Version 256.17

- Fixes for systemd itself, systemd-networkd, systemd-ssh-generator,
  systemd-fstab-generator, bootctl, systemd-repart, systemd-vmspawn,
  the shared library code, udev rules, resolvectl, shell completions,
  documentation
- Update of the hardware database

changelog

@@ -1,3 +1,134 @@
+* Thu May 29 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.15-1
+- Version 256.15
+- Fix for local information disclosure in systemd-coredump (CVE-2025-4598)
+- Various other fixes
+
+* Thu May 15 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.13-1
+- Version 256.13
+- Various small fixes in multiple components
+
+* Fri Mar 07 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.12-1
+- Version 256.12
+- Fixes for systemd itself, sd-boot, systemd-resolved, systemd-id128,
+  systemd-networkd, systemd-logind, systemd-tmpfiles, systemd-vmspawn,
+  systemd-userdb, udev, ukify, systemctl, homectl, fido2 code,
+  virtualization detection, internal shared library, shell completions,
+  documentation.
+- Hardware database is updated
+- Adds new DNSSEC anchor key for systemd-resolved
+- Adds new Fedora keys for systemd-importd
+- Adds a Georgian mapping to the keymap list
+
+* Fri Mar 07 2025 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.11-4
+- Make sure we pull in libbpf >= 2:1.4.7 if libbpf is installed
+
+* Fri Mar 07 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.11-2
+- Move some files into subpackages
+- systemd-ac-power is moved to systemd-udev
+- portablectl and importctl are moved to systemd-container (rhbz#2345551)
+
+* Wed Jan 08 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.11-1
+- Version 256.11
+- Fixes for assertion crashes and memory access issues in pid1 and systemd-
+  machined, and other fixes for systemd-repart, systemd-resolved, systemd-
+  stdio-bridge, sd-device, hibernation, and the hardware database.
+
+* Sat Jan 04 2025 Orion Poplawski <orion@nwra.com> - 256.10-2
+- Disable unmerged-bin taint for F41 (rhbz#2334525)
+
+* Sat Dec 21 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.10-1
+- Version 256.10
+- Fixes for man pages, shell completion, logging, systemd-networkd,
+  systemd-resolved, systemctl edit.
+
+* Tue Dec 03 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.9-3
+- Recommend qemu-kvm-core instead of qemu-kvm (rhbz#2329979)
+
+* Fri Nov 29 2024 David Tardon <dtardon@redhat.com> - 256.9-2
+- Use %%systemd_preun in systemd-resolved
+
+* Fri Nov 29 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.9-1
+- Version 256.9
+- Resolves rhbz#2329211
+
+* Tue Nov 19 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.8-2
+- Pull in qemu from systemd-container
+
+* Thu Nov 14 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.8-1
+- Version 256.8
+- Improvements to logging, documentation, systemd, systemd-repart, systemd-
+  networkd, systemd-network-generator, systemd-nspawn, systemd-resolved,
+  systemd-run, systemd-dissect, systemd-pcrlock, systemd-logind, systemd-
+  bsod, udev, ukify
+- Resolves #2323323: system will boot to cgroup v2 automatically unless
+  overriden
+- Resolves #2321268: freezing of user processes is disabled
+- Hardware database is updated
+
+* Thu Nov 14 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.7-2
+- Disable freezing of user sessions (rhbz#2321268)
+
+* Fri Oct 11 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.7-1
+- Version 256.7
+- Various small fixes in many components
+- Documentation updates
+
+* Tue Sep 24 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.6-3
+- Move yum/dnf protection removal config file under /usr
+
+* Thu Sep 12 2024 Matteo Croce <teknoraver@meta.com> - 256.6-1
+- Version 256.6
+
+* Thu Aug 29 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.5-6
+- Always build ukify package
+
+* Wed Aug 28 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.5-5
+- Do not use patch to modify systemd-user pam config file
+
+* Wed Aug 28 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.5-4
+- Drop %%upstream conditionalization for patches
+
+* Tue Aug 27 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.5-3
+- Only make python3-pillow Recommends on Fedora
+
+* Sat Aug 24 2024 Davide Cavalca <dcavalca@fedoraproject.org> - 256.5-2
+- Do not require grubby on CentOS Stream 9
+
+* Tue Aug 20 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.5-1
+- Version 256.5
+- Includes the patches for the kernel change with kernel threads in leaf
+  cgroups (https://github.com/systemd/systemd/pull/33885)
+- Various smaller fixes
+
+* Tue Aug 20 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.4-4
+- Disable integration of userdb in sshd
+
+* Mon Jul 29 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.4-3
+- Backport patch to only read /proc/cmdline when not in container
+
+* Mon Jul 29 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.4-2
+- Backport upstream patch to try more initrd variants in
+  90-loaderentry.install
+
+* Thu Jul 25 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.4-1
+- Version 256.4
+- Hardware db update
+- Minor fixes for systemd-udevd and varlink protocol
+
+* Tue Jul 23 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.3-3
+- Update tmpfiles --destroy-data patch
+
+* Tue Jul 23 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.3-1
+- Version 256.3
+- A bunch of fixes for systemd (pid1)
+- Various upgrades related to running tests in mkosi
+
+* Sat Jul 20 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.2-17
+- Simplify BFQ scheduler enablement
+
+* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 256.2-16
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
 * Wed Jul 17 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.2-9
 - Backport udma buffer access patch (rhbz#2298422)
 

sources

@@ -1 +1 @@
-SHA512 (systemd-256.7.tar.gz) = 2ff3805a7d97780a716b23ddeea3722a85aba6326ecee527e53e9d35510a0ffa5ec0bf0cdbf8f3409bb9c6832406916f63eb7e8305db5f67c284e5590c642422
+SHA512 (systemd-256.17.tar.gz) = c0f5d82f1220c69e8dc136e796ed9594bd9357450320c077a4c36151585508dfef58e16452ee64af7c32b90861a22996e9d567d76d71c15ce2136f96194f2be2

split-files.py

@@ -137,10 +137,20 @@ for file in files(buildroot):
 
     elif re.search(r'''mymachines|
                        machinectl|
+                       importctl|
+                       portablectl|
                        systemd-nspawn|
+                       systemd\.nspawn|
                        systemd-vmspawn|
+                       systemd-dissect|
                        import-pubring.gpg|
-                       systemd-(machined|import|pull)|
+                       systemd-machined|
+                       systemd-import|
+                       systemd-export|
+                       systemd-pull|
+                       systemd-mountfsd|
+                       systemd-mountwork|
+                       systemd-nsresource|
                        /machine.slice|
                        /machines.target|
                        var-lib-machines.mount|
@@ -173,6 +183,7 @@ for file in files(buildroot):
 
     elif re.search(r'''udev(?!\.pc)|
                        hwdb|
+                       ac-power|
                        bootctl|
                        boot-update|
                        bless-boot|

systemd-unmerged-bin.patch

@@ -0,0 +1,16 @@
+diff -up systemd-256.10/src/core/taint.c.unmerged-bin systemd-256.10/src/core/taint.c
+--- systemd-256.10/src/core/taint.c.unmerged-bin	2024-12-20 12:47:26.000000000 -0700
++++ systemd-256.10/src/core/taint.c	2025-01-04 12:12:51.478892350 -0700
+@@ -45,10 +45,10 @@ char* taint_string(void) {
+                 stage[n++] = "unmerged-usr";
+ 
+         /* Note that the check is different from default_PATH(), as we want to taint on uncanonical symlinks
+-         * too. */
++         * too.
+         if (readlink_malloc("/usr/sbin", &usr_sbin) < 0 || !PATH_IN_SET(usr_sbin, "bin", "/usr/bin"))
+                 stage[n++] = "unmerged-bin";
+-
++         */
+         if (readlink_malloc("/var/run", &var_run) < 0 || !PATH_IN_SET(var_run, "../run", "/run"))
+                 stage[n++] = "var-run-bad";
+ 

systemd.spec

@@ -47,7 +47,7 @@ Name:           systemd
 Url:            https://systemd.io
 # Allow users to specify the version and release when building the rpm by 
 # setting the %%version_override and %%release_override macros.
-Version:        %{?version_override}%{!?version_override:256.7}
+Version:        %{?version_override}%{!?version_override:256.17}
 Release:        %autorelease
 
 %global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?)
@@ -57,12 +57,14 @@ License:        LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later
 Summary:        System and Service Manager
 
 # download tarballs with "spectool -g systemd.spec"
-%if %{defined branch}
+# packit will always rewrite the first Source0 it finds, ignoring any conditionals so list
+# the fallback source that's used if neither %%branch nor %%commit are defined first.
+%if %{undefined branch} && %{undefined commit}
+Source0:        https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version_no_tilde}.tar.gz
+%elif %{defined branch}
 Source0:        https://github.com/systemd/systemd/archive/refs/heads/%{branch}.tar.gz
 %elif %{defined commit}
 Source0:        https://github.com/systemd/systemd/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
-%else
-Source0:        https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version_no_tilde}.tar.gz
 %endif
 # This file must be available before %%prep.
 # It is generated during systemd build and can be found in build/src/core/.
@@ -124,6 +126,9 @@ Patch0491:      https://github.com/systemd/systemd/pull/30846.patch
 # Soft-disable tmpfiles --purge until a good use case comes up.
 Patch0492:      0001-tmpfiles-make-purge-hard-to-mis-use.patch
 
+# Remove the unmerged-bin taint for F41, this will be done in F42
+Patch0500:      systemd-unmerged-bin.patch
+
 %ifarch %{ix86} x86_64 aarch64 riscv64
 %global want_bootloader 1
 %endif
@@ -251,6 +256,7 @@ Requires:       %{name}-libs%{_isa} = %{version}-%{release}
 %{?fedora:Recommends:     %{name}-resolved = %{version}-%{release}}
 Recommends:     diffutils
 Requires:       (util-linux-core or util-linux)
+Requires:       (libbpf >= 2:1.4.7 if libbpf)
 Provides:       /bin/systemctl
 Provides:       /sbin/shutdown
 Provides:       syslog
@@ -492,7 +498,7 @@ Requires:       (systemd-boot if %{shrink:(
 )})
 Requires:       python3dist(pefile)
 %if 0%{?fedora}
-Requires:       python3dist(zstd)
+Requires:       python3dist(zstandard)
 %endif
 Requires:       python3dist(cryptography)
 %if 0%{?fedora}
@@ -543,7 +549,11 @@ Requires:       %{name}%{_isa} = %{version}-%{release}
 Requires(post):   systemd%{_isa} = %{version}-%{release}
 Requires(preun):  systemd%{_isa} = %{version}-%{release}
 Requires(postun): systemd%{_isa} = %{version}-%{release}
-# obsolete parent package so that dnf will install new subpackage on upgrade (#1260394)
+# For systemd-vmspawn which uses qemu:
+Recommends:     qemu-kvm-core
+Recommends:     qemu-device-display-virtio-gpu
+Recommends:     qemu-device-display-virtio-vga
+# Obsolete parent package so that dnf will install new subpackage on upgrade (#1260394)
 Obsoletes:      %{name} < 229-5
 # Bias the system towards libcurl-minimal if nothing pulls in full libcurl (#1997040)
 Suggests:       libcurl-minimal
@@ -1022,6 +1032,15 @@ mv %{buildroot}/usr/lib/tmpfiles.d/20-systemd-userdb.conf{,.example}
 
 install -m 0644 -t %{buildroot}%{_prefix}/lib/pam.d/ %{SOURCE26}
 
+# Disable freezing of user sessions while we're working out the details.
+mkdir -p %{buildroot}/usr/lib/systemd/system/service.d/
+cat >>%{buildroot}/usr/lib/systemd/system/service.d/50-keep-warm.conf <<EOF
+# Disable freezing of user sessions to work around kernel bugs.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=2321268
+[Service]
+Environment=SYSTEMD_SLEEP_FREEZE_USER_SESSIONS=0
+EOF
+
 %find_lang %{name}
 
 # Split files in build root into rpms
@@ -1185,10 +1204,8 @@ fi
 %systemd_post systemd-resolved.service
 
 %preun resolved
+%systemd_preun systemd-resolved.service
 if [ $1 -eq 0 ] ; then
-        systemctl disable --quiet \
-                systemd-resolved.service \
-                >/dev/null || :
         if [ -L /etc/resolv.conf ] && \
             realpath /etc/resolv.conf | grep ^/run/systemd/resolve/; then
                 rm -f /etc/resolv.conf # no longer useful