Fixes a vulnerability in the systemd PAM module which insecurely uses
the environment and lacks seat verification permitting spoofing an
active session to PolicyKit.
CVE-2019-3842
- Skip tests which can't work in containers.
- Add missing rsyslog test dependency.
- e2scrub_reap.service fails in containers, ignore (filed as #926138)
- Relax pgrep pattern for gdm, as there's no wayland session in
containers.
Apparently Conflicts= are not a reliable mechanism to ensure alternative
NTP implementations take precedence over systemd-timesyncd.
This reverts commit b2ced99893.
Closes: #902026
When removing duplicate directories from the systemd package, sort the
list of directories in reverse order so we properly delete nested
directories.
Running debdiff shows the following result:
    Files in first .deb but not in second
    -------------------------------------
    drwxr-xr-x root/root /etc/udev/
    drwxr-xr-x root/root /usr/lib/systemd/tests/
    drwxr-xr-x root/root /usr/lib/systemd/tests/testdata/
Those empty directories clearly do not belong in the systemd package.
A fixed systemd-shim package which works with newer versions of systemd
is unlikely to happen given that the systemd-shim package has been
removed from the archive. Drop the alternative dependency from
libpam-systemd accordingly.
The previous commit added an udev dependency to the latest dpkg. This
broke backportability and upstream CI.
As this is only necessary with SysV init, add an alternative to
systemd-sysv.
Gbp-Dch: Ignore
Fixes a race condition during startup under SysV init.
Add versioned dependency on dpkg (>= 1.19.3) to ensure that a version
of start-stop-daemon which supports --notify-await is installed.
Closes: #908796
Otherwise we'll catch some
    Failed to resolve group 'render': Connection timed out
messages that happen in earlier boots during VM setup, before the
"render" group is created.
Fixes https://github.com/systemd/systemd/issues/11875
This test exposes a race condition when running in LXC, see issue #11848
for details. Until that is understood and fixed, skip the test as it's
not a recent regression.
Use their $AUTOPKGTEST_* equivalents.
These were introduced in autopkgtest 4.0 (June 2016), and all our CI
systems use a much newer version.
Gbp-Dch: Short
When running tests for upstream PRs, this test often fails with
    checking for connection timeouts
    systemd-udevd[1228]: Failed to resolve group 'render': Connection timed out
Which is not the kind of timeout the test is looking for. Create the
group in the test to avoid this.
We explicitly don't create the group in systemd.postinst as we revert
the patch that introduces the group into the udev rules.
Some systemd versions have DynamicUser=yes in systemd-timesyncd.service.
adduser does not consider these high UIDs as system users and fails,
which caused package installation failures.
This allows alternate logind implementations such as elogind, without
having to recompile every dependent package -- as long as the client API
remains compatible.
These new virtual packages got policy-approved in #917431.
Closes: #915407
This avoids accessing/modifying
memory outside of the allocated stack region by sending specially
crafted D-Bus messages with very large object paths.
Vulnerability discovered by Chris Coulson <chris.coulson@canonical.com>,
patch provided by Riccardo Schirone <rschiron@redhat.com>.
CVE-2019-6454