CVE-2018-15686

Name: CVE-2018-15686
Description: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs: 912005

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release        Version          Status
systemd (PTS)     jessie         215-17+deb8u7    vulnerable
systemd           stretch        232-25+deb9u6    vulnerable
systemd           buster, sid    239-11           vulnerable

The information below is based on the following data on fixed versions.

Package    Type      Release       Fixed Version    Urgency    Origin    Debian Bugs
systemd    source    (unstable)    (unfixed)                             912005

Notes

[stretch] - systemd <no-dsa> (Minor issue)
https://bugs.chromium.org/p/project-zero/issues/detail?id=1687
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796402
https://github.com/systemd/systemd/pull/10519
