seccomp: drop mincore() from @system-service syscall filter group

[thirdparty/systemd.git] / NEWS

diff --git a/NEWS b/NEWS
index 9b43907fcba9cad43f53e92ba9b34e6a0a19d5be..c76b571d2baf10a942a5459991b3e7b554331571 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,51 @@
 systemd System and Service Manager
 
+CHANGES WITH 241 in spe:
+
+        * The default locale can now be configured at compile time. Otherwise,
+          a suitable default will be selected automatically (one of C.UTF-8,
+          en_US.UTF-8, and C).
+
+        * The version string shown by systemd and other tools now includes the
+          git commit hash when built from git. An override may be specified
+          during compilation, which is intended to be used by distributions to
+          include the package release information.
+
+        * systemd-cat can now filter standard input and standard error streams
+          for different syslog priorities using the new --stderr-priority=
+          option.
+
+        * systemd-journald and systemd-journal-remote reject entries which
+          contain too many fields (CVE-2018-16865) and set limits on the
+          process' command line length (CVE-2018-16864).
+
+        * $DBUS_SESSION_BUS_ADDRESS environment variable is set by pam_systemd
+          again.
+
+        * kernel-install script now optionally takes a path to an initrd file,
+          and passes it to all plugins.
+
+        * The mincore() system call has been dropped from the @system-service
+          system call filter group, as it is pretty exotic and may potentially
+          used for side-channel attacks.
+
+        * -fPIE is dropped from compiler and linker options. Please specify
+          -Db_pie=true option to meson to build position-independent
+          executables. Note that the meson option is supported since meson-0.49.
+
+        * The fs.protected_regular and fs.protected_fifos sysctls, which were
+          added in Linux 4.19 to make some data spoofing attacks harder, are
+          now enabled by default. While this will hopefully improve the
+          security of most installations, it is technically a backwards
+          incompatible change; to disable these sysctls again, place the
+          following lines in /etc/sysctl.d/60-protected.conf or a similar file:
+
+              fs.protected_regular = 0
+              fs.protected_fifos = 0
+
+          Note that the similar hardlink and symlink protection has been
+          enabled since v199, and may be disabled likewise.
+
 CHANGES WITH 240:
 
         * NoNewPrivileges=yes has been set for all long-running services
@@ -455,6 +501,17 @@ CHANGES WITH 240:
           notified about this userspace breakage quickly, but they chose to
           ignore it.
 
+        * PermissionsStartOnly= setting is deprecated (but is still supported
+          for backwards compatibility). The same functionality is provided by
+          the more flexible "+", "!", and "!!" prefixes to ExecStart= and other
+          commands.
+
+        * $DBUS_SESSION_BUS_ADDRESS environment variable is not set by
+          pam_systemd anymore.
+
+        * The requirements to build systemd is bumped to meson-0.46 and
+          python-3.5.
+
         Contributions from: afg, Alan Jenkins, Aleksei Timofeyev, Alexander
         Filippov, Alexander Kurtz, Alexey Bogdanenko, Andreas Henriksson,
         Andrew Jorgensen, Anita Zhang, apnix-uk, Arkan49, Arseny Maslennikov,