Vulnerability Discovered In Latest Ubuntu Distributions, Users Advised To Update

Celarent Darii writes: There is a vulnerability in the latest ubuntu distributions due to the DNS resolver included in systemd. The inclusion of the dns resolver was lamented by many on the mailing list, not without cause. All are advised to update their distribution.

Proof that Linux is just as insecure as Windows!

Millions of Windows machines got hit yesterday with NotPetya, so this DNS vulnerability is proof that Linux is just as insecure because millions of Linux machines... didn't.

what a horrible dns resolver

I had nothing but issues and uninstalled it and went back to dnsmasq... not a problem since. I wish they would just quit throwing the kitchen, bathroom, outside sinks into this mess.

Re:what a horrible dns resolver

[aardvarkjoe]

What problem do the systemd guys think that they're solving by adding a half-assed dns resolver to systemd? Is it just because they can't stand to have any software that's not under their direct control?

Re:what a horrible dns resolver

Hossssssst filessssss... Preciousssssssss....

Re:what a horrible dns resolver

[ordinal]

Really half assed - I changed to dnsmasq then changed distro because of the mess DNS is in 17.04 - worst Ubuntu release since switching from Redhat to Ubuntu about 10 years ago and all down to this single issue (and tbh one of the worst issues of breakage of something that previously worked I've seen in nearly 25 years of linux experience).

Changing one of the most critical subsystems seems to have been done with little testing (esp home use not with corporate dns) and lack of attention to bug reports during beta and post release.

Re:what a horrible dns resolver

[najajomo]

"I believe it is that they have by now gotten away with so many bad decisions"

Such as embedding the Google DNS addresses into the make file of the SystemD compile script - yea really. Have these people any idea of the security implications of embedding a fixed IP address into the DNS resolver. For instance disabling the local DNS server, blocking 8.8.8.8 and firing up your own box at 8.8.8.8. What F*****G genius thought of this particular hack. "This setting is hence only used if no other DNS server information is known" ref. If no DNS information is known then that should really mean that no DNS information is known.

Re:what a horrible dns resolver

[gweihir]

Fascinating. It really does not get much more clueless than this.

I'm amazed!

[Vlijmen+Fileer]

No kidding. Do all of you folks see my amazed look? :/
B.t.w. does anybody know if systemd already ships its own OS?

Re:I'm amazed!

[Type44Q]

SystemD's OS is the Intel Management Engine.

Re:I'm amazed!

[HelpTheNewOverlord]

If this bug is present only in Ubuntu, it seems to me that the problem is not in systemd. Can anyone explain to me why it doesn't affect RedHat?

Re: I'm amazed!

Although systemd is developed by a clique of Redhat engineers, Redhat distros themselves are so laughably out of date it's likely we will see them suffer from this vulnerability, just in 5 years time.

Re: Proof that Linux is just as insecure as Window

Finally, the proof! When we arrest Linus, should it be the death sentence or just prison for life?

Poettering strikes again

[guruevi]

I think systemd is a Microsoft plant. It's basically INI files for Linux. Next week he'll upgrade us all to a 'central registry' and you'll need a GUI to edit it.

Re:Poettering strikes again

[F.Ultra]

Because let's pretend that INI files have not been in wide use on Unix for decades?

Re:Poettering strikes again

[F.Ultra]

Some are yes, other are complex turing complete and others follow the INI style. Look i.e at /etc/openal/alsoft.conf, /etc/subversion/config, /etc/couchdb/local.ini, or why not any of the .desktop files in /usr/share/applications/.

INI style are not bad just because MS happened to use them a lot in MS-DOS, AFAIK there isn't even anything that points to MS being the inventors of the format, just that they used them system until they came up with their horrid registry.

Re:Poettering strikes again

[F.Ultra]

If AIX would destroy the universe as we know it if there ever was a single INI style file stored on it then it would have done so decades ago.

Re:Poettering strikes again

[squiggleslash]

I see configuration files with [section] breaks all the time under GNU/Linux. What are you looking at that doesn't? gconf XML files? ;-)

I rather like .ini files, they work, they're easy to navigate, and they're human readable, unlike XML.

Re:Poettering strikes again

[BarbaraHudson]

Go look at x.conf - multiple sections. Try running it without.

Re:Poettering strikes again

[Qzukk]

They're what tell you that you're looking at an INI file.

Re:Poettering strikes again

[ssam]

>what happens when MicroSoft decides to open the lawsuit of the century claiming to be the owners of the INI format and demand retribution? I think they get laughed out of court.

Re:Poettering strikes again

[najajomo]

This following is a reconstruction of what actually took place:

Poettering: Dbus should move to SystemD.

Dbus developers: How do we get Dbus working under SystemD?

Poettering: That's low level stuff, we don't have the skills, besides that's not my problem.
--

See also what SystemD does to /etc/hostname. There are now three different hostnames: static, pretty and transient. ref Again it's a curious decision and understanding the logic behind it fails me.

Re:Poettering strikes again

[F.Ultra]

I guess you only use global variables as well.

Re: Proof that Linux is just as insecure as Window

[Type44Q]

Windows for life.

At least for 14.04, the article is full of crap

Too many people lie to hurt Linux because they're corporate shill or just simply hate freedom. The newest version of systemd that we make available for 14.40 is 229-4ubuntu17. This idiot lies and claims that 231-9ubuntu5 fixes the problem. That version does not exist. The attacks from people like Oracle and Microsoft are getting more desperate. Their constant spew of hate must be working because they're investing more money in paying these people to spew more lies.

Who the hell let the PulseAudio dev near init?

PulseAudio is a flaky disaster as is the developer behind it. But systemd is scaled up full retard. Who, in their right mind, thinks, "Gee, I should plop my own homegrown DNS resolver into my system service startup tool. Nothing could go wrong with that." Let's forget that BIND went through many painful years of vulnerability management.

Re:Who the hell let the PulseAudio dev near init?

Meh. I know you're trolling, but I'm bored and feel like rambling.

I'd avoided PulseAudio for the longest time. I had like over a second of lag for anything I played through it. Nothing I could do to fix it. That was back when we had to use something because OSS would only let one process play sound at a time (unless your card had multiple DSPs) and for most of us that was aRts or ESD. Then ALSA came along with dmix and all was good.

(I've also used JACK, mostly as an effects box for guitar, but if you just want to play sounds from multiple application to one audio sink, using JACK is like deciding you want to destroy an ant hill and using a nuke.)

Well, I found out it could be better. The roommate gave me a demo of PulseAudio running on her system, and I was flabbergasted. It was more capable than Windows 7. Which, I mean, come on. Don't be a dipshit. Windows 7's mixer does a lot of nice stuff like shunting audio between different sinks in real time and per-application volume adjustment. I don't like Windows, but I'm at least a big enough of a man to admit when M$ does something decent.

So yeah, I removed PulseAudio from my "Lennart" section in my /etc/portage/package.mask, turned on the use flag globally, recompiled, and now everything "just works." I even threw out the .asoundrc I'd cooked up since PulseAudio does it all for me now.

Somebody told me a while back that Lennart hasn't touched PulseAudio in a while, so that's probably why. NetworkManager is still a pile of shit. You might have noticed I'm a Gentoo user up there, and I'm very happy with OpenRC. Fuck systemd.

Re:Who the hell let the PulseAudio dev near init?

[gweihir]

Incompetence coupled with extreme arrogance. The same old story all over again, although the morons that decided that systemd is ready for mainstream usage are the truly "special" ones here. There are a lot of incompetent coders out there and the Poettering-cabal was _known_ to be incompetent before, but instead of simply ignoring this broken mess and the cretins behind it, they had to make it the default init-system and apparently now default everything else.

Systemd again???

Systemd is just a piece of crap. It's slow, bloated, broken, and a security hole waiting to be exploited. I propose that all linux distros revert back to init.d and dispose of this garbage code at a microsoft coding camp.

Dare I say it?

[DontBeAMoran]

Here goes: systemd, the cause of all modern Linux problems.

systemd is completely backward in how unix systems are built. You're supposed to have tiny programs do one job and do it well. systemd is a huge monolith that's assimilating everything on its path.

Wait, why does that sound familiar?

Anyone know if the authors of systemd are getting paid by Microsoft, by any chance?

Re:Dare I say it?

The grand irony here is at the same time MS is going in the opposite direction. Many things in Windows are now being handled by " tiny programs do one job and do it well".

Reconfiguring Windows Server via the fancy GUI? It is quite literally a front-end to a bunch of Powershell commands, I shit you not.

Re:Dare I say it?

[Kjella]

I'm not saying that systemd is the answer, but... the old init system worked great if all you ever needed was an init system. That is to say your machine got everything plugged in on boot, always on a wired network and always on AC. The only thing you need the init system for was to get you from cold hardware to a running state, then it could declare "my work here is done" and go into retirement until it was time for shutdown. For some people that's all they need, good for you. Anything dynamic has been a mess. Suspend/resume/hibernate, hot-plugging/unplugging, wired/wireless, connected/not connected to network, AC/battery, power management, docked/undocked, switchable graphics, the list goes on and on.

The track record is not much better when it comes to shared resources like window managers, composited desktops, sound cards etc. that need some kind of mediator like a compositor or sound server. You can of course say that every application should solve this on their own, but the truth is that we know they don't and there's a huge patchwork of solutions that try to make applications play nice, often competing so this application will only work with that system-level service. I can understand that you don't want to support two init systems (SysV, systemd), four sound servers (PulseAudio, ALSA, Jack, OSS), two window managers (X11, Wayland) and so on.

For this you want a modern POSIX, call it an "application execution environment" if you will. A running mediator between the applications and their surroundings, not just at boot but as long as the machine has power. Maybe this could be solved by a hundred small services of various kinds or at least that's its a better solution than one gigantic mess. But to pretend it's all working great is something of an exaggeration, to say the least.

Re:Dare I say it?

[chihowa]

The problem with systemd is the half-assed assimilation of more and more system functions.

• Why does systemd even have its own DNS resolver?
• How many people are working on it and reviewing the code for security issues?
• Why was the whole thing rewritten from scratch instead of just writing a shim for the previously used, reviewed, secure resolvers that exist?

It's not just DNS resolvers, either. I've had issues with systemd's own (very incomplete) SNTP client, which is used instead of more mature and robust clients. Why do they keep reinventing the wheel in such a sloppy way?

Re:Dare I say it?

[rainer_d]

I'm not saying that systemd is the answer, but... the old init system worked great if all you ever needed was an init system. That is to say your machine got everything plugged in on boot, always on a wired network and always on AC. The only thing you need the init system for was to get you from cold hardware to a running state, then it could declare "my work here is done" and go into retirement until it was time for shutdown. For some people that's all they need, good for you. Anything dynamic has been a mess. Suspend/resume/hibernate, hot-plugging/unplugging, wired/wireless, connected/not connected to network, AC/battery, power management, docked/undocked, switchable graphics, the list goes on and on.

I don't need all of that.

When I want a working implementation of that, I just buy a MacBook and run macOS.

Or run Windows, which also exists.

I just need a server that doesn't shit itself between patch-runs, reboots and that doesn't f' up things that worked quite well for a decade (and continue to work quite well on OSs that didn't let an amateur design such a thing (which incidentally is also how Mac OS X got it right: they got people from NeXT and the guy who co-founded the FreeBSD project to head their Unix-y base for a decade)).

Re:Dare I say it?

[epine]

Your entire post is a paean for a two-track solution: a sane, modular solution for servers (already extant), and a convenience solution for mobile devices (if under "convenience" one accepts that some, or many, or most reboots might not be optional).

Slashdot is precisely that forum which caters first of all to the former group.

In 1999, the Japanese firm NTT DoCoMo released the first smartphones to achieve mass adoption within a country. Smartphones became widespread in the late 2000s.

Yeah? Slashdot was founded in 1997. All the better to shit on 1998, and much else from the same "a quick reboot will fix it (for a while)" family tree.

Re:Dare I say it?

[the_humeister]

You're supposed to have tiny programs do one job and do it well.

emacs would like to have a word with you.

What else will I get with the update?

[damn_registrars]

Some time ago I upgraded from 14.04 LTS to 16.04 LTS. Along the way I got some great new features, including:

• A new version of CUPS that randomly crashes without warning or logging
• A power management system that locks configuration files pertaining to my display settings whenever I put my laptop to sleep
• Random obliteration of my .bash_history file

What else can I look forward to if I download this update?

Re:What else will I get with the update?

[fisted]

Yep, and finally their names will be predictable(*)

(*) Predictable for software(**), not for humans.

(**) Provided the software knows all sorts of details, like, where exactly on what bus the NIC is attached, and so on(***).

(***) i.e. essentially unpredictable(****) for software and for humans.

(****) But we refer to it as "predictable(TM)" anyway.

Re:Proof that Linux is just as insecure as Windows

[Walter+White]

Guess again. Ubuntu is the most popular Linux server distro.

http://www.serverwatch.com/col...

Re: Proof that Linux is just as insecure as Window

[Opportunist]

Won't get that past the 8th amendment.

For those keeping track...

[Gravis+Zero]

SystemD has 617 issues open and there is no sign of all issues being resolved this decade.

Re:For those keeping track...

[Gravis+Zero]

That graph is the infant graph of every project

Sure... except that systemd has been around for seven years. It's not maturing because it's always expanding.

They need help.

I agree, they are rudderless boat that runs into other projects and absorbs them. What they need is vision but the project leaders are blind mice in a maze with no finish line. I cannot help them because they will not accept one of their ideas being rejected.

What are YOU doing to help them? There's 617 things you could be working on.

I've been writing a properly designed replacement to dislodge systemd. It's portable, superior but most importantly it follows the UNIX design philosophy. However, I will not be an enabler of those who work on systemd by cleaning up their messes for the next 30 years.

Open source software is evolutionary and systemd too will go the way of the dinosaurs.

Re:For those keeping track...

[gweihir]

We have the most issues! Other projects cannot compete, so sad.

Re:For those keeping track...

[gweihir]

I will certainly not help a project that was fundamentally broken from the start, because its main developers are known incompetents with bad personalities that do not understand the Unix-philosophy at all. If I want to run something made by clueless morons, I just boot Windows, no need to replicate the same lack of understanding on Linux.

Re:For those keeping track...

[gweihir]

That graph is the infant graph of every project

Sure... except that systemd has been around for seven years. It's not maturing because it's always expanding.

And that is just it: They are making one of the worst beginners mistakes. And that they are still beginners after 7 years shows that there is something fundamentally wrong with them. The usual explanation is incompetence coupled with arrogance, and it does seem to fit well here. The incompetence makes them beginners and the arrogance prevents them from learning. In addition, they are also uneducated, as Brooks described the things they are doing wrong about 40 years ago.

Re:For those keeping track...

[CRC'99]

That graph is the infant graph of every project

Sure... except that systemd has been around for seven years. It's not maturing because it's always expanding.

They even made a game about systemd:

http://agar.io/

Re:For those keeping track...

[thegarbz]

Sure... except that systemd has been around for seven years.

And it has been in wide circulation for less than 3. I see you've never worked on a major piece of software before.

Re:For those keeping track...

[thegarbz]

And that they are still beginners after 7 years shows that there is something fundamentally wrong with them.

Why don't you try and code a fundamental part of an OS that is attempting to manage every other part of the OS, then we'll see how long you take.

Re:For those keeping track...

[thegarbz]

Yeah. It's fundamentally broken, that's exactly why the technical committees of all major distributions have adopted it. It's just as fundamentally broken as Windows, the OS that runs the entire world.

Yep they've totally done goofed. How silly of them.

p.s. You're an idiot.

Re:For those keeping track...

[gweihir]

I do not even need to comment on this. You made it amply clear who the idiot here actually is.

Re:For those keeping track...

[gweihir]

Why would I try to do something _this_ stupid?

Re:For those keeping track...

[Gravis+Zero]

Major or minor is irrelevant. What's relevant here is the design or rather the lack thereof. I could argue the specifics but I don't think you have looked at the code. If you actually want to know more about the design of systemd, here's a basic explanation of how it's core works.

Re: Proof that Linux is just as insecure as Windo

fuck beta

/. is pretty predictable

[Opportunist]

When I read the story, I immediately thought "Half the comments will be about Petya, the other half will lament how systemd is the spawn of hell".

I was not disappointed.

Re:Linux might become as insecure as Windows!

The problem isn't with Linux, it's with systemd. I do use a distro that unfortunately uses systemd. I was actually surprised at how fast systemd infected so many distributions when so many people seemed to complain about it. There seemed to be a lot of arguments over at Debian, so much that a group of those involved left to create a fork of Debian. I haven't had any problems with it yet, but I am wary of it, and how it goes against what Linux is.

News?

[sqorbit]

A vulnerability is found, update your system. How is that news? That should just be common practice. When security updates are released for your OS, update it. This is not news. Vulnerabilities are found often in all OSes. And updates are released. Seems to me like the article is attempting to call out Ubuntu rather that actually inform and educate.

Re:News?

It's news because it's a vulnerability in a systemd component and Slashdot loves a good systemd story.

Re:News?

[thegarbz]

A vulnerability is found, update your system. How is that news?

There's three types of vulnerabilities that make the news here:
1) Windows vulnerabilities - because Slashdot loves a good laugh.
2) Linux vulnerabilities - because Slashdot loves freaking out.
3) Systemd vulnerbilities - because Slashdot loves thinking they were right and systemd is evil.

This is a 2 out of 3. I suspect by the morning there will be 900 comments and the Slashdot mobile interface will rate this as the story with the most interest and activity, ... errr I mean the most ad revenue.

Re:News?

[apoc.famine]

the story with the most interest and activity, ... errr I mean the most ad revenue.

Beat me to it. Systemd articles generate page views. We know this, yet here we are, contributing to the dumpster fire.

Oh well

[farlukar]

I had already swapped systemd-resolved for dnsmasq because that works.

lotta that going around lately

[Thud457]

the paradigm of the age is "we don't care what the users/customers/voters think, we're doing it anyway".

Re:lotta that going around lately

[spire3661]

I miss the age of 'User requests are what computers are for!'

Re:lotta that going around lately

[Vlijmen+Fileer]

Indeed.
I have fond memories for example of how Gnome once decided to remake their desktop environment into little more than a wallpaper, and kept it like that, utterly unusable, for what, two years, all in the name of "goodness".
Arrogant turds.

Re:Proof that Linux is just as insecure as Windows

This bug affects 17.04 and 16.10, nothing critical should be running on non LTS releases anyway.

Linus doesn't care

[Drunkulus]

Fed up with systemd, Linus switched his home machine to freebsd last year.

Please, do not use systemd

[what+about]

Switch to slackware, devuan, gentoo...

After all Linux is still a few percentage of desktop, no need to install Debian derivative
We are competent admin, are we not ?

Yes, it is painful to see such a great distro being overtaken by such a crap software.

Live long and prosper

Re:Please, do not use systemd

> Switch to slackware, devuan, [...] no need to install Debian derivative
You do realise that Devuan is advertised as systemd-free Debian, right?

Re:Proof that Linux is just as insecure as Windows

interestingly enough, everyone who argued against systemd has been validated. Systemd is a cancer and should be irradicated from all distributions. Systemd is an active effort to fuck over Linux to be more like Windows. As systemd continues to be used, Linux continues to become as broken, dysfunctional, and unsecure as Windows.

Only the dumb of the dumb actually champion systemd.

Finally... The year of the Linux Desktop

[Oswald+McWeany]

Finally, we may be seeing the year of the Linux Desktop... ...Malware.

Already updated, as usual

[hackel]

Whenever I see one of these vulnerability notices, I always go to to check/update my system, and I always find that my system has installed the fix itself, automatically. Honestly, it's really quite impressive. Nothing like the proprietary worlds. Thanks, Ubuntu, Debian, and the systemd teams!

Reinventing the wheel = reinventing all the bugs

Shitstemd apologists are too stupid to understand that by reinventing all these wheels also means reinventing all the bugs that have been long encountered and fixed in mature and stable code that shitstemd the project wants to reinvent.

It doesn't matter if resolved is not part of the init, or not part of PID 1. It's part of the project and idiot maintainers are including it because they have zero clue about the software they're maintaining. They opted for systemd because unit files are easier to maintain than shell scripts. Fine. Then use JUST the init.

Why the fuck do you have to include everything else, Ubuntu maintainers? What was so damn wrong with all the tried and tested resolving functions that you had to replace it with this steaming turd written by windows noobs who had no money to get into development for Windows, so they opted to take this mentality into Linux.

You idiots think that the "systemd drama" has settled? Think twice. The crapfest and trainwreck has merely STARTED. Next: CVE of epic proportions that owned the entire systemd/linux ecosystem, brought down milions of webservers and ground the Internet to a halt.

Stallman? When you're done eating your toe jam, perhaps you could chime in and defend the GNUserland which is fading away.

Just Ubuntu?

[aglider]

If so, those guys introduced a bug into a working package.
If not, those guy introduced a buggy package in a working environment.
Blame those guys!

Re:Proof that Linux is just as insecure as Windows

[BarbaraHudson]

And they don't just update willy-nilly to the latest distro. You update too quickly, you know you're really a canary in a cage. So the "solution" is to update again? I'd roll back to the previous version of whatever you were using and wait a bit.

But hey, useful fools and all that ...

Re:SystemD is a computer virus

[BarbaraHudson]

I have seen many trolls in my lifetime, but I don't think I've ever seen one as sad and pathetic as this.

You must be new here.

Redhat...

[sys64764]

There's all this whining about systemd and comparing it to Microsoft but comparing Redhat to Microsoft seems more appropriate, no?

Re:Redhat...

[JustNiz]

When I think of Microsoft I think giant anti-competitive sneaky dirty tricks, such as embrace and extend, a.k.a make a new friend, stab him in the back, move into his house, and sleep with his wife.

I'm not seeing anything on the scale of MS's standard playbook going on anywhere in the Linux world.

Yes, News!

[thesupraman]

The news is clear, Shill.

The news here is that systemd, in its usual 'we know better than anyone, even though we have very very little experience' way replaced perfectly functional systems for the most dubious of reasons (usually 'because we want to make them different, and cannot even be bothered raising our reasons with maintainers of existing solutions because then we may need to rationalise what we want'), and went away and implemented a system broken in a way SO foolish that the existing solutions have addressed exactly these issues decades ago.
Not to mention the fact that they have worked hard to try and make it unavoidable that ALL linux solutions will end up with the problems caused by their basic ignorance by making systemd basically indespensible.

Clear enough? Or perhaps you think a trivially exploitable and almost indefensible DNS bug, along with a file system wiping bug (the good old rm ../...) are just minor bumps on the road to nirvana?

Of course the clear and obvious REASON for systemd is a power grab by RedHat to give them control of the Linux 'standard'. It is unfortunate that they cannot see past their own grab at power to see how damaging such an approach is to the robustness of Linux itself -they must turn away, stick their fingers in their ears, and sing 'la la la la, wont happen to us, la la la la' loudly to themselves each time a big windows exploit drops these days.. Because that is the endpoint of the path they are following.

A nothing burger!

[Jerry]

Talk about a "nothing burger" ... this is one!

The fix? Merely a standard "sudo apt upgrade & sudo apt full-upgrade", something most users of Ubuntu & its derivatives do with automatic updates.

This vulnerability doesn't affect Ubuntu LTS

[PhunkySchtuff]

Just be aware that if you're running a LTS version of Ubuntu, it doesn't have this vulnerability.
As per the linked article, this issue affects Ubuntu 17.04 & Ubuntu 16.10. The most recent LTS release is 16.04

Lennart from RedHat _Desktop_ team, rules over eve

[cryptogranny]

Somebody explain to me please, how come that Lennart from RedHat _Desktop_ team, rules over everything?! I just don't get it.