Launchpad CVE tracker

CVE 2019-15718

In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.

Related bugs and status

CVE-2019-15718 (Candidate) is related to these bugs:

Bug #1845337: Disco autopkgtest @ armhf fails root-unittests -> test-execute -> exec-dynamicuser-statedir.service

		In	Importance	Status
1845337	Disco autopkgtest @ armhf fails root-unittests -> test-execute -> exec-dynamicuser-statedir.service	systemd (Ubuntu)	Undecided	Fix Released
1845337	Disco autopkgtest @ armhf fails root-unittests -> test-execute -> exec-dynamicuser-statedir.service	systemd (Ubuntu Disco)	Undecided	Fix Released
1845337	Disco autopkgtest @ armhf fails root-unittests -> test-execute -> exec-dynamicuser-statedir.service	qemu (Ubuntu)	Undecided	Invalid
1845337	Disco autopkgtest @ armhf fails root-unittests -> test-execute -> exec-dynamicuser-statedir.service	qemu (Ubuntu Disco)	Undecided	Invalid

Bug #1845637: Drop setting fs.protected_regular and fs.protected_fifos from sysctl defaults shipped by systemd

Summary				In	Importance	Status
	1845637	Drop setting fs.protected_regular and fs.protected_fifos from sysctl defaults shipped by systemd		systemd (Ubuntu)	Undecided	Fix Released
	1845637	Drop setting fs.protected_regular and fs.protected_fifos from sysctl defaults shipped by systemd		linux (Ubuntu)	Undecided	Confirmed

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2019-15718

References