From Secunia security advisory at $URL:
The weakness is caused due to the systemd-logind component insecurely creating an X11 session file (/run/user/<username>/X11/display) and can be exploited to create a symlink inside arbitrary directories.
The weakness is reported in versions prior to 39.
Update to version 39 or later.
I see two solutions here. Either:
a) mask older systemd versions (=> all systemd versions in tree will be hard-masked for one reason or other),
b) backport a patch.
Could you point to a specific commit in systemd git?
From Novell's bug tracker (https://bugzilla.novell.com/show_bug.cgi?id=747154):
(In reply to comment #1)
> Could you point to a specific commit in systemd git?
Btw, this issue is fixed in systemd-39.
I guess you can backport it in our ~arch version.
Ah, it's in logind. I guess that would make only our -37 & -38 vulnerable.
Will it be enough to drop the offending versions?
Great, thank you. Closing noglsa.