Releases: liske/needrestart
3.8
Security
- [Core] CVE-2024-48991: Prevent race condition on /proc/$PID/exe evaluation.
  (responsibly reported by Qualys)
- [Interp] CVE-2024-11003: Drop usage of Module::ScanDeps to prevent an LPE.
  (responsibly reported by Qualys)
- [Interp] CVE-2024-48990: Do not set the PYTHONPATH environment variable to prevent an LPE.
  (responsibly reported by Qualys)
- [Interp] CVE-2024-48992: Do not set the RUBYLIB environment variable to prevent an LPE.
  (responsibly reported by Qualys)
Changes
- [Core] Refactor device number comparison to be independent of leading zeros.
  (closes #286)
- [Interp] Enable ruby check for versioned ruby binary names.
  (suggested by Qualys)
- [Interp] Chdir into an empty directory to prevent python from parsing arbitrary files.
  (motivated by Qualys)
Fixes
- [VM] Fix spelling mistake.
  (github pull request #309 by @fritz-fritz)
- [Core] Make OpenMetrics output prometheus compatible.
  (github pull request #311 by Gabriel Filion @lelutin)
- [uCode] Fix error handling logic being dependent on debug level.
  (github pull request #313 by Aristarkh Zagorodnikov @onyxmaster)
- [Core] Fix "Use of uninitialized value $sdev in right bitshift".
  (github pull request #314 by Aristarkh Zagorodnikov @onyxmaster)
This release contains critical security fixes in the interpreter module.
The default configuration was vulnerable, but the issues can be mitigated
by disabling the interpreter heuristic in needrestart.conf: $nrconf{interpscan} = 0;
All CVEs received a CVSS score of:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]
Qualys Security Advisory:
https://www.qualys.com/2024/11/19/needrestart/needrestart.txt
Many thanks to the Qualys Security Advisory team and Mark Esler from the
Ubuntu Security Team for the responsible disclosure, reviewing patches and
coordinating the disclosure of these security issues.
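The PYTHONPATH and RUBYLIB fixes above come down to one rule for any privileged helper that has to start an interpreter: never hand the child environment variables that decide where it loads code from, and start it from a directory the unprivileged user does not control. The following is an added illustration in Python, not needrestart's own code (needrestart itself is written in Perl). The list of variables to strip, the use of `python -I`, and the attacker-controlled path are this editor's assumptions and constructed input; they are not taken from the advisory.

```python
"""Start an interpreter from a privileged helper without inheriting
search-path variables.  Added illustration; not needrestart's code."""
import os
import subprocess
import sys
import tempfile

# Variables that make Python, Ruby and Perl load code from caller-chosen
# directories.  needrestart 3.8 stops setting PYTHONPATH and RUBYLIB; the
# Perl entries are an assumption that the same rule applies there.
UNSAFE_SEARCH_PATH_VARS = frozenset({
    "PYTHONPATH", "PYTHONHOME", "PYTHONSTARTUP",
    "RUBYLIB", "RUBYOPT",
    "PERL5LIB", "PERLLIB", "PERL5OPT",
})


def sanitized_env(env):
    """Return a copy of env with every interpreter search-path variable removed."""
    return {k: v for k, v in env.items() if k not in UNSAFE_SEARCH_PATH_VARS}


def python_sys_path(env, isolated):
    """Run a child Python with the given environment from a fresh empty
    directory (mirroring the 3.8 change to chdir into an empty directory)
    and return the child's sys.path as a list of strings."""
    args = [sys.executable]
    if isolated:
        args.append("-I")  # -I: ignore PYTHONPATH, user site-packages and cwd
    args += ["-c", "import sys; print('\\n'.join(sys.path))"]
    with tempfile.TemporaryDirectory() as empty_dir:
        out = subprocess.run(args, env=env, cwd=empty_dir,
                             capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line]


def demo(attacker_dir="/tmp/attacker-controlled"):
    """Compare inheriting PYTHONPATH with scrubbing it.

    Returns (honoured_when_inherited, honoured_after_scrub): whether the
    constructed attacker directory ends up on the child's sys.path."""
    tainted = dict(os.environ, PYTHONPATH=attacker_dir)  # constructed input
    inherited = python_sys_path(tainted, isolated=False)
    scrubbed = python_sys_path(sanitized_env(tainted), isolated=True)
    return attacker_dir in inherited, attacker_dir in scrubbed


if __name__ == "__main__":
    vuln, fixed = demo()
    print("attacker dir on sys.path when PYTHONPATH is inherited:", vuln)
    print("attacker dir on sys.path after scrub + -I:", fixed)
```

With PYTHONPATH inherited the child reports the attacker directory on sys.path, so any module name the helper imports can be satisfied from there; after scrubbing and `-I` it does not. `-I` alone already ignores PYTHONPATH for Python, but scrubbing the environment is the part that generalises to Ruby and Perl, whose RUBYLIB and PERL5LIB behave the same way.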
3.7
Features
- [Interp] Add optional persistent cache support for perl scanning.
  (github pull request #282 by Jean-Marc Saffroy @saffroy)
- [Core] Add OpenMetrics time series output.
  (github pull request #308 by Gabriel Filion @lelutin)
Changes
- [Core] Replace which by command -v.
  (github pull request #254 by @a1346054)
- [Core] Ignore USBGuard.
  (github pull request #257 by Christoph Anton Mitterer @calestyo)
- [Core] Do not ignore dhclient, but prevent restarting ifup automatically.
  (github pull request #262 by @anarcat)
- [Core] Add greetd to the list of restart exclusions.
  (github pull request #266 by Iván Zaera @ivan-zaera)
- [Core] Support dbus replacements.
  (github pull request #276 by @Vladimir-csp)
- [Core] Apply override_rc deterministically.
  (github pull request #280 by Corey Hickey @bugfood)
- [uCode] Test vendor id before checking for Intel ucode.
  (github pull request #284 by FRITZ|FRITZ @fritz-fritz)
- [uCode] Fix AMD ucode checking in non-debug mode.
  (github pull request #288 by @anarcat)
- [uCode] Mark unavailable ucode as CURRENT.
  (github pull request #290 by @anarcat)
- [Kernel] Increase read size for version strings.
  (github pull request #293 by @jaycci)
- [README] Add RPi5 details.
  (github pull request #298 by @Opa-)
- [README] Add RPi1 details.
  (github pull request #304 by @juadde)
- [uCode] Add an option to print uCode hints w/o acknowledgement.
  (github pull request #307 by Adam @adsr)
Fixes
- [README] Prevent shell expansion in example.
  (github pull request #252 by David Taylor @dtaylor84)
- [Core] Fix VM detection regression introduced in f54d85c.
  (github pull request #248 by @zxyrepf)
- [uCode] Fix uninitialized value regression.
  (github pull request #273 by Stefan Bühler @stbuehler)
- [uCode] Fix AMD uCode check in non-debug mode.
  (github pull request #278 by Jan-Philipp Litza @jplitza)
- [CONT] Fix always ignoring lxc/lxd instances.
  (github issue #245 by Mitsuya Shibata @m-shibata)
- [Core] Fix shellcheck issues.
  (github issue #300 by Eisuke Kawashima @e-kwsm)
- [Kernel] Fix kernel version detection for kernel images >= 6.0.
  (github issue #245 by Stefan Bühler @tik-stbuehler)
v3.6
Security
- [Interp] CVE-2022-30688: Anchor interpreter regex to prevent local privilege escalation.
  (responsibly reported by Jakub Wilk)
  DSA 5137-1 | USN-5426-1
Features
- [Core] Add support for runit.
  (Debian Bug#972685 by Lorenzo Puliti plorenzo@disroot.org)
- [VM] Add support to detect outdated VM processes (i.e. qemu).
  (github pull request #216 by Christian Ehrhardt @cpaelzer)
Changes
- [Cont] Improve LXD container support.
  (github pull request #188 by James TD Smith @ahktenzero)
- [Cont] Update cgroup regex for LXC 4.0.
  (github pull request #215 by James TD Smith @ahktenzero)
- [Cont] Support cgroup v2 for docker.
  (github pull request #234 by Markus Frosch @lazyfrosch)
- [Cont] Support cgroup v2 for LXC/LXD.
  (github pull request #238 by Trent Lloyd @lathiat)
- [Core] Support cgroup v2 for services and user sessions.
- [Core] Support systemd manager restart on Ubuntu 20.04+.
  (github pull request #195 by Lars Kollstedt @LarsKollstedt)
- [Core] Do not restart bluetooth.service by default.
  (github pull request #209 by Erik Tews @eriktews)
- [Core] Do not restart elogind by default.
  (github issue #205 by @HumanG33k)
- [Core] Output user sessions in batch mode.
  (github pull request #232 by @anarcat)
- [Core] Use ImVirt for virtualization detection if not running on systemd.
  (Debian Bug#984789 by Patrik Schindler poc@pocnet.net)
- [Interp] Add tolerance when checking script file ctimes to avoid false positives.
  (github pull request #233 by Corey Hickey @bugfood)
- [Kernel] Replace strings(1) by GNU grep to drop binutils dependency.
  (Debian Bug#986507 by Trent W. Buck trentbuck@gmail.com)
Fixes
- [Core] Fix comment for default value of skip_mapfiles.
  (github pull request #179 by @iasdeoupxe)
- [Interp] Fix detection for ruby scripts started from relative paths.
  (github pull request #182 by Alexander Neumann @rtpt-alex)
- [Core] Fix typos.
  (github pull request #189 by @wwuck)
  (github pull request #193 by Stefan Weil @stweil)
- [Core] Fix verbose/verbosity confusion in needrestart.conf.
  (github pull request #197 by Jan-Philipp Litza @jplitza)
- [Core] Ignore memfd files such as those used by nvidia's binary drivers.
  (github pull request #200 by Jan Visser @starquake)
- [Core] Ignore all memfd mappings.
  (Debian Bug#972685 by Michail Bachmann m.bachmann@cms.hu-berlin.de)
- [Core] Ignore Java Native Access mappings.
  (github issue #142 by @nirgal)
  (github issue #185 by Ivan Zaera @izaera)
- [Core] nagios: Do not print perfdata in unknown state.
  (github pull request #222 by Lorenz @RincewindsHat)
- [uCode] Fix 'uninitialized value' on AMD.
  (github pull request #226 by Christian Garbs @mmitch)
Misc
- Minor cleanups (whitespace, shellcheck, ...).
  (github pull request #217 by @a1346054)
- Update README.batch.md.
  (github pull request #219 by Stavros Ntentos @stdedos)
- Add icinga2 example config.
  (github pull request #223 by Lorenz @RincewindsHat)
- [uCode] Fix lsinitrd example.
  (github pull request #240 by Corey Hickey @bugfood)
Full Changelog: v3.5...v3.6
3.5
Features
- [uCode] Check for pending AMD microcode updates (experimental).
  (Debian Bug#886611 by Paul Wise pabs@debian.org)
  (github issue #150 by Tom Reynolds @tomreyn and Mark Wagie @yochananmarqos)
Changes
- [Core] Add network.service to blacklist.
  (github pull request #145 by Marc Dequènes (Duck) @duck-rh)
- [uCode] Check microcode revision of each individual CPU.
- [Kernel] Support kernel image filename filtering required for Raspbian.
  (github issue #146 by @takichikawa)
  (github issue #155 by Fenhl @fenhl and Christian @git-developer)
- [uCode] Support local override for iucode_tool call.
  (github issue #148 by @mphilipps and Marc Dequènes (Duck) @duck-rh)
- [notify] Add app name to notify-send call.
  (github issue #76 by @Vladimir-csp)
Fixes
- [Core] Do not restart networking.service.
  (Debian Bug#922725 by Timo Sigurdsson public_timo.s@silentcreek.de)
- [Core] Fix typo in man page for env variable DEBIAN_FRONT(END).
  (Debian Bug#922864 by Lee Garrett debian@rocketjump.eu)
  (Debian Bug#923853 by Petter Reinholdtsen pere@hungry.com)
- [Interp] Restore cwd when skipping processes with unavailable cwd.
  (github issue #147 by Stavros Ntentos @stdedos)
- [Core] Remove leading zero before testing in map_files.
  (Debian Bug#928225 by Alexander Galanin al@galanin.nnov.ru)
- [Core] Fix typos in ex/needrestart.conf.
  (github pull request #163 by Simon Brand @brandsimon)
- [UI] Don't fail when terminal has zero columns width.
  (github pull request #167 by @libnoon)
- [Core] Ignore mapped files not found on filesystem (stat) to suppress chroot false positives.
  (github issue #158 by @mphilipps)
  (github issue #152 by Ivan Kurnosov @zerkms and @djl)
- [Core] Suppress warnings from Proc::ProcessTable.
  (github issue #170 by @mphilipps)
- [CONT] Fix docker detection on CentOS 7.
  (github issue #165 by Christian Ruppert @idl0r)
- [notify] Fix notify-send not working with dbus-user-session.
  (github issue #76 by @Vladimir-csp)
- [Core] Ignore mapped files in temporary directories.
  (Debian Bug#925408 by Donald Pellegrino donald.a.pellegrino@gmail.com)
3.4
Features:
- [L10n] Add Czech localization.
  (github pull request #131 by @p-bo)
  (github pull request #132 by @p-bo)
  (github pull request #133 by @p-bo)
- [Core] Add FRR to override.
  (github pull request #138 by David Lamparter @eqvinox)
- [Core] Detect if run inside a container or vm using systemd.
  (github issue #139 by Tobby @tobby88)
- [Core] Skip needrestart in apt hook if system is shutting down.
  (Debian Bug#914753 by Balint Reczey balint.reczey@canonical.com)
Changes:
- [Core] Do restart systemd-journald (again).
  (see also Debian Bug#771122, #771254 and #898818)
  (Debian Bug#898818 by Mathieu Parent sathieu@debian.org)
Fixes:
- [uCode] Ignore broken microcode files (required for CentOS).
  (github issue #123 by Marc Dequènes (Duck) @duck-rh)
- [uCode] Parse output of old iucode-tool 1.5.
  (github pull request #127 by Lutz Heermann @LuHee)
- [uCode] Prevent microcode false positives for BIOS updates.
  (Debian Bug#906958 by Maik Zumstrull maik@zumstrull.net)
- [uCode] Handle microcode updates for multiple CPUs in initramfs.
  (Debian Bug#907372 by Paul Wise pabs@debian.org)
- [Core] Ignore temporary mappings of elasticsearch.
  (github issue #134 by Georg @teadur)
- [Core] Do not restart oneshot services from systemd-cron.
  (Debian Bug#917073 by Antti Salmela asalmela@iki.fi)
3.3
ChangeLog
Fixes:
- [Core] Configuration file is ignored.
  (Debian Bug#901999 by Andreas Schmidt pi-c@arcor.de)
  (Debian Bug#902031 by Axel Beckert abe@debian.org)
  (Debian Bug#902049 by Jon nuxi@vault24.org)
  (github issue #121 by Sven Hartge @shartge)
- [Interp] Suppress uninitialized value if abs_path fails.
  (github issue #120 by Craig Andrews @candrews)
3.2
ChangeLog
Changes:
- [Kernel] Include /boot/kernel* while looking for linux kernel images (required for Gentoo).
  (Gentoo Bug 654958 by Klaus Ethgen)
  (github pull request #113 by Craig Andrews @candrews)
- [Core] Do not restart ModemManager by default.
  (github pull request #119 by @bodqhrohro)
Fixes:
- [UI] Do not call GetTerminalSize if STDOUT is not a tty.
  (github pull request #110 by Michael Scherer @mscherer)
- [uCode] Filter microcode for CPU signature and flags.
  (github issue #112 by @mgondium)
  (Debian Bug#900298 by Francois Mescam fmescam@sd-123993.dedibox.fr)
- [uCode] Assigning ucodehints a false value disables ucode checks.
  (github issue #115 by Johannes Kampmeyer @xschlef)
- [Hooks] Ignore non-executable init scripts.
  (github issue #116 by Marc Dequènes (Duck) @duck-rh)
- [L10n] Fix typo in Russian localization.
  (github pull request #118 by @bodqhrohro)
- [UI] Do not leak fd into restarted services.
  (Debian Bug#893152 by Stephen Rothwell debbugs@rothwell.id.au)
3.1
ChangeLog
Changes:
- [uCode] Handle microcode upgrades in early boot initrd images, required at least on Arch Linux.
  (github issue #106 by @Wuestengecko)
Fixes:
- [uCode] Fix uninitialized value in batch mode.
  (Debian Bug#891923 by Bob Proulx <bob@proulx.com>)
  (github issue #105 by Evgenii Terechkov @evgkrsk)
- [uCode] Fix completely broken microcode update detection.
  (github issue #108 by @Wuestengecko)
- [UI] Fix microcode revision placeholders in NeedRestart::UI::stdio.
3.0
Features:
- [Core] Possible to suspend needrestart in apt-get hook using the NEEDRESTART_SUSPEND environment variable.
  (github issue #71 by Ludovic Gasc @GMLudo et al.)
- [Core] Possible to override the configured restart mode using the NEEDRESTART_MODE environment variable.
  (Debian Bug#866105 by Marc Haber mh+debian-bugs@zugschlus.de)
- [uCode] Check for pending Intel microcode updates.
  (Debian Bug#886445 by Paul Wise pabs@debian.org)
Changes:
- [Core] Do not try to restart service units with RefuseManualStop=yes.
  (github issue #75 by Marc Dequènes @duck-rh)
- [Kernel] Try to adopt RPM's version sorting to get the most recent kernel.
  (github issue #73 by Maximilian Gaß @mxey)
- [Core] Tune blacklist_mappings default setting to match on deleted maps.
- [UI] Respect verbosity in UI::stdio, just like UI::Debconf.
  (github pull request #88 by @guillaume-uH57J9)
- [Core] Improve output formatting.
  (github issue #84 by Stavros Ntentos @stdedos)
- [Core] Improve container detection to skip kernel and microcode checks.
Fixes:
- [Core] Makefile: Fix installation of restart.d/ scripts.
  (Debian Bug#851866 by Sven Hartge sven@svenhartge.de)
- [Core] Fix warning in Perl 5.20.x, not triggered in 5.24.x, in needrestart.conf (Oil Runtime Compiler's JIT files).
  (patch by Patrick Matthäi (Debian))
- [Core] Do not restart oneshot services.
  (Debian Bug#862840 by Alan Jenkins alan.christopher.jenkins@gmail.com)
- [Core] Ignore rc-local.service.
  (Debian Bug#852864 by Paul Wise pabs@debian.org)
- [Core] Do not restart libvirt by default.
  (github issue #69 by Craig Andrews @candrews)
- [Interp/Perl] Add missing cwd restore before a return.
  (github issues #55 and #70 by Craig Andrews @candrews and Stefan Bühler @stbuehler)
- [Core] README.md: Fix spelling.
  (github issue #74 by Edward Betts @EdwardBetts)
- [Core] Add bird to override.
  (github issue #78 by Björn Lässig @Farom)
- [Interp/(Perl|Python)] Use absolute paths when searching for the package of a script file.
  (github issue #79 by Christopher Odenbach @odenbach)
- [Hook] Use rpm -q --filesbypkg rather than rpmquery.
  (github issue #81 by Sven Hartge @shartge)
- [CONT] Detect docker container ns running not on systemd.
- [CONT] Ignore processes running inside docker containers.
  (github issue #80 by Christopher Odenbach @odenbach)
- [Core] Ignore special filename mappings used by recent versions of KDE plasmashell.
  (github issue #65 by @GoTeamAnt)
  (Debian Bug#879091 by Paul Wise pabs@debian.org)
- [Core] Fix handling of library mappings if target does not exist.
  (github issue #58 by @pigen)
  (Debian Bug#878700 by Richard Hector richard@walnut.gen.nz)
- [Hook] Fix handling of multiarch packages.
  (github issue #56 by @mayasd)
- [Interp] Ignore interpreter processes with unreachable root fs (i.e. in a different mnt ns).
  (github issue #72 by Stefan Bühler @stbuehler)
- [Core] Add missing unnamed device major numbers (fix for OpenVZ).
  (Debian Bug#876452 by Piotr Pańczyk piotr.panczyk@assecobs.pl)
- [UI] Do not call GetTerminalSize() if STDOUT is not a TTY.
  (Debian Bug#859387 by Paul Wise pabs@debian.org)
  (github issues #85 and #86 by @guillaume-uH57J9)
- [UI] Fix switch from interactive to list mode if debconf is run noninteractive.
  (Debian Bug#876459 by Piotr Pańczyk piotr.panczyk@assecobs.pl)
- [man] Add documentation on restart mode if run non-interactive.
  (Debian Bug#842512 by Antoine Beaupré anarcat@debian.org)
- [Core] Ignore some Java false positives (JNA, JFFI).
  (github pull request #89 by Maximilian Gaß @mxey)
  (github issue #60 by @ge-fa)
- [Core] Output NRPE message "root needed" on stdout.
  (github pull request #91 by @nirgal)
- [Core] Use override_cont when querying containers.
  (github pull request #94 by Nigel Kukard @nkukard)
- [Core] Do not restart docker by default.
- [Core] Fix typo in man page.
  (Debian Bug#885448 by Paul Wise pabs@debian.org)
- [Interp] Fix perl warning if cwd is unreachable.
  (github issue #99 by @glitsj16)
- [Hook] Replace remaining calls of rpmquery by rpm.
  (github issue #100 by Matthias Hörmann @taladar)
- [Core] Fix additional unit detection in dbus restart handler.
  (github issue #104 by Alexander Barton @alexbarton)
2.11
Features:
- [Core] Allow special treatment to restart services (i.e. dbus).
  (github issue #44 by @Vladimir-csp)
- [Cont] Support restarting LXD-based LXC containers.
  (github issue #26 by James Johnston @JohnstonJ)
- [Core] New config option to enforce legacy session detection if systemd is used without PAM integration.
  (github issue #52 by @micw and Eric S. @Korni22)
Fixes:
- [Core] Fix default config type for override_* settings.
  (github issue #47 by @mphilipps)
- [Kernel] Ignore initrd filenames while looking for kernel image files.
  (github issue #49 by Evgenii Terechkov @evgkrsk)
- [Kernel] Strip .img from version string when deducing the kernel version from filename.
  (github issue #49 by Evgenii Terechkov @evgkrsk)
- [Core] Fix wrong regex quotation in default configuration file.
  (Debian Bug#844283 by Paul Wise pabs@debian.org)
- [Core] Add display-manager 'lxdm' to override.
  (Debian Bug#845996 by Rodrigo Campos rodrigo@sdfg.com.ar)
- [Interp] Make paths when searching source files relative to the root path of the process.
  (github issue #54 by Tomasz Kontusz @ktosiek)