Detections
Analytics

Oracle Linux 8 : systemd (ELSA-2020-4553)

low Nessus Plugin ID 142800

Language:

Synopsis

The remote Oracle Linux host is missing a security update.

Description

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2020-4553 advisory.

 [239-40.0.1]
 - backport upstream pstore tmpfiles patch [Orabug: 31420486]
 - udev rules: fix memory hot add and remove [Orabug: 31310273]
 - fix to enable systemd-pstore.service [Orabug: 30951066]
 - journal: change support URL shown in the catalog entries [Orabug: 30853009]
 - fix to generate systemd-pstore.service file [Orabug: 30230056]
 - fix _netdev is missing for iscsi entry in /etc/fstab ([email protected]) [Orabug: 25897792]
 - set 'RemoveIPC=no' in logind.conf as default for OL7.2 [Orabug: 22224874]
 - allow dm remove ioctl to co-operate with UEK3 (Vaughan Cao) [Orabug: 18467469]
 - add hv dynamic memory support (Jerry Snitselaar) [Orabug: 18621475]
 - Backport upstream patches for the new systemd-pstore tool (Eric DeVolder) [OraBug: 30230056]

 [239-40]
 - units: add generic boot-complete.target (#1872243)
 - man: document new 'boot-complete.target' unit (#1872243)
 - core: make sure to restore the control command id, too (#1829867)

 [239-39]
 - device: make sure we emit PropertiesChanged signal once we set sysfs (#1793533)
 - device: dont emit PropetiesChanged needlessly (#1793533)

 [239-38]
 - spec: fix rpm verification (#1702300)

 [239-37]
 - spec: dont package /etc/systemd/system/dbus-org.freedesktop.resolve1.service (#1844465)

 [239-36]
 - core: dont consider SERVICE_SKIP_CONDITION for abnormal or failure restarts (#1737283)
 - selinux: do preprocessor check only in selinux-access.c (#1830861)
 - basic/cgroup-util: introduce cg_get_keyed_attribute_full() (#1830861)
 - shared: add generic logic for waiting for a unit to enter some state (#1830861)
 - shared: fix assert call (#1830861)
 - shared: Dont try calling NULL callback in bus_wait_for_units_clear (#1830861)
 - shared: add NULL callback check in one more place (#1830861)
 - core: introduce support for cgroup freezer (#1830861)
 - core/cgroup: fix return value of unit_cgorup_freezer_action() (#1830861)
 - core: fix the return value in order to make sure we dont dipatch method return too early (#1830861)
 - test: add test for cgroup v2 freezer support (#1830861)
 - fix mis-merge (#1848421)
 - tests: sleep a bit and give kernel time to perform the action after manual freeze/thaw (#1848421)

 [239-35]
 - spec: fix rpm verification (#1702300)

 [239-34]
 - spec: fix rpm verification (#1702300)

 [239-33]
 - tmpfiles: fix crash with NULL in arg_root and other fixes and tests (#1836024)
 - sulogin-shell: Use force if SYSTEMD_SULOGIN_FORCE set (#1625929)
 - resolvconf: fixes for the compatibility interface (#1835594)
 - mount: dont add Requires for tmp.mount (#1748840)
 - core: coldplug possible nop_job (#1829798)
 - core: add IODeviceLatencyTargetSec (#1831519)
 - time-util: Introduce parse_sec_def_infinity (#1770379)
 - cgroup: use structured initialization (#1770379)
 - core: add CPUQuotaPeriodSec= (#1770379)
 - core: downgrade CPUQuotaPeriodSec= clamping logs to debug (#1770379)
 - sd-bus: avoid magic number in SASL length calculation (#1838081)
 - sd-bus: fix SASL reply to empty AUTH (#1838081)
 - sd-bus: skip sending formatted UIDs via SASL (#1838081)
 - core: add MemoryMin (#1763435)
 - core: introduce cgroup_add_device_allow() (#1763435)
 - test: remove support for suffix in get_testdata_dir() (#1763435)
 - cgroup: Implement default propagation of MemoryLow with DefaultMemoryLow (#1763435)
 - cgroup: Create UNIT_DEFINE_ANCESTOR_MEMORY_LOOKUP (#1763435)
 - unit: Add DefaultMemoryMin (#1763435)
 - cgroup: Polish hierarchically aware protection docs a bit (#1763435)
 - cgroup: Readd some plumbing for DefaultMemoryMin (#1763435)
 - cgroup: Support 0-value for memory protection directives (#1763435)
 - cgroup: Test that its possible to set memory protection to 0 again (#1763435)
 - cgroup: Check ancestor memory min for unified memory config (#1763435)
 - cgroup: Respect DefaultMemoryMin when setting memory.min (#1763435)
 - cgroup: Mark memory protections as explicitly set in transient units (#1763435)
 - meson: allow setting the version string during configuration (#1804252)

 [239-32]
 - pid1: fix DefaultTasksMax initialization (#1809037)
 - cgroup: make sure that cpuset is supported on cgroup v2 and disabled with v1 (#1808940)
 - test: introduce TEST-36-NUMAPOLICY (#1808940)
 - test: replace 'tail -f' with journal cursor which should be... (#1808940)
 - test: support MPOL_LOCAL matching in unpatched strace versions (#1808940)
 - test: make sure the strace process is indeed dead (#1808940)
 - test: skip the test on systems without NUMA support (#1808940)
 - test: give strace some time to initialize (#1808940)
 - test: add a simple sanity check for systems without NUMA support (#1808940)
 - test: drop the missed || exit 1 expression (#1808940)
 - test: replace cursor file with a plain cursor (#1808940)
 - cryptsetup: Treat key file errors as a failed password attempt (#1763155)
 - swap: finish the secondary swap units jobs if deactivation of the primary swap unit fails (#1749622)
 - resolved: Recover missing PrivateTmp=yes and ProtectSystem=strict (#1810869)
 - bus_open leak sd_event_source when udevadm trigger (#1798504)
 - core: rework StopWhenUnneeded= logic (#1798046)
 - pid1: fix the names of AllowedCPUs= and AllowedMemoryNodes= (#1818054)
 - core: fix re-realization of cgroup siblings (#1818054)
 - basic: use comma as separator in cpuset cgroup cpu ranges (#1818054)
 - core: transition to FINAL_SIGTERM state after ExecStopPost= (#1766479)
 - sd-journal: close journal files that were deleted by journald before weve setup inotify watch (#1796128)
 - sd-journal: remove the dead code and actually fix #14695 (#1796128)
 - udev: downgrade message when we fail to set inotify watch up (#1808051)
 - logind: check PolicyKit before allowing VT switch (#1797679)
 - test: do not use global variable to pass error (#1823767)
 - test: install libraries required by tests (#1823767)
 - test: introduce install_zoneinfo() (#1823767)
 - test: replace duplicated Makefile by symbolic link (#1823767)
 - test: add paths of keymaps in install_keymaps() (#1823767)
 - test: make install_keymaps() optionally install more keymaps (#1823767)
 - test-fs-util: skip some tests when running in unprivileged container (#1823767)
 - test-process-util: skip several verifications when running in unprivileged container (#1823767)
 - test-execute: also check python3 is installed or not (#1823767)
 - test-execute: skip several tests when running in container (#1823767)
 - test: introduce test_is_running_from_builddir() (#1823767)
 - test: make test-catalog relocatable (#1823767)
 - test: parallelize tasks in TEST-24-UNIT-TESTS (#1823767)
 - test: try to determine QEMU_SMP dynamically (#1823767)
 - test: store coredumps in journal (#1823767)
 - pid1: add new kernel cmdline arg systemd.cpu_affinity= (#1812894)
 - udev-rules: make tape-changers also apprear in /dev/tape/by-path/ (#1820112)
 - man: be clearer that .timer time expressions need to be reset to override them (#1816908)
 - Add support for opening files for appending (#1809175)
 - nspawn: move payload to sub-cgroup first, then sync cgroup trees (#1837094)
 - core: move unit_status_emit_starting_stopping_reloading() and related calls to job.c (#1737283)
 - job: when a job was skipped due to a failed condition, log about it (#1737283)
 - core: split out all logic that updates a Job on a units unit_notify() invocation (#1737283)
 - core: make log messages about units entering a 'failed' state recognizable (#1737283)
 - core: log a recognizable message when a unit succeeds, too (#1737283)
 - tests: always use the right vtable wrapper calls (#1737283)
 - test-execute: allow filtering test cases by pattern (#1737283)
 - test-execute: provide custom failure message (#1737283)
 - core: ExecCondition= for services (#1737283)
 - Drop support for lz4 < 1.3.0 (#1843871)
 - test-compress: add test for short decompress_startswith calls (#1843871)
 - journal: adapt for new improved LZ4_decompress_safe_partial() (#1843871)
 - fuzz-compress: add fuzzer for compression and decompression (#1843871)
 - seccomp: fix __NR__sysctl usage (#1843871)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2020-4553.html

Plugin Details

Severity: Low

ID: 142800

File Name: oraclelinux_ELSA-2020-4553.nasl

Version: 1.5

Type: local

Agent: unix

Published: 11/12/2020

Updated: 11/1/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2019-20386

CVSS v3

Risk Factor: Low

Base Score: 2.4

Temporal Score: 2.1

Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:systemd-pam, p-cpe:/a:oracle:linux:systemd-journal-remote, p-cpe:/a:oracle:linux:systemd-container, p-cpe:/a:oracle:linux:systemd-devel, cpe:/o:oracle:linux:8, p-cpe:/a:oracle:linux:systemd-udev, p-cpe:/a:oracle:linux:systemd-tests, p-cpe:/a:oracle:linux:systemd, p-cpe:/a:oracle:linux:systemd-libs

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 11/10/2020

Vulnerability Publication Date: 1/21/2020

Reference Information

CVE: CVE-2019-20386