From 6da1afda972b492e496ba688e965d8a027850c31 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 29 Sep 2025 13:33:01 +0200 Subject: [PATCH] systemd-257-15 Resolves: RHEL-112203,RHEL-113920,RHEL-114414 --- ...p-drop-RestrictSUIDSGID-option-38640.patch | 34 +++ ...ertion-of-padding-in-merged-sections.patch | 42 +++ ...nit.dependency_generation-counter-an.patch | 249 ++++++++++++++++++ ...IT_FOREACH_DEPENDENCY_SAFE-at-severa.patch | 72 +++++ systemd.spec | 12 +- 5 files changed, 408 insertions(+), 1 deletion(-) create mode 100644 0444-coredump-drop-RestrictSUIDSGID-option-38640.patch create mode 100644 0445-ukify-fix-insertion-of-padding-in-merged-sections.patch create mode 100644 0446-core-introduce-Unit.dependency_generation-counter-an.patch create mode 100644 0447-core-unit-use-UNIT_FOREACH_DEPENDENCY_SAFE-at-severa.patch diff --git a/0444-coredump-drop-RestrictSUIDSGID-option-38640.patch b/0444-coredump-drop-RestrictSUIDSGID-option-38640.patch new file mode 100644 index 0000000..bcf5823 --- /dev/null +++ b/0444-coredump-drop-RestrictSUIDSGID-option-38640.patch @@ -0,0 +1,34 @@ +From 764786b83c0729765ed529bf1169cf08fb2e9912 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 20 Aug 2025 12:42:30 +0200 +Subject: [PATCH] coredump: drop RestrictSUIDSGID= option (#38640) + +systemd-coredump sandbox already has ProtectSystem=strict hence all non +API filesystems are made read-only, thus RestrictSUIDSGID= doesn't buy +us much. + +On top of that systemd-coredump's EnterNamespace= feature requires +openat2() to work correctly and that is implicitly blocked by +RestrictSUIDSGID=. + +Follow-up for 8f8148cb08bf9f2c0e1f7fe6a5e6eb383115957b + +(cherry picked from commit fb56da5b6eb80f4400ea7241fa98d90d245d7fde) + +Resolves: RHEL-113920 +--- + units/systemd-coredump@.service.in | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in +index c74dc7a5a1..f492c826fe 100644 +--- a/units/systemd-coredump@.service.in ++++ b/units/systemd-coredump@.service.in +@@ -36,7 +36,6 @@ ProtectKernelLogs=yes + ProtectSystem=strict + RestrictAddressFamilies=AF_UNIX + RestrictRealtime=yes +-RestrictSUIDSGID=yes + RuntimeMaxSec=5min + StateDirectory=systemd/coredump + SystemCallArchitectures=native diff --git a/0445-ukify-fix-insertion-of-padding-in-merged-sections.patch b/0445-ukify-fix-insertion-of-padding-in-merged-sections.patch new file mode 100644 index 0000000..1d427c4 --- /dev/null +++ b/0445-ukify-fix-insertion-of-padding-in-merged-sections.patch @@ -0,0 +1,42 @@ +From f604524da21e84048887e36a9e910b25835cb17c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 19 Aug 2025 11:02:44 +0200 +Subject: [PATCH] ukify: fix insertion of padding in merged sections + +The padding was done to expand the new section contents to the expected size of +the new section. And this then would be used for the content in the existing +section. The new section cannot be larger than the old section, but it can be +smaller. If the new section was smaller, then we'd not write enough padding and +the output file would be corrupted. + +This was observed in CI when the .sbat section in the stub was padded to 1k. +The UKI with an .sbat section that was merged and was fairly short would hit +this scenario and be corrupted. + +(cherry picked from commit ec1d031f3de02f84beca89e2b402d085fba62be4) + +Resolves: RHEL-114414 +--- + src/ukify/ukify.py | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py +index a868a5b778..9205012567 100755 +--- a/src/ukify/ukify.py ++++ b/src/ukify/ukify.py +@@ -956,14 +956,13 @@ def pe_add_sections(uki: UKI, output: str) -> None: + if new_section.Misc_VirtualSize > s.SizeOfRawData: + raise PEError(f'Not enough space in existing section {section.name} to append new data.') + +- padding = bytes(new_section.SizeOfRawData - new_section.Misc_VirtualSize) ++ padding = bytes(s.SizeOfRawData - new_section.Misc_VirtualSize) + pe.__data__ = ( + pe.__data__[: s.PointerToRawData] + + data + + padding + + pe.__data__[pe.sections[i + 1].PointerToRawData :] + ) +- s.SizeOfRawData = new_section.SizeOfRawData + s.Misc_VirtualSize = new_section.Misc_VirtualSize + break + else: diff --git a/0446-core-introduce-Unit.dependency_generation-counter-an.patch b/0446-core-introduce-Unit.dependency_generation-counter-an.patch new file mode 100644 index 0000000..3709251 --- /dev/null +++ b/0446-core-introduce-Unit.dependency_generation-counter-an.patch @@ -0,0 +1,249 @@ +From 9a97574845363386036c9f8bc83b271e80844999 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 15 May 2025 12:34:35 +0900 +Subject: [PATCH] core: introduce Unit.dependency_generation counter and + restart loop when dependency is updated in the loop + +When starting unit A, a dependent unit B may be loaded if it is not +loaded yet, and the dependencies in unit A may be updated. +As Hashmap does not allow a new entry to be added in a loop, we need to +restart loop in such case. + +Fixes a bug introduced by cda667722c2218cf1a0185284d2a87f8a25f1b2d. +Fixes #36031. + +(cherry picked from commit b7777d08846033859c5b734317fbbbfcca4cafcb) + +Resolves: RHEL-112203 +--- + src/core/transaction.c | 18 +++++++++--------- + src/core/unit.c | 10 ++++++++++ + src/core/unit.h | 31 ++++++++++++++++++++++++++----- + 3 files changed, 45 insertions(+), 14 deletions(-) + +diff --git a/src/core/transaction.c b/src/core/transaction.c +index bec96a67af..705ed0c50f 100644 +--- a/src/core/transaction.c ++++ b/src/core/transaction.c +@@ -894,7 +894,7 @@ void transaction_add_propagate_reload_jobs( + assert(tr); + assert(unit); + +- UNIT_FOREACH_DEPENDENCY(dep, unit, UNIT_ATOM_PROPAGATES_RELOAD_TO) { ++ UNIT_FOREACH_DEPENDENCY_SAFE(dep, unit, UNIT_ATOM_PROPAGATES_RELOAD_TO) { + _cleanup_(sd_bus_error_free) sd_bus_error e = SD_BUS_ERROR_NULL; + + nt = job_type_collapse(JOB_TRY_RELOAD, dep); +@@ -1043,7 +1043,7 @@ int transaction_add_job_and_dependencies( + + /* Finally, recursively add in all dependencies. */ + if (IN_SET(type, JOB_START, JOB_RESTART)) { +- UNIT_FOREACH_DEPENDENCY(dep, ret->unit, UNIT_ATOM_PULL_IN_START) { ++ UNIT_FOREACH_DEPENDENCY_SAFE(dep, ret->unit, UNIT_ATOM_PULL_IN_START) { + r = transaction_add_job_and_dependencies(tr, JOB_START, dep, ret, TRANSACTION_MATTERS | (flags & TRANSACTION_IGNORE_ORDER), e); + if (r < 0) { + if (r != -EBADR) /* job type not applicable */ +@@ -1053,7 +1053,7 @@ int transaction_add_job_and_dependencies( + } + } + +- UNIT_FOREACH_DEPENDENCY(dep, ret->unit, UNIT_ATOM_PULL_IN_START_IGNORED) { ++ UNIT_FOREACH_DEPENDENCY_SAFE(dep, ret->unit, UNIT_ATOM_PULL_IN_START_IGNORED) { + r = transaction_add_job_and_dependencies(tr, JOB_START, dep, ret, flags & TRANSACTION_IGNORE_ORDER, e); + if (r < 0) { + /* unit masked, job type not applicable and unit not found are not considered +@@ -1066,7 +1066,7 @@ int transaction_add_job_and_dependencies( + } + } + +- UNIT_FOREACH_DEPENDENCY(dep, ret->unit, UNIT_ATOM_PULL_IN_VERIFY) { ++ UNIT_FOREACH_DEPENDENCY_SAFE(dep, ret->unit, UNIT_ATOM_PULL_IN_VERIFY) { + r = transaction_add_job_and_dependencies(tr, JOB_VERIFY_ACTIVE, dep, ret, TRANSACTION_MATTERS | (flags & TRANSACTION_IGNORE_ORDER), e); + if (r < 0) { + if (r != -EBADR) /* job type not applicable */ +@@ -1076,7 +1076,7 @@ int transaction_add_job_and_dependencies( + } + } + +- UNIT_FOREACH_DEPENDENCY(dep, ret->unit, UNIT_ATOM_PULL_IN_STOP) { ++ UNIT_FOREACH_DEPENDENCY_SAFE(dep, ret->unit, UNIT_ATOM_PULL_IN_STOP) { + r = transaction_add_job_and_dependencies(tr, JOB_STOP, dep, ret, TRANSACTION_MATTERS | TRANSACTION_CONFLICTS | (flags & TRANSACTION_IGNORE_ORDER), e); + if (r < 0) { + if (r != -EBADR) /* job type not applicable */ +@@ -1086,7 +1086,7 @@ int transaction_add_job_and_dependencies( + } + } + +- UNIT_FOREACH_DEPENDENCY(dep, ret->unit, UNIT_ATOM_PULL_IN_STOP_IGNORED) { ++ UNIT_FOREACH_DEPENDENCY_SAFE(dep, ret->unit, UNIT_ATOM_PULL_IN_STOP_IGNORED) { + r = transaction_add_job_and_dependencies(tr, JOB_STOP, dep, ret, flags & TRANSACTION_IGNORE_ORDER, e); + if (r < 0) { + log_unit_warning(dep, +@@ -1100,7 +1100,7 @@ int transaction_add_job_and_dependencies( + if (IN_SET(type, JOB_RESTART, JOB_STOP) || (type == JOB_START && FLAGS_SET(flags, TRANSACTION_PROPAGATE_START_AS_RESTART))) { + bool is_stop = type == JOB_STOP; + +- UNIT_FOREACH_DEPENDENCY(dep, ret->unit, UNIT_ATOM_PROPAGATE_STOP) { ++ UNIT_FOREACH_DEPENDENCY_SAFE(dep, ret->unit, UNIT_ATOM_PROPAGATE_STOP) { + /* We propagate RESTART only as TRY_RESTART, in order not to start dependencies that + * are not around. */ + JobType nt; +@@ -1122,7 +1122,7 @@ int transaction_add_job_and_dependencies( + * all other dependencies are processed, i.e. we're the anchor job or already in the recursion + * that handles it. */ + if (!by || FLAGS_SET(flags, TRANSACTION_PROCESS_PROPAGATE_STOP_GRACEFUL)) +- UNIT_FOREACH_DEPENDENCY(dep, ret->unit, UNIT_ATOM_PROPAGATE_STOP_GRACEFUL) { ++ UNIT_FOREACH_DEPENDENCY_SAFE(dep, ret->unit, UNIT_ATOM_PROPAGATE_STOP_GRACEFUL) { + JobType nt; + Job *j; + +@@ -1220,7 +1220,7 @@ int transaction_add_triggering_jobs(Transaction *tr, Unit *u) { + assert(tr); + assert(u); + +- UNIT_FOREACH_DEPENDENCY(trigger, u, UNIT_ATOM_TRIGGERED_BY) { ++ UNIT_FOREACH_DEPENDENCY_SAFE(trigger, u, UNIT_ATOM_TRIGGERED_BY) { + _cleanup_(sd_bus_error_free) sd_bus_error e = SD_BUS_ERROR_NULL; + + /* No need to stop inactive jobs */ +diff --git a/src/core/unit.c b/src/core/unit.c +index d36f860de9..631fa2f198 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -636,12 +636,14 @@ static void unit_clear_dependencies(Unit *u) { + hashmap_remove(other_deps, u); + + unit_add_to_gc_queue(other); ++ other->dependency_generation++; + } + + hashmap_free(deps); + } + + u->dependencies = hashmap_free(u->dependencies); ++ u->dependency_generation++; + } + + static void unit_remove_transient(Unit *u) { +@@ -1092,6 +1094,9 @@ static void unit_merge_dependencies(Unit *u, Unit *other) { + } + + other->dependencies = hashmap_free(other->dependencies); ++ ++ u->dependency_generation++; ++ other->dependency_generation++; + } + + int unit_merge(Unit *u, Unit *other) { +@@ -3114,6 +3119,7 @@ static int unit_add_dependency_impl( + return r; + + flags = NOTIFY_DEPENDENCY_UPDATE_FROM; ++ u->dependency_generation++; + } + + if (other_info.data != other_info_old.data) { +@@ -3130,6 +3136,7 @@ static int unit_add_dependency_impl( + } + + flags |= NOTIFY_DEPENDENCY_UPDATE_TO; ++ other->dependency_generation++; + } + + return flags; +@@ -5565,6 +5572,9 @@ void unit_remove_dependencies(Unit *u, UnitDependencyMask mask) { + /* The unit 'other' may not be wanted by the unit 'u'. */ + unit_submit_to_stop_when_unneeded_queue(other); + ++ u->dependency_generation++; ++ other->dependency_generation++; ++ + done = false; + break; + } +diff --git a/src/core/unit.h b/src/core/unit.h +index d24658ed9b..b6f47c76d6 100644 +--- a/src/core/unit.h ++++ b/src/core/unit.h +@@ -227,6 +227,7 @@ typedef struct Unit { + * and whose value encodes why the dependency exists, using the UnitDependencyInfo type. i.e. a + * Hashmap(UnitDependency → Hashmap(Unit* → UnitDependencyInfo)) */ + Hashmap *dependencies; ++ uint64_t dependency_generation; + + /* Similar, for RequiresMountsFor= and WantsMountsFor= path dependencies. The key is the path, the + * value the UnitDependencyInfo type */ +@@ -1154,27 +1155,44 @@ CollectMode collect_mode_from_string(const char *s) _pure_; + typedef struct UnitForEachDependencyData { + /* Stores state for the FOREACH macro below for iterating through all deps that have any of the + * specified dependency atom bits set */ ++ const Unit *unit; + UnitDependencyAtom match_atom; + Hashmap *by_type, *by_unit; + void *current_type; + Iterator by_type_iterator, by_unit_iterator; + Unit **current_unit; ++ uint64_t generation; ++ unsigned n_restart; ++ bool restart_on_generation_change; + } UnitForEachDependencyData; + ++/* Let's not restart the loop infinitely. */ ++#define MAX_FOREACH_DEPENDENCY_RESTART 100000 ++ + /* Iterates through all dependencies that have a specific atom in the dependency type set. This tries to be + * smart: if the atom is unique, we'll directly go to right entry. Otherwise we'll iterate through the + * per-dependency type hashmap and match all dep that have the right atom set. */ +-#define _UNIT_FOREACH_DEPENDENCY(other, u, ma, data) \ ++#define _UNIT_FOREACH_DEPENDENCY(other, u, ma, restart, data) \ + for (UnitForEachDependencyData data = { \ ++ .unit = (u), \ + .match_atom = (ma), \ +- .by_type = (u)->dependencies, \ +- .by_type_iterator = ITERATOR_FIRST, \ + .current_unit = &(other), \ ++ .restart_on_generation_change = (restart), \ + }; \ + ({ \ + UnitDependency _dt = _UNIT_DEPENDENCY_INVALID; \ + bool _found; \ + \ ++ if (data.generation == 0 || \ ++ (data.restart_on_generation_change && \ ++ data.generation != data.unit->dependency_generation)) { \ ++ data.generation = data.unit->dependency_generation; \ ++ data.by_type = data.unit->dependencies; \ ++ data.by_type_iterator = ITERATOR_FIRST; \ ++ assert_se(data.n_restart++ < MAX_FOREACH_DEPENDENCY_RESTART); \ ++ } else \ ++ assert(data.generation == data.unit->dependency_generation); \ ++ \ + if (data.by_type && ITERATOR_IS_FIRST(data.by_type_iterator)) { \ + _dt = unit_dependency_from_unique_atom(data.match_atom); \ + if (_dt >= 0) { \ +@@ -1187,12 +1205,13 @@ typedef struct UnitForEachDependencyData { + if (_dt < 0) \ + _found = hashmap_iterate(data.by_type, \ + &data.by_type_iterator, \ +- (void**)&(data.by_unit), \ ++ (void**) &(data.by_unit), \ + (const void**) &(data.current_type)); \ + _found; \ + }); ) \ + if ((unit_dependency_to_atom(UNIT_DEPENDENCY_FROM_PTR(data.current_type)) & data.match_atom) != 0) \ + for (data.by_unit_iterator = ITERATOR_FIRST; \ ++ data.generation == data.unit->dependency_generation && \ + hashmap_iterate(data.by_unit, \ + &data.by_unit_iterator, \ + NULL, \ +@@ -1200,7 +1219,9 @@ typedef struct UnitForEachDependencyData { + + /* Note: this matches deps that have *any* of the atoms specified in match_atom set */ + #define UNIT_FOREACH_DEPENDENCY(other, u, match_atom) \ +- _UNIT_FOREACH_DEPENDENCY(other, u, match_atom, UNIQ_T(data, UNIQ)) ++ _UNIT_FOREACH_DEPENDENCY(other, u, match_atom, false, UNIQ_T(data, UNIQ)) ++#define UNIT_FOREACH_DEPENDENCY_SAFE(other, u, match_atom) \ ++ _UNIT_FOREACH_DEPENDENCY(other, u, match_atom, true, UNIQ_T(data, UNIQ)) + + #define _LOG_CONTEXT_PUSH_UNIT(unit, u, c) \ + const Unit *u = (unit); \ diff --git a/0447-core-unit-use-UNIT_FOREACH_DEPENDENCY_SAFE-at-severa.patch b/0447-core-unit-use-UNIT_FOREACH_DEPENDENCY_SAFE-at-severa.patch new file mode 100644 index 0000000..23ecaec --- /dev/null +++ b/0447-core-unit-use-UNIT_FOREACH_DEPENDENCY_SAFE-at-severa.patch @@ -0,0 +1,72 @@ +From 41635f7ce09244e8311f31082df0b1b21d117c29 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 22 Aug 2025 02:06:43 +0900 +Subject: [PATCH] core/unit: use UNIT_FOREACH_DEPENDENCY_SAFE() at several more + places + +manager_add_job() -> transaction_add_job_and_dependencies() may update +dependencies when a unit is not loaded yet. Hence, we need to restart +dependency loop in that case. + +Follow-up for b7777d08846033859c5b734317fbbbfcca4cafcb (#37465). +Fixes #38676. + +(cherry picked from commit 64fc4917b9149ffe6defaf5ceaf3236324537a3f) + +Resolves: RHEL-112203 +--- + src/core/unit.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/core/unit.c b/src/core/unit.c +index 631fa2f198..01e4d3a64f 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -2219,17 +2219,17 @@ static void retroactively_start_dependencies(Unit *u) { + assert(u); + assert(UNIT_IS_ACTIVE_OR_ACTIVATING(unit_active_state(u))); + +- UNIT_FOREACH_DEPENDENCY(other, u, UNIT_ATOM_RETROACTIVE_START_REPLACE) /* Requires= + BindsTo= */ ++ UNIT_FOREACH_DEPENDENCY_SAFE(other, u, UNIT_ATOM_RETROACTIVE_START_REPLACE) /* Requires= + BindsTo= */ + if (!unit_has_dependency(u, UNIT_ATOM_AFTER, other) && + !UNIT_IS_ACTIVE_OR_ACTIVATING(unit_active_state(other))) + (void) manager_add_job(u->manager, JOB_START, other, JOB_REPLACE, /* error = */ NULL, /* ret = */ NULL); + +- UNIT_FOREACH_DEPENDENCY(other, u, UNIT_ATOM_RETROACTIVE_START_FAIL) /* Wants= */ ++ UNIT_FOREACH_DEPENDENCY_SAFE(other, u, UNIT_ATOM_RETROACTIVE_START_FAIL) /* Wants= */ + if (!unit_has_dependency(u, UNIT_ATOM_AFTER, other) && + !UNIT_IS_ACTIVE_OR_ACTIVATING(unit_active_state(other))) + (void) manager_add_job(u->manager, JOB_START, other, JOB_FAIL, /* error = */ NULL, /* ret = */ NULL); + +- UNIT_FOREACH_DEPENDENCY(other, u, UNIT_ATOM_RETROACTIVE_STOP_ON_START) /* Conflicts= (and inverse) */ ++ UNIT_FOREACH_DEPENDENCY_SAFE(other, u, UNIT_ATOM_RETROACTIVE_STOP_ON_START) /* Conflicts= (and inverse) */ + if (!UNIT_IS_INACTIVE_OR_DEACTIVATING(unit_active_state(other))) + (void) manager_add_job(u->manager, JOB_STOP, other, JOB_REPLACE, /* error = */ NULL, /* ret = */ NULL); + } +@@ -2241,7 +2241,7 @@ static void retroactively_stop_dependencies(Unit *u) { + assert(UNIT_IS_INACTIVE_OR_DEACTIVATING(unit_active_state(u))); + + /* Pull down units which are bound to us recursively if enabled */ +- UNIT_FOREACH_DEPENDENCY(other, u, UNIT_ATOM_RETROACTIVE_STOP_ON_STOP) /* BoundBy= */ ++ UNIT_FOREACH_DEPENDENCY_SAFE(other, u, UNIT_ATOM_RETROACTIVE_STOP_ON_STOP) /* BoundBy= */ + if (!UNIT_IS_INACTIVE_OR_DEACTIVATING(unit_active_state(other))) + (void) manager_add_job(u->manager, JOB_STOP, other, JOB_REPLACE, /* error = */ NULL, /* ret = */ NULL); + } +@@ -2268,7 +2268,7 @@ void unit_start_on_termination_deps(Unit *u, UnitDependencyAtom atom) { + assert(dependency_name); + + Unit *other; +- UNIT_FOREACH_DEPENDENCY(other, u, atom) { ++ UNIT_FOREACH_DEPENDENCY_SAFE(other, u, atom) { + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; + + if (n_jobs == 0) +@@ -2291,7 +2291,7 @@ void unit_trigger_notify(Unit *u) { + + assert(u); + +- UNIT_FOREACH_DEPENDENCY(other, u, UNIT_ATOM_TRIGGERED_BY) ++ UNIT_FOREACH_DEPENDENCY_SAFE(other, u, UNIT_ATOM_TRIGGERED_BY) + if (UNIT_VTABLE(other)->trigger_notify) + UNIT_VTABLE(other)->trigger_notify(other, u); + } diff --git a/systemd.spec b/systemd.spec index 3b4b7aa..03f21f7 100644 --- a/systemd.spec +++ b/systemd.spec @@ -48,7 +48,7 @@ Url: https://systemd.io # Allow users to specify the version and release when building the rpm by # setting the %%version_override and %%release_override macros. Version: %{?version_override}%{!?version_override:257} -Release: 14%{?dist} +Release: 15%{?dist} %global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?) @@ -553,6 +553,10 @@ Patch0440: 0440-TEST-17-drop-unnecessary-PATH-setting.patch Patch0441: 0441-chase-check-the-result-is-a-directory-or-regular-fil.patch Patch0442: 0442-bootctl-stop-printing-Stub-Boot-loader-set-partition.patch Patch0443: 0443-ukify-rstrip-and-escape-binary-null-characters-from-.patch +Patch0444: 0444-coredump-drop-RestrictSUIDSGID-option-38640.patch +Patch0445: 0445-ukify-fix-insertion-of-padding-in-merged-sections.patch +Patch0446: 0446-core-introduce-Unit.dependency_generation-counter-an.patch +Patch0447: 0447-core-unit-use-UNIT_FOREACH_DEPENDENCY_SAFE-at-severa.patch # Downstream-only patches (9000–9999) %endif @@ -1499,6 +1503,12 @@ rm -f .file-list-* rm -f %{name}.lang %changelog +* Mon Sep 29 2025 systemd maintenance team - 257-15 +- coredump: drop RestrictSUIDSGID= option (#38640) (RHEL-113920) +- ukify: fix insertion of padding in merged sections (RHEL-114414) +- core: introduce Unit.dependency_generation counter and restart loop when dependency is updated in the loop (RHEL-112203) +- core/unit: use UNIT_FOREACH_DEPENDENCY_SAFE() at several more places (RHEL-112203) + * Mon Sep 15 2025 systemd maintenance team - 257-14 - test: add test case for AddDependencyUnitFiles assert (RHEL-108257) - TEST-17: drop unnecessary $PATH setting (RHEL-108242)