CVE-2018-1049

Name: CVE-2018-1049
Description: In systemd prior to 234 a race condition exists between .mount and .automount units such that automount requests from kernel may not be serviced by systemd resulting in kernel holding the mountpoint and any processes that try to use said mount will hang. A race condition like this may lead to denial of service, until mount points are unmounted.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1580-1
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

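| Source Package | Release | Version | Status |
|---|---|---|---|
| systemd (PTS) | jessie | 215-17+deb8u7 | vulnerable |
| systemd | jessie (security) | 215-17+deb8u8 | fixed |
| systemd | stretch | 232-25+deb9u6 | vulnerable |
| systemd | buster | 239-13 | fixed |
| systemd | sid | 239-15 | fixed |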

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| systemd | source | (unstable) | 234-1 | medium | | |
| systemd | source | jessie | 215-17+deb8u8 | medium | DLA-1580-1 | |

Notes

[stretch] - systemd <postponed> (Minor issue, can either be included in future DSA or point release)
[wheezy] - systemd <postponed> (Minor issue, can be fixed along in next DLA)
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1709649
https://github.com/systemd/systemd/pull/5916
https://github.com/systemd/systemd/commit/e7d54bf58789545a9eb0b3964233defa0b007318
