UbuntuUpdates.org

Package "systemd-standalone-tmpfiles"

Name: systemd-standalone-tmpfiles

Description:

standalone tmpfiles binary for use in non-systemd systems

Latest version: 255.4-1ubuntu8.16
Release: noble (24.04)
Level: security
Repository: universe
Head package: systemd
Homepage: https://www.freedesktop.org/wiki/Software/systemd


Other versions of "systemd-standalone-tmpfiles" in Noble

Repository  Area      Version
base        universe  255.4-1ubuntu8
updates     universe  255.4-1ubuntu8.16

Changelog

Version: 255.4-1ubuntu8.16 2026-06-08 16:07:51 UTC

  systemd (255.4-1ubuntu8.16) noble-security; urgency=medium

  * SECURITY UPDATE: escape-to-host via malformed optional config file
    - debian/patches/CVE-2026-40226-1.patch: nspawn: apply BindUser/Ephemeral
      from settings file only if trusted in src/nspawn/nspawn.c.
    - debian/patches/CVE-2026-40226-2.patch: nspawn: normalize pivot_root paths
      in src/nspawn/nspawn-mount.c.
    - CVE-2026-40226

 -- Marc Deslauriers <email address hidden> Fri, 05 Jun 2026 11:36:29 -0400

CVE-2026-40226 In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.

Version: 255.4-1ubuntu8.14 2026-03-24 02:08:06 UTC

  systemd (255.4-1ubuntu8.14) noble-security; urgency=medium

  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd
    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves
      a leading slash in place
    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag
    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()
    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently
  * SECURITY UPDATE: Local root execution via malicious hardware devices
    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch
    - d/p/udev-fix-review-mixup.patch
    - No CVE number

 -- Nick Rosbrook <email address hidden> Fri, 13 Mar 2026 12:48:42 -0400


Version: 255.4-1ubuntu8.8 2025-06-09 16:07:27 UTC

  systemd (255.4-1ubuntu8.8) noble-security; urgency=medium

  * SECURITY UPDATE: race condition in systemd-coredump
    - debian/patches/CVE_2025_4598_1.patch: coredump: get rid of
      _META_MANDATORY_MAX.
    - debian/patches/CVE_2025_4598_2.patch: coredump: use %d in kernel core
      pattern.
    - debian/patches/CVE_2025_4598_3.patch: coredump: also stop forwarding
      non-dumpable processes.
    - debian/patches/CVE_2025_4598_4.patch: coredump: get rid of a bogus
      assertion.
    - CVE-2025-4598
  * this update does not include the changes from 255.4-1ubuntu8.7 as included in noble-proposed

 -- Octavio Galland <email address hidden> Wed, 04 Jun 2025 09:24:15 -0300

CVE-2025-4598 A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to


