
CVE CVE-2021-33910 (systemd crash) on Cloud VPS
Closed, Resolved (Public)

Description

https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt

We need to check whether or not unattended upgrades are fixing this automatically.

241-7~deb10u8 is the fixed version for buster,
232-25+deb9u13 is the fixed version for stretch.

A simple upgrade should resolve the issue once packages are available:

# apt-get install systemd systemd-sysv udev libudev1 libsystemd0 libpam-systemd libnss-systemd

Event Timeline

Andrew triaged this task as Unbreak Now! priority. Jul 20 2021, 1:31 PM
Andrew updated the task description.

I've confirmed that newly-built VMs get the latest version of systemd, thanks to cloud-init doing an upgrade at build time.

Rolling out manually on Toolforge k8s nodes (buster and somewhat user-accessible):

taavi@tools-clushmaster-02:~ $ clush -w "@k8s" "sudo DEBIAN_FRONTEND=noninteractive apt-get -q -y --assume-no -o DPkg::Options::="--force-confdef" -o DPkg::Options::="--force-confold" install systemd systemd-sysv udev libudev1 libsystemd0 libpam-systemd libnss-systemd"

Also deployed by hand on the Buster bastions.

root@abogott-puppetclient:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 10 (buster)
Release:	10
Codename:	buster
root@abogott-puppetclient:~# dpkg --list | grep systemd
ii  dbus-user-session                    1.12.20-0+deb10u1                 amd64        simple interprocess messaging system (systemd --user integration)
ii  libnss-systemd:amd64                 241-7~deb10u7                     amd64        nss module providing dynamic user and group name resolution
ii  libpam-systemd:amd64                 241-7~deb10u7                     amd64        system and service manager - PAM module
ii  libsystemd0:amd64                    241-7~deb10u7                     amd64        systemd utility library
ii  systemd                              241-7~deb10u7                     amd64        system and service manager
ii  systemd-sysv                         241-7~deb10u7                     amd64        system and service manager - SysV links

But after a forced run of unattended-upgrades:

root@abogott-puppetclient:~# dpkg --list | grep systemd
ii  dbus-user-session                    1.12.20-0+deb10u1                 amd64        simple interprocess messaging system (systemd --user integration)
ii  libnss-systemd:amd64                 241-7~deb10u8                     amd64        nss module providing dynamic user and group name resolution
ii  libpam-systemd:amd64                 241-7~deb10u8                     amd64        system and service manager - PAM module
ii  libsystemd0:amd64                    241-7~deb10u8                     amd64        systemd utility library
ii  systemd                              241-7~deb10u8                     amd64        system and service manager
ii  systemd-sysv                         241-7~deb10u8

So probably we don't need to do anything for this but let's check back in 24 hours.

Mentioned in SAL (#wikimedia-cloud) [2021-07-20T18:42:35Z] <majavah> deploying systemd security tools on toolforge public stretch machines T287004

taavi lowered the priority of this task from Unbreak Now! to High. Jul 21 2021, 8:48 AM

Unattended-upgrades seems to have done its job; I checked tools and deployment-prep and everything had updated, except the bastions, which have backported systemd, and a subtask.

Should we close this or are there still toolforge edge cases that require package building?

Bstorm subscribed.

That should have been the only edge case. We didn't mess with systemd elsewhere.