linux Enterprise Server for SAP 15-SP1 (src): fetchmail-6.4.22-20.20.1 SUSE Linux Enterprise Server for SAP 15 (src): fetchmail-6.4.22-20.20.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): fetchmail-6.4.22-20.20.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): fetchmail-6.4.22-20.20.1 SUSE Linux Enterprise Server 15-LTSS (src): fetchmail-6.4.22-20.20.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): fetchmail-6.4.22-20.20.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): fetchmail-6.4.22-20.20.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): fetchmail-6.4.22-20.20.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): fetchmail-6.4.22-20.20.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): fetchmail-6.4.22-20.20.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): fetchmail-6.4.22-20.20.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): fetchmail-6.4.22-20.20.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): fetchmail-6.4.22-20.20.1 SUSE Enterprise Storage 6 (src): fetchmail-6.4.22-20.20.1 SUSE CaaS Platform 4.0 (src): fetchmail-6.4.22-20.20.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/940718 Factory / sbd
openSUSE-SU-2021:1591-1: An update that solves two vulnerabilities, contains three features and has four fixes is now available. Category: security (moderate) Bug References: 1152964,1174075,1181400,1188875,1190069,1190896 CVE References: CVE-2021-36386,CVE-2021-39272 JIRA References: SLE-17903,SLE-18059,SLE-18159 Sources used: openSUSE Leap 15.2 (src): fetchmail-6.4.22-lp152.6.12.1
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/941864 Factory / parsec
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/943792 Backports:SLE-15-SP3 / prosody
openSUSE-RU-2022:0009-1: An update that has two recommended fixes can now be installed. Category: recommended (important) Bug References: 1181400,1192126 CVE References: JIRA References: Sources used: openSUSE Leap 15.3 (src): ovmf-202008-10.11.1 openSUSE Backports SLE-15-SP3 (src): prosody-0.11.11-bp153.2.9.1
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/945229 Factory / wireguard-tools
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/945357 Factory / watchman
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/945374 Factory / vhostmd
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/945580 15.2 / watchman
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/946942 Backports:SLE-15-SP3 / watchman
openSUSE-SU-2022:0016-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1181400,1194470 CVE References: CVE-2022-21944 JIRA References: Sources used: openSUSE Backports SLE-15-SP3 (src): watchman-4.9.0-bp153.2.3.1
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/948120 Backports:SLE-15-SP3 / lighttpd
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/948944 Backports:SLE-15-SP1 / zabbix https://build.opensuse.org/request/show/948946 Backports:SLE-15-SP2 / zabbix https://build.opensuse.org/request/show/948947 Backports:SLE-15-SP4 / zabbix
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/948969 15.1 / zabbix https://build.opensuse.org/request/show/948975 15.3 / zabbix
The package mbpfan had security hardening added; post-hardening the service refused to start. I remarked out the added hardening and the service again started normally. I am not sure where the issue arises with the hardening added. mbpfan is a must for those of us who have MacBook Pros, otherwise Linux generally fries the machine.

https://susepaste.org/64357756
(In reply to Emanuel Castelo from comment #94)
> the package mbpfan had security hardening added, post hardening the service
> refused to start, i remarked out the added hardening and service again
> started normally, i am not sure where the issue arises with hardening added,
> mbpfan is a must for those of us who have MacBookPro's otherwise linux
> generally fries the machine
>
> https://susepaste.org/64357756

Could you try to comment out the hardening lines one by one and see what breaks it?
(In reply to Marcus Meissner from comment #96) I've opened bsc#1195253 to track this
openSUSE-SU-2022:0024-1: An update that solves one vulnerability and has two fixes is now available. Category: security (important) Bug References: 1146452,1181400,1194376 CVE References: CVE-2022-22707 JIRA References: Sources used: openSUSE Backports SLE-15-SP3 (src): lighttpd-1.4.64-bp153.2.3.1
Todays lighttpd update for openSUSE Leap 15.3 containing the hardening settings broke access to the users public_html directories. Details see bug 1195465.
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/952678 Factory / killerd
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/954122 Backports:SLE-15-SP3 / zabbix
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/954363 Factory / owntone
openSUSE-SU-2022:0036-1: An update that solves three vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1144018,1174253,1181400,1183014,1194681 CVE References: CVE-2020-15803,CVE-2021-27927,CVE-2022-23134 JIRA References: Sources used: openSUSE Leap 15.3 (src): zabbix-4.0.37-lp153.2.3.1
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/955587 15.3 / gnuhealth
SUSE-FU-2022:0599-1: An update that has one feature fix and contains one feature can now be installed. Category: feature (moderate) Bug References: 1181400 CVE References: JIRA References: SLE-22863 Sources used: SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 (src): golang-github-prometheus-prometheus-2.32.1-4.3.2 SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (src): golang-github-prometheus-prometheus-2.32.1-4.3.2 SUSE Enterprise Storage 6 (src): golang-github-prometheus-prometheus-2.32.1-4.3.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-FU-2022:0601-1: An update that has one feature fix and contains one feature can now be installed. Category: feature (moderate) Bug References: 1181400 CVE References: JIRA References: SLE-22863 Sources used: SUSE Manager Tools 15 (src): golang-github-prometheus-prometheus-2.32.1-3.35.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-FU-2022:0600-1: An update that has one feature fix and contains one feature can now be installed. Category: feature (moderate) Bug References: 1181400 CVE References: JIRA References: SLE-22863 Sources used: SUSE Manager Tools 12 (src): golang-github-prometheus-prometheus-2.32.1-1.32.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-FU-2022:0599-1: An update that has one feature fix and contains one feature can now be installed. Category: feature (moderate) Bug References: 1181400 CVE References: JIRA References: SLE-22863 Sources used: openSUSE Leap 15.4 (src): golang-github-prometheus-prometheus-2.32.1-4.3.2 openSUSE Leap 15.3 (src): golang-github-prometheus-prometheus-2.32.1-4.3.2
openSUSE-RU-2022:0059-1: An update that has one recommended fix can now be installed. Category: recommended (moderate) Bug References: 1181400 CVE References: JIRA References: Sources used: openSUSE Leap 15.3 (src): gnuhealth-3.8.0-lp153.4.3.1
openSUSE-SU-2022:0058-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 1144018,1181400,1194020,1194215,1194681 CVE References: CVE-2020-15803,CVE-2021-27927,CVE-2021-4126,CVE-2021-44538,CVE-2022-23134 JIRA References: Sources used: openSUSE Leap 15.3 (src): MozillaThunderbird-91.4.1-8.48.1 openSUSE Backports SLE-15-SP3 (src): zabbix-4.0.38-bp153.2.3.1
SUSE-RU-2022:0655-1: An update that has 11 recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1042673,1070653,1083705,1089088,1125951,1144062,1179553,1180314,1181400,1187188,786024 CVE References: JIRA References: Sources used: SUSE Linux Enterprise Server 12-SP5 (src): vsftpd-3.0.5-48.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/959871 Backports:SLE-15-SP3 / minidlna
SUSE-SU-2022:0751-1: An update that fixes 12 vulnerabilities, contains three features is now available. Category: security (moderate) Bug References: 1097531,1181400,1190462,1193357,1194363,1194873,1195625,1195726,1195727,1195728 CVE References: CVE-2021-36222,CVE-2021-3711,CVE-2021-39226,CVE-2021-41174,CVE-2021-41244,CVE-2021-43798,CVE-2021-43813,CVE-2021-43815,CVE-2022-21673,CVE-2022-21702,CVE-2022-21703,CVE-2022-21713 JIRA References: SLE-22863,SLE-23422,SLE-23439 Sources used: SUSE Manager Tools 15-BETA (src): golang-github-prometheus-prometheus-2.32.1-159000.6.24.1, grafana-8.3.5-159000.4.21.1, salt-3004-159000.8.50.1, spacecmd-4.3.7-159000.6.33.1, spacewalk-client-tools-4.3.6-159000.6.39.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-FU-2022:0750-1: An update that solves one vulnerability, contains one feature and has 8 fixes is now available. Category: feature (moderate) Bug References: 1097531,1181400,1190462,1190781,1193357,1193565,1193671,1194363,1195906 CVE References: CVE-2021-45083 JIRA References: SLE-22863 Sources used: SUSE Manager Tools 12-BETA (src): cobbler-2.6.6-52.12.1, golang-github-prometheus-prometheus-2.32.1-4.24.1, mgr-cfg-4.3.4-4.21.1, salt-3000-53.5.1, spacecmd-4.3.7-41.33.1, spacewalk-client-tools-4.3.6-55.39.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to Archie Cobbs from comment #14)
> # Avoid "Unknown key name 'XXX' in section 'Service', ignoring." warnings
> from systemd on older releases
> %if 0%{?is_opensuse} && 0%{?sle_version} < 150300
> sed -r -i '/^(Protect(Home|Hostname|KernelLogs)|PrivateMounts)=/d'
> src/unit/fonehome.service
> %endif

I got a customer complaining about these warnings they are getting from their 12-SP5 system for vsftpd... I was playing with the spec file of vsftpd, the statement

%if 0%{?is_opensuse} && 0%{?sle_version} < 150300

is never true on 12-SP5.
openSUSE-SU-2022:0079-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 1181400,1196814 CVE References: CVE-2022-26505 JIRA References: Sources used: openSUSE Backports SLE-15-SP3 (src): minidlna-1.3.1-bp153.2.3.1
(In reply to Ali Abdallah from comment #122)
That is strange. This is intended to be an effort for Factory. I'm surprised to see this being backported to SLE 12. Can you please open a bug for the maintainer? Thanks
(In reply to Johannes Segitz from comment #127)
> that is strange. This is intended to be an effort for Factory. I'm surprised
> to see this being backported to SLE 12. Can you please open a bug for the
> maintainer? Thanks

It is already handled in bug 1196918. See the changelog of [1]; for some reason the hardening was added to vsftpd on 12-SP5 as well...

[1] https://build.suse.de/request/show/263827
SUSE-SU-2022:0872-1: An update that contains security fixes and contains one feature can now be installed. Category: security (important) Bug References: 1181400,1182529 CVE References: JIRA References: SLE-20679 Sources used: SUSE Manager Server 4.1 (src): stunnel-5.62-3.14.1 SUSE Manager Retail Branch Server 4.1 (src): stunnel-5.62-3.14.1 SUSE Manager Proxy 4.1 (src): stunnel-5.62-3.14.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): stunnel-5.62-3.14.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): stunnel-5.62-3.14.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): stunnel-5.62-3.14.1 SUSE Linux Enterprise Realtime Extension 15-SP2 (src): stunnel-5.62-3.14.1 SUSE Linux Enterprise Module for Server Applications 15-SP4 (src): stunnel-5.62-3.14.1 SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): stunnel-5.62-3.14.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): stunnel-5.62-3.14.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): stunnel-5.62-3.14.1 SUSE Enterprise Storage 7 (src): stunnel-5.62-3.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2022:0872-1: An update that contains security fixes and contains one feature can now be installed. Category: security (important) Bug References: 1181400,1182529 CVE References: JIRA References: SLE-20679 Sources used: openSUSE Leap 15.4 (src): stunnel-5.62-3.14.1 openSUSE Leap 15.3 (src): stunnel-5.62-3.14.1
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/964031 Backports:SLE-15-SP4 / gpsd
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/966560 15.3 / hylafax+
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/971049 15.3 / xfs
openSUSE-RU-2022:0118-1: An update that has 5 recommended fixes can now be installed. Category: recommended (low) Bug References: 1116053,1159121,1173050,1181400,1198532 CVE References: JIRA References: Sources used: openSUSE Leap 15.3 (src): xfs-1.2.0-lp153.2.3.1
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/972616 Backports:SLE-15-SP4 / sshuttle
SUSE-SU-2022:1396-1: An update that fixes 12 vulnerabilities, contains three features is now available. Category: security (moderate) Bug References: 1181400,1194363,1194873,1194909,1195726,1195727,1195728,1197579 CVE References: CVE-2021-36222,CVE-2021-3711,CVE-2021-39226,CVE-2021-41174,CVE-2021-41244,CVE-2021-43798,CVE-2021-43813,CVE-2021-43815,CVE-2022-21673,CVE-2022-21702,CVE-2022-21703,CVE-2022-21713 JIRA References: SLE-23051,SLE-23422,SLE-23439 Sources used: openSUSE Leap 15.4 (src): prometheus-postgres_exporter-0.10.0-150000.1.3.1, spacecmd-4.2.16-150000.3.77.1 openSUSE Leap 15.3 (src): prometheus-postgres_exporter-0.10.0-150000.1.3.1, rhnlib-4.2.6-150000.3.34.1, spacecmd-4.2.16-150000.3.77.1 SUSE Manager Tools 15 (src): grafana-8.3.5-150000.1.30.1, mgr-cfg-4.2.8-150000.1.24.1, mgr-osad-4.2.8-150000.1.36.1, mgr-push-4.2.5-150000.1.18.2, mgr-virtualization-4.2.4-150000.1.26.1, prometheus-postgres_exporter-0.10.0-150000.1.3.1, rhnlib-4.2.6-150000.3.34.1, spacecmd-4.2.16-150000.3.77.1, spacewalk-client-tools-4.2.18-150000.3.59.1, spacewalk-koan-4.2.6-150000.3.27.1, spacewalk-oscap-4.2.4-150000.3.18.1, suseRegisterInfo-4.2.6-150000.3.21.1 SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src): prometheus-postgres_exporter-0.10.0-150000.1.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/972919 Backports:SLE-15-SP4 / touchegg
SUSE-SU-2022:1484-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1181400,1198234 CVE References: CVE-2022-24765 JIRA References: Sources used: openSUSE Leap 15.4 (src): git-2.35.3-150300.10.12.1 openSUSE Leap 15.3 (src): git-2.35.3-150300.10.12.1 SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): git-2.35.3-150300.10.12.1 SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): git-2.35.3-150300.10.12.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): git-2.35.3-150300.10.12.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): git-2.35.3-150300.10.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1531-1: An update that solves 5 vulnerabilities, contains 5 features and has three fixes is now available. Category: security (important) Bug References: 1181400,1190535,1196338,1196704,1197042,1197417,1197579,1197689 CVE References: CVE-2020-22935,CVE-2022-21698,CVE-2022-22934,CVE-2022-22936,CVE-2022-22941 JIRA References: SLE-24077,SLE-24138,SLE-24139,SLE-24238,SLE-24239 Sources used: SUSE Manager Tools 12-BETA (src): golang-github-prometheus-alertmanager-0.23.0-4.9.1, golang-github-prometheus-node_exporter-1.3.0-4.12.1, golang-github-prometheus-prometheus-2.32.1-4.30.1, golang-github-prometheus-promu-0.13.0-4.9.1, mgr-cfg-4.3.6-4.27.1, mgr-osad-4.3.6-4.27.1, mgr-push-4.3.4-4.18.1, mgr-virtualization-4.3.5-4.18.1, rhnlib-4.3.4-24.27.1, salt-3000-53.11.1, spacecmd-4.3.10-41.39.1, spacewalk-client-tools-4.3.9-55.45.1, spacewalk-koan-4.3.5-27.18.1, spacewalk-oscap-4.3.5-22.18.1, suseRegisterInfo-4.3.3-28.21.1, uyuni-common-libs-4.3.4-3.30.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/974990 Backports:SLE-15-SP4 / sshuttle
SUSE-SU-2022:1545-1: An update that solves 5 vulnerabilities, contains two features and has four fixes is now available. Category: security (important) Bug References: 1181400,1196338,1196704,1197042,1197417,1197533,1197579,1197637,1197689 CVE References: CVE-2022-21698,CVE-2022-22934,CVE-2022-22935,CVE-2022-22936,CVE-2022-22941 JIRA References: SLE-24077,SLE-24145 Sources used: SUSE Manager Tools 15-BETA (src): golang-github-prometheus-alertmanager-0.23.0-159000.6.9.3, golang-github-prometheus-prometheus-2.32.1-159000.6.30.4, mgr-cfg-4.3.6-159000.4.26.1, mgr-osad-4.3.6-159000.4.27.2, mgr-push-4.3.4-159000.4.18.2, mgr-virtualization-4.3.5-159000.4.18.2, rhnlib-4.3.4-159000.6.27.2, salt-3004-159000.8.56.1, spacecmd-4.3.10-159000.6.39.2, spacewalk-client-tools-4.3.9-159000.6.45.2, spacewalk-koan-4.3.5-159000.6.18.1, spacewalk-oscap-4.3.5-159000.6.18.2, suseRegisterInfo-4.3.3-159000.6.21.2, uyuni-common-libs-4.3.4-159000.3.30.2, uyuni-proxy-systemd-services-4.3.2-159000.3.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/975223 15.3 / orthanc
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/977602 Backports:SLE-15-SP3 / varnish
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/977679 Backports:SLE-15-SP3 / hostapd
openSUSE-RU-2022:0137-1: An update that has one recommended fix can now be installed. Category: recommended (low) Bug References: 1181400 CVE References: JIRA References: Sources used: openSUSE Leap 15.3 (src): orthanc-1.10.1-lp153.2.3.1
openSUSE-SU-2022:0148-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1181400,1188470,1195188 CVE References: CVE-2021-36740,CVE-2022-23959 JIRA References: Sources used: openSUSE Backports SLE-15-SP3 (src): varnish-7.1.0-bp153.2.3.1
openSUSE-RU-2022:0152-1: An update that has two recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1181400,1192959 CVE References: JIRA References: Sources used: openSUSE Backports SLE-15-SP3 (src): hostapd-2.10-bp153.3.3.1
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/983452 Backports:SLE-12-SP5 / supervisor
SUSE-SU-2022:2139-1: An update that solves one vulnerability, contains one feature and has one errata is now available. Category: security (important) Bug References: 1181400,1196338 CVE References: CVE-2022-21698 JIRA References: SLE-24077 Sources used: openSUSE Leap 15.4 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.7.1 openSUSE Leap 15.3 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.7.1 SUSE Manager Tools 15 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.7.1 SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.7.1 SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.7.1 SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.7.1 SUSE Enterprise Storage 6 (src): golang-github-prometheus-alertmanager-0.23.0-150100.4.7.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2134-1: An update that fixes 13 vulnerabilities, contains 5 features is now available. Category: security (important) Bug References: 1181223,1181400,1190462,1190535,1193600,1194873,1195726,1195727,1195728,1196338,1196704,1197507,1197689 CVE References: CVE-2021-36222,CVE-2021-3711,CVE-2021-39226,CVE-2021-41174,CVE-2021-41244,CVE-2021-43798,CVE-2021-43813,CVE-2021-43815,CVE-2022-21673,CVE-2022-21698,CVE-2022-21702,CVE-2022-21703,CVE-2022-21713 JIRA References: SLE-23422,SLE-23439,SLE-24077,SLE-24238,SLE-24239 Sources used: SUSE OpenStack Cloud Crowbar 9 (src): golang-github-prometheus-node_exporter-1.3.0-1.15.3 SUSE OpenStack Cloud Crowbar 8 (src): golang-github-prometheus-node_exporter-1.3.0-1.15.3 SUSE OpenStack Cloud 9 (src): golang-github-prometheus-node_exporter-1.3.0-1.15.3 SUSE OpenStack Cloud 8 (src): golang-github-prometheus-node_exporter-1.3.0-1.15.3 SUSE Manager Tools 12 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-1.6.1, golang-github-prometheus-alertmanager-0.23.0-1.12.3, golang-github-prometheus-node_exporter-1.3.0-1.15.3, grafana-8.3.5-1.30.3, mgr-cfg-4.3.6-1.27.4, mgr-custom-info-4.3.3-1.18.1, mgr-daemon-4.3.4-1.32.3, mgr-osad-4.3.6-1.39.4, mgr-push-4.3.4-1.21.4, mgr-virtualization-4.3.5-1.29.3, prometheus-blackbox_exporter-0.19.0-1.8.2, prometheus-postgres_exporter-0.10.0-1.8.2, python-hwdata-2.3.5-12.9.1, rhnlib-4.3.4-21.43.3, spacecmd-4.3.11-38.103.3, spacewalk-client-tools-4.3.9-52.71.3, spacewalk-koan-4.3.5-24.33.3, spacewalk-oscap-4.3.5-19.27.1, spacewalk-remote-utils-4.3.3-24.24.3, supportutils-plugin-salt-1.2.0-6.16.1, supportutils-plugin-susemanager-client-4.3.2-6.24.1, suseRegisterInfo-4.3.3-25.27.3, uyuni-common-libs-4.3.4-1.21.3 SUSE Linux Enterprise Server for SAP 12-SP4 (src): golang-github-prometheus-node_exporter-1.3.0-1.15.3 SUSE Linux Enterprise Server for SAP 12-SP3 (src): golang-github-prometheus-node_exporter-1.3.0-1.15.3 SUSE Linux Enterprise Server 12-SP5 (src): golang-github-prometheus-node_exporter-1.3.0-1.15.3 SUSE Linux Enterprise Server 12-SP4-LTSS (src): golang-github-prometheus-node_exporter-1.3.0-1.15.3 SUSE Linux Enterprise Server 12-SP3-LTSS (src): golang-github-prometheus-node_exporter-1.3.0-1.15.3 SUSE Linux Enterprise Server 12-SP3-BCL (src): golang-github-prometheus-node_exporter-1.3.0-1.15.3 HPE Helion Openstack 8 (src): golang-github-prometheus-node_exporter-1.3.0-1.15.3 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/984580 Backports:SLE-15-SP3 / systemd-zram-service
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/993692 Backports:SLE-12-SP4+Backports:SLE-15-SP3+Backports:SLE-15-SP4 / exim
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/994400 Backports:SLE-15-SP3+Backports:SLE-15-SP4 / proftpd
openSUSE-RU-2022:10093-1: An update that has one recommended fix can now be installed. Category: recommended (moderate) Bug References: 1181400 CVE References: JIRA References: Sources used: openSUSE Backports SLE-15-SP4 (src): proftpd-1.3.7e-bp154.3.3.1 openSUSE Backports SLE-15-SP3 (src): proftpd-1.3.7e-bp153.2.3.1
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/998676 Backports:SLE-15-SP3+Backports:SLE-15-SP4 / minetest
nginx failed due to permission problem. Undoing automatic additions and restarting made it great again:

6700K:~ # systemctl cat nginx.service
# /etc/systemd/system/nginx.service
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx -g "daemon off;"
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=mixed
PrivateTmp=true

[Install]
WantedBy=multi-user.target
6700K:~ #
SUSE-SU-2022:3457-1: An update that solves one vulnerability, contains two features and has 6 fixes is now available. Category: security (important) Bug References: 1021387,1052900,1181400,1187678,1187686,786024,971784 CVE References: CVE-2021-3618 JIRA References: PM-3322,SLE-23896 Sources used: openSUSE Leap 15.3 (src): vsftpd-3.0.5-150200.12.9.1 SUSE Manager Server 4.1 (src): vsftpd-3.0.5-150200.12.9.1 SUSE Manager Retail Branch Server 4.1 (src): vsftpd-3.0.5-150200.12.9.1 SUSE Manager Proxy 4.1 (src): vsftpd-3.0.5-150200.12.9.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): vsftpd-3.0.5-150200.12.9.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): vsftpd-3.0.5-150200.12.9.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): vsftpd-3.0.5-150200.12.9.1 SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): vsftpd-3.0.5-150200.12.9.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): vsftpd-3.0.5-150200.12.9.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): vsftpd-3.0.5-150200.12.9.1 SUSE Enterprise Storage 7 (src): vsftpd-3.0.5-150200.12.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3458-1: An update that solves one vulnerability, contains two features and has 6 fixes is now available. Category: security (important) Bug References: 1021387,1052900,1181400,1187678,1187686,786024,971784 CVE References: CVE-2021-3618 JIRA References: PM-3322,SLE-23895 Sources used: SUSE Linux Enterprise Server for SAP 15-SP1 (src): vsftpd-3.0.5-150000.7.19.1 SUSE Linux Enterprise Server for SAP 15 (src): vsftpd-3.0.5-150000.7.19.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): vsftpd-3.0.5-150000.7.19.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): vsftpd-3.0.5-150000.7.19.1 SUSE Linux Enterprise Server 15-LTSS (src): vsftpd-3.0.5-150000.7.19.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): vsftpd-3.0.5-150000.7.19.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): vsftpd-3.0.5-150000.7.19.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): vsftpd-3.0.5-150000.7.19.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): vsftpd-3.0.5-150000.7.19.1 SUSE Enterprise Storage 6 (src): vsftpd-3.0.5-150000.7.19.1 SUSE CaaS Platform 4.0 (src): vsftpd-3.0.5-150000.7.19.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/1007846 Backports:SLE-15-SP3 / orthanc
(In reply to Karl Mistelberger from comment #179)

Would you be willing to share your config? I don't see these issues you're seeing.
openSUSE-SU-2022:10144-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1181400 CVE References: CVE-2022-2119,CVE-2022-2120 JIRA References: Sources used: openSUSE Backports SLE-15-SP3 (src): gdcm-3.0.19-bp153.2.8.1, orthanc-1.11.2-bp153.2.13.1, orthanc-gdcm-1.5-bp153.2.6.1, orthanc-webviewer-2.8-bp153.2.3.1
SUSE-SU-2022:4073-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1181400,1194119,1196972 CVE References: CVE-2021-45710,CVE-2022-24713 JIRA References: Sources used: openSUSE Leap 15.3 (src): sccache-0.3.0~git5.14a4b8b-150300.7.9.1 SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): sccache-0.3.0~git5.14a4b8b-150300.7.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/1040260 Factory / avahi
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/1045668 Factory / openwsman
SUSE-SU-2023:0002-1: An update that contains security fixes can now be installed. Category: security (moderate) Bug References: 1180966,1181400,1185182,1204319 CVE References: JIRA References: Sources used: openSUSE Leap 15.4 (src): sbd-1.5.1+20221128.8ec8e01-150400.3.3.1 SUSE Linux Enterprise High Availability 15-SP4 (src): sbd-1.5.1+20221128.8ec8e01-150400.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2023:0001-1: An update that solves one vulnerability and has two fixes is now available. Category: security (important) Bug References: 1181400,1193141,1202423 CVE References: CVE-2022-35978 JIRA References: Sources used: openSUSE Backports SLE-15-SP4 (src): minetest-5.6.0-bp154.2.3.5 openSUSE Backports SLE-15-SP3 (src): minetest-5.6.0-bp153.2.3.1
tinc stopped working when the hardening was applied in https://build.opensuse.org/request/show/1056357

Journal:

...
Jan 12 15:19:15 muckefuck tincd[23111]: tincd 1.0.36 starting, debug level 0
Jan 12 15:19:15 muckefuck tincd[23111]: Could not open /dev/net/tun: No such file or directory
Jan 12 15:19:15 muckefuck tincd[23111]: Terminating
...

Setting

PrivateDevices=false
DeviceAllow=/dev/net/tun r,w

makes tinc happy again, but is it secure?
I had a look at /proc while the service was set to:

PrivateDevices=false
DeviceAllow=/dev/net/tun r,w

and it looked fully populated to me. Any ideas why this is?

I interpreted the systemd doc for DeviceAllow and DevicePolicy so that if DeviceAllow is present, only the standard pseudo devices like in DevicePolicy=closed and the ones named in DeviceAllow should be present.
(In reply to Christian Prause from comment #204)
> I had a look at /proc while the service was set to:
> 
> PrivateDevices=false
> DeviceAllow=/dev/net/tun r,w
> 
> and it looked fully populated to me.
> 
> Any Ideas why this is?
> 
> I interpreted the systemd doc for DeviceAllow and DevicePolicy so that if
> DeviceAllow is present, only the standard pseudo devices like in
> DevicePolicy=closed and the ones named in DeviceAllow should be present.

The idea is to sandbox only the processes/services started from that particular unit. So if you look at resources that that unit protects from, e.g., a shell or another service unit, the contents will differ.
I tried to figure out a safe configuration that would allow tinc to access /dev/net/tun and have a feeling that DevicePolicy=auto (the default) does not work as advertised.

Here is what I did:

Replaced ExecStart to be able to see what is visible in /dev:

ExecStart=bash -c 'find /dev -maxdepth 1 -printf " %%P" ;/usr/sbin/tincd -n %i -D'

Here are a couple of permutations of DeviceAllow, PrivateDevices and DevicePolicy.

With the current package this shows that /dev contains:

stderr stdout stdin fd core tty urandom random full zero null log hugepages mqueue shm char ptmx pts

No net/tun

 PrivateDevices=true
+DeviceAllow=/dev/net/tun

/dev fully populated inc /dev/net/tun
------
-PrivateDevices=true
+DevicePolicy=closed

/dev fully populated inc /dev/net/tun
------
-PrivateDevices=true
+DevicePolicy=closed
+DeviceAllow=/dev/net/tun

/dev fully populated inc /dev/net/tun
------
-PrivateDevices=true
+DevicePolicy=auto
+DeviceAllow=/dev/net/tun

/dev fully populated inc /dev/net/tun
------
-PrivateDevices=true
+DevicePolicy=strict

Failed to set up standard input: Operation not permitted
Thanks for the report. PrivateDevices is a confusing setting. What you need (and what I will submit shortly) is:

DeviceAllow=/dev/net/tun rwm
DevicePolicy=closed

You will then have other devices in /dev/, but you can't use them. Give

ExecStart=bash -c 'find /dev; head /dev/mem; /usr/sbin/tincd -n %i -D'

a try. You'll see /dev populated, but with the settings above the head command will fail. Without them it will work.
Thanks for the clarification. I was confused by this (and did not know about eBPF). Johannes Segitz, I saw your package update request and revoked mine. Thanks!
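One way to catch the combinations this exchange ran into before a hardening submission goes out, as an added example (not code from the bug report, from systemd or from the hardening script): the checker below parses a unit's [Service] section and reports the PrivateDevices=/DeviceAllow=/DevicePolicy= pitfalls, a malformed rights string, DevicePolicy=strict without /dev/null, and the ProtectKernelModules= side effect described further down. Function names and the sample units are constructed for this illustration.

```python
"""Lint the device-access hardening of a systemd unit.

Added example for the tinc discussion above, not code from the bug report,
systemd or the hardening script; function names and sample units are constructed.
"""
import re
from typing import Dict, List, Sequence

# Pseudo devices that DevicePolicy=closed always permits (man systemd.resource-control).
STANDARD_PSEUDO_DEVICES = {"/dev/null", "/dev/zero", "/dev/full", "/dev/random", "/dev/urandom"}
TRUE_VALUES = {"1", "yes", "true", "on"}


def parse_service_section(unit_text: str) -> Dict[str, List[str]]:
    """Collect the [Service] keys as key -> list of values, in file order.

    An empty assignment ("DeviceAllow=") resets what was collected so far,
    mirroring how systemd treats empty assignments to list settings.
    """
    settings: Dict[str, List[str]] = {}
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        settings[key] = [] if value == "" else settings.get(key, []) + [value]
    return settings


def last(settings: Dict[str, List[str]], key: str, default: str) -> str:
    """Last assignment wins for scalar settings, as in systemd."""
    values = settings.get(key)
    return values[-1] if values else default


def lint_hardening(unit_text: str, needed_devices: Sequence[str] = ()) -> List[str]:
    """Return findings for a unit; needed_devices are nodes the daemon is known to require."""
    findings: List[str] = []
    s = parse_service_section(unit_text)
    private_devices = last(s, "PrivateDevices", "no").lower() in TRUE_VALUES
    policy = last(s, "DevicePolicy", "auto").lower()
    allowed: Dict[str, str] = {}
    for entry in s.get("DeviceAllow", []):
        node, _, rights = entry.partition(" ")
        rights = rights.strip() or "rwm"
        # systemd wants the rights as a run of the letters r, w and m; anything else
        # ("r,w" in the report above) is logged as invalid and the whole line is ignored.
        if not re.fullmatch(r"[rwm]+", rights):
            findings.append(f"DeviceAllow={entry}: rights '{rights}' are invalid, systemd ignores this line")
            continue
        allowed[node] = rights
        if private_devices and node not in STANDARD_PSEUDO_DEVICES:
            findings.append(f"DeviceAllow={node} is pointless with PrivateDevices=yes: the private /dev "
                            f"holds only pseudo devices, so {node} does not exist for the service")
    # PrivateDevices= implies DevicePolicy=closed, and DevicePolicy=auto acts like closed
    # as soon as a DeviceAllow= line is present; otherwise nothing is restricted at all.
    restricted = private_devices or policy in ("closed", "strict") or bool(allowed)
    if not restricted:
        findings.append("no device restriction in effect (DevicePolicy=auto without DeviceAllow=)")
    if policy == "strict" and "/dev/null" not in allowed:
        findings.append("DevicePolicy=strict without DeviceAllow=/dev/null: systemd cannot even set up "
                        "stdin ('Failed to set up standard input: Operation not permitted')")
    for dev in needed_devices:
        if private_devices and dev not in STANDARD_PSEUDO_DEVICES:
            findings.append(f"{dev} is absent from the private /dev created by PrivateDevices=yes; "
                            "drop PrivateDevices and use DevicePolicy=closed plus DeviceAllow instead")
        elif restricted and dev not in allowed and (policy == "strict" or dev not in STANDARD_PSEUDO_DEVICES):
            findings.append(f"{dev} is not listed in DeviceAllow=; the device cgroup will deny access")
    if last(s, "ProtectKernelModules", "no").lower() in TRUE_VALUES:
        findings.append("ProtectKernelModules=yes also makes /usr/lib/modules inaccessible (man systemd.exec); "
                        "make sure the service never reads module files (this is what broke mlocate)")
    return findings


# Constructed sample units modelled on the thread. The hardening as it shipped:
SHIPPED_TINC = "[Service]\nExecStart=/usr/sbin/tincd -n %i -D\nPrivateDevices=true\n"
# The reporter's first workaround, and the configuration recommended in the thread:
WORKAROUND_TINC = SHIPPED_TINC.replace("PrivateDevices=true", "PrivateDevices=false\nDeviceAllow=/dev/net/tun r,w")
FIXED_TINC = SHIPPED_TINC.replace("PrivateDevices=true", "DeviceAllow=/dev/net/tun rwm\nDevicePolicy=closed")
# A constructed updatedb-style unit carrying the option that hid /usr/lib/modules from locate:
LOCATE_UNIT = "[Service]\nExecStart=/usr/bin/updatedb\nProtectKernelModules=true\n"

if __name__ == "__main__":
    for name, unit in [("shipped", SHIPPED_TINC), ("workaround", WORKAROUND_TINC), ("fixed", FIXED_TINC)]:
        print(name, lint_hardening(unit, ["/dev/net/tun"]) or ["OK"])
    print("locate", lint_hardening(LOCATE_UNIT))
```

Run as a script it prints the findings for each sample; the "fixed" unit comes out clean, the shipped one reports the missing tun node, and the workaround shows why it only appeared to work: the malformed DeviceAllow line is dropped, leaving no device restriction at all.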
SUSE-SU-2023:0140-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1181400,1206836 CVE References: CVE-2023-22643 JIRA References: Sources used: SUSE Linux Enterprise Server for SAP 15-SP3 (src): libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1 SUSE Linux Enterprise Server 15-SP3-LTSS (src): libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1 SUSE Linux Enterprise Realtime Extension 15-SP3 (src): libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1 SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (src): libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1 SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (src): libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1 SUSE Enterprise Storage 7.1 (src): libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1 SUSE Enterprise Storage 7 (src): libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1 SUSE Enterprise Storage 6 (src): libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1 SUSE CaaS Platform 4.0 (src): libzypp-plugin-appdata-1.0.1+git.20180426-150100.8.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Notice that this breaks "locate" unexpectedly.

Elesar:~ # locate snd-hda-intel
Elesar:~ # find /lib/modules -type f -name snd-hda-intel\*
/lib/modules/5.14.21-150400.24.41-default/kernel/sound/pci/hda/snd-hda-intel.ko.zst
/lib/modules/5.14.21-150400.24.38-default/kernel/sound/pci/hda/snd-hda-intel.ko.zst
Elesar:~ #

We thought that the new kernel was missing modules.

<https://lists.opensuse.org/archives/list/users@lists.opensuse.org/message/VAVGAYLAWYL3R7Y6U7IEQZOOKF56W3SX/>
(In reply to Carlos Robinson from comment #211)
> Notice that this breaks "locate" unexpectedly.

not only locate.
I just revert most of them locally, especially as they also creep into Leap and SLES15 m(

I do not even bother to report these anymore...
(In reply to seife@novell.slipkontur.de from comment #212)
> (In reply to Carlos Robinson from comment #211)
> > Notice that this breaks "locate" unexpectedly.
> 
> not only locate.
> I just revert most of them locally, especially as they also creep into Leap and SLES15 m(
> 
> I do not even bother to report these anymore...

The plan was that package maintainers review and test the hardenings. This seems to have failed in a lot of cases and maintainers simply accepted the changes blindly. Still, we would be happy if you report all the cases, ideally in individual bugs assigned to the package maintainer and with security-team@suse.de in CC. We will take care of each problem even if it takes time.
(In reply to carlos.e.r@opensuse.org from comment #211)
> Notice that this breaks "locate" unexpectedly.
> 
> Elesar:~ # locate snd-hda-intel
> Elesar:~ # find /lib/modules -type f -name snd-hda-intel\*
> /lib/modules/5.14.21-150400.24.41-default/kernel/sound/pci/hda/snd-hda-intel.ko.zst
> /lib/modules/5.14.21-150400.24.38-default/kernel/sound/pci/hda/snd-hda-intel.ko.zst
> Elesar:~ #
> 
> 
> We thought that the new kernel was missing modules.

The problem seems to stem from the "ProtectKernelModules" hardening in /usr/lib/systemd/system/mlocate.service. From `man systemd.exec`:

    also /usr/lib/modules is made inaccessible

So the issue is limited to finding kernel modules. Removing the "ProtectKernelModules" line should fix things.
> Still we would be happy when you report all the cases, ideally in individual
> bugs assigned to the package maintainer and with security-team@suse.de in CC.
> We will take care of each problem even if it takes time.

Done. bug 1207884
(In reply to Stefan Seyfried from comment #212)
> (In reply to Carlos Robinson from comment #211)
> > Notice that this breaks "locate" unexpectedly.
> 
> not only locate.
> I just revert most of them locally, especially as they also creep into Leap
> and SLES15 m(
> 
> I do not even bother to report these anymore...

Do you have a list? So that we users know which things we should also handle, instead of being surprised when something doesn't work.
I'll submit a fix. And I'm also interested in any additional issues so we can fix them.
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/1067381 Factory / veyon
SUSE-SU-2023:2185-1: An update that solves three vulnerabilities, contains two features and has three fixes can now be installed. Category: security (important) Bug References: 1181400, 1197284, 1203185, 1208060, 1208064, 1208965 CVE References: CVE-2022-27191, CVE-2022-27664, CVE-2022-46146 Jira References: MSQA-663, MSQA-665 Sources used: SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (src): prometheus-postgres_exporter-0.10.1-1.6.2, golang-github-prometheus-node_exporter-1.5.0-1.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This round is done. I plan to do another round, but with a different approach and will open a new bug for this
SUSE-SU-2023:3526-1: An update that solves four vulnerabilities and has one security fix can now be installed. Category: security (important) Bug References: 1181400, 1194119, 1196972, 1208553, 1212407 CVE References: CVE-2021-45710, CVE-2022-24713, CVE-2022-31394, CVE-2023-1521 Sources used: openSUSE Leap 15.4 (src): sccache-0.4.2~3-150400.3.3.1 openSUSE Leap 15.5 (src): sccache-0.4.2~3-150400.3.3.1 Development Tools Module 15-SP4 (src): sccache-0.4.2~3-150400.3.3.1 Development Tools Module 15-SP5 (src): sccache-0.4.2~3-150400.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-RU-2024:0029-1: An update that contains three features and has three fixes can now be installed. Category: recommended (moderate) Bug References: 1181400, 1206044, 1214364 Jira References: PED-6416, PED-6434, PED-6435 Sources used: SUSE Linux Enterprise High Performance Computing 12 SP5 (src): net-snmp-5.9.4-14.3.1 SUSE Linux Enterprise Server 12 SP5 (src): net-snmp-5.9.4-14.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): net-snmp-5.9.4-14.3.1 SUSE Linux Enterprise Software Development Kit 12 SP5 (src): net-snmp-5.9.4-14.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-RU-2024:0131-1: An update that contains one feature and has two fixes can now be installed. Category: recommended (moderate) Bug References: 1181400, 1215229 Jira References: PED-7338 Sources used: openSUSE Leap 15.5 (src): python-sanlock-3.8.5-150000.4.6.1, sanlock-3.8.5-150000.4.6.1 Server Applications Module 15-SP5 (src): sanlock-3.8.5-150000.4.6.1 SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): sanlock-3.8.5-150000.4.6.1 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): sanlock-3.8.5-150000.4.6.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): sanlock-3.8.5-150000.4.6.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): sanlock-3.8.5-150000.4.6.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): sanlock-3.8.5-150000.4.6.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): sanlock-3.8.5-150000.4.6.1 SUSE Linux Enterprise Real Time 15 SP4 (src): sanlock-3.8.5-150000.4.6.1 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): sanlock-3.8.5-150000.4.6.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): sanlock-3.8.5-150000.4.6.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): sanlock-3.8.5-150000.4.6.1 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): sanlock-3.8.5-150000.4.6.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): sanlock-3.8.5-150000.4.6.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): sanlock-3.8.5-150000.4.6.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): sanlock-3.8.5-150000.4.6.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): sanlock-3.8.5-150000.4.6.1 SUSE Manager Proxy 4.3 (src): sanlock-3.8.5-150000.4.6.1 SUSE Manager Retail Branch Server 4.3 (src): sanlock-3.8.5-150000.4.6.1 SUSE Manager Server 4.3 (src): sanlock-3.8.5-150000.4.6.1 SUSE Enterprise Storage 7.1 (src): sanlock-3.8.5-150000.4.6.1 SUSE CaaS Platform 4.0 (src): sanlock-3.8.5-150000.4.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/1180707 Factory / munin
SUSE-FU-2024:2078-1: An update that solves five vulnerabilities, contains one feature and has five fixes can now be installed. Category: feature (important) Bug References: 1181400, 1185075, 1186203, 1187818, 1187819, 1199431, 1205267, 1216582, 1219532, 1222591 CVE References: CVE-2021-22116, CVE-2021-32718, CVE-2021-32719, CVE-2022-31008, CVE-2023-46118 Jira References: PED-8414 Maintenance Incident: [SUSE:Maintenance:34194](https://smelt.suse.de/incident/34194/) Sources used: openSUSE Leap 15.3 (src): erlang26-26.2.1-150300.7.5.1, elixir115-1.15.7-150300.7.5.1 openSUSE Leap 15.6 (src): erlang26-26.2.1-150300.7.5.1, elixir115-1.15.7-150300.7.5.1, rabbitmq-server313-3.13.1-150600.13.5.3 Server Applications Module 15-SP6 (src): erlang26-26.2.1-150300.7.5.1, rabbitmq-server313-3.13.1-150600.13.5.3, elixir115-1.15.7-150300.7.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/1187597 Backports:SLE-15-SP6 / exim
SUSE-SU-2024:3656-1: An update that solves 11 vulnerabilities and has five security fixes can now be installed. URL: https://www.suse.com/support/update/announcement/2024/suse-su-20243656-1 Category: security (moderate) Bug References: 1095184, 1118897, 1118898, 1118899, 1121850, 1174951, 1181400, 1183703, 1199031, 1208270, 1208297, 1210138, 1213229, 1217070, 1217950, 1218150 CVE References: CVE-2018-16873, CVE-2018-16874, CVE-2018-16875, CVE-2018-16886, CVE-2020-15106, CVE-2020-15112, CVE-2021-28235, CVE-2022-41723, CVE-2023-29406, CVE-2023-47108, CVE-2023-48795 Maintenance Incident: [SUSE:Maintenance:36071](https://smelt.suse.de/incident/36071/) Sources used: openSUSE Leap 15.5 (src): etcd-3.5.12-150000.7.6.1 openSUSE Leap 15.6 (src): etcd-3.5.12-150000.7.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1181400) was mentioned in https://build.opensuse.org/request/show/1219728 Backports:SLE-15-SP5 / mosquitto
openSUSE-SU-2024:0346-1: An update that solves 7 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1181400,1190048,1190101,1214918,1215864,1215865,1232635,1232636 CVE References: CVE-2020-13849,CVE-2021-34434,CVE-2023-0809,CVE-2023-28366,CVE-2023-3592,CVE-2024-10525,CVE-2024-3935 JIRA References: Sources used: openSUSE Backports SLE-15-SP6 (src): mosquitto-2.0.20-bp156.2.3.1 openSUSE Backports SLE-15-SP5 (src): mosquitto-2.0.20-bp155.3.3.1