Greetings Mark, greetings.
Mark Hindley - 10.05.26, 17:05:02 CEST:
> On Fri, May 08, 2026 at 01:38:59PM +0100, Mark Hindley wrote:
> > I have managed to remove or disable all of the new additions,
> > specifically nss-elogind, nss-userdb and varlinkctl. As far as I can
> > see the only real addition is sd-varlink(3) which is now part of the
> > libsystemd0 257 API (hence the API bump you originally noticed).
>
> Having looked further, I would prefer that we could have noop stubs for
> sd-varlink and sd-json: https://github.com/elogind/elogind/issues/345
I did not yet take time to respond further to your very nice explanation
on "elogind, seatd and alternatives" – thank you for it!
However, given that I can get away with replacing libsystemd0 with
libelogind0 on my server VMs as well and then enjoy some nice fixing of
vulnerabilities, I tend to agree. I did not know I could do this before I
read your explanation.
-----------------------------------------------------------------------
*** Fixed vulnerabilities
CVE-2026-29111 <https://security-tracker.debian.org/tracker/CVE-2026-29111>
- libsystemd0
CVE-2026-40225 <https://security-tracker.debian.org/tracker/CVE-2026-40225>
- libsystemd0
CVE-2026-40226 <https://security-tracker.debian.org/tracker/CVE-2026-40226>
- libsystemd0
CVE-2026-40228 <https://security-tracker.debian.org/tracker/CVE-2026-40228>
- libsystemd0
CVE-2026-4105 <https://security-tracker.debian.org/tracker/CVE-2026-4105>
- libsystemd0
-----------------------------------------------------------------------
(Debsecan output from one server)
Less code - less opportunity for security issues.
I am not sure whether someone looked whether some of these CVEs also apply
to libelogind0. But the less stuff is in there, the less is the chance it
also has issues like these.
Best,
--
Martin