Releases: liske/needrestart
3.11
Changes
- [CONT] allow to ignore containers by name
(github issue #260 by Arnaud Rebillout @elboulangero)
- [Kernel] allow glob customization for find kernel image files
(github issue #297 by @tblancher)
Fixes
- [core] fix warnings if no cgroup could be determined
(github issue #339 by Aristarkh Zagorodnikov @onyxmaster)
3.10
Changes
- [core] add override for systemd-nspawn (Debian Bug #1101553)
(Debian Bug#1101553 by Raphaël Halimi)
- [core] add another pattern to ignore java native access
(github issue #267 by @rdemongeot)
Fixes
- [core] unbreak systemd-user w/ dash
(Debian Bug#1101551 by Raphaël Halimi)
(github pull request #338 by Ivan Shapovalov @intelfx)
- [metrics] fix undefined values warning if no expected ucode version is available
3.9
Features
- [CONT] Detect systemd-nspawn and add a fallback module.
(github pull request #302 by Ivan Shapovalov @intelfx)
- [Core] Add option '-x' to skip user interaction when no process is
selected for restart by default.
(github pull request #336 by @larsen0815)
Changes
- [Core] Add default override for qrtr-ns / rmtfs.
(github pull request #332 by Arnaud Ferraris @a-wai)
- [Core] Add override for bacula.
(Debian Bug#1017417 by Carsten Leonhardt)
- [Core] Add override for lxc.
(Debian Bug#1030843 by Richard Hector)
- [Core] Add override for xrdp.
(Debian Bug#1042008 by Andrew Chadwick)
- [Core] Print executable in verbose mode.
(github issue #277 by Paul Wise @pabs3)
- [Core] Better systemd --user integration.
(github pull request #301 by Ivan Shapovalov @intelfx)
- [Core] Ignore /memfd: binaries.
(github issue #283 by @flisk)
(github issue #287 by @moerkey)
- [Docs] Update kernel naming in config example for RPi2/3.
(github pull request #330 by @Popkornium18)
- [Docs] Document -b a little more.
(github pull request #333 by @flisk)
- [L10N] Add zh-TW Traditional Chinese locale.
(github pull request #320 by Peter Dave Hello @PeterDaveHello)
Fixes
- [Core] Fix regression of false positives for processes running in
chroot or mountns (#317).
(github issue #317 by Ivan Kurnosov @zerkms)
- [Core] Fix typos.
(github pull request #335 by Viktor Szépe @szepeviktor)
- [Docs] Fix missing escapes in markdown files.
(github issue #312 by Mikko Rantalainen @mikkorantalainen)
- [Interp] Fix source file scanning for processes in another mountns.
(github pull request #327 by Corey Hickey @bugfood)
- [uCode] Do not print undef values in batch mode.
(github issue #322 by @guruguruguru)
3.8
Security
- [Core] CVE-2024-48991: Prevent race condition on /proc/$PID/exec evaluation.
(responsibly reported by Qualys)
- [Interp] CVE-2024-11003: Drop usage of Module::ScanDeps to prevent LPE.
(responsibly reported by Qualys)
- [Interp] CVE-2024-48990: Do not set PYTHONPATH environment variable to prevent a LPE.
(responsibly reported by Qualys)
- [Interp] CVE-2024-48992: Do not set RUBYLIB environment variable to prevent a LPE.
(responsibly reported by Qualys)
Features
Changes
- [Core] Refactor device number comparison to be independent of leading zeros.
(closes #286)
- [Interp] Enable ruby check for versioned ruby binary names.
(suggested by Qualys)
- [Interp] Chdir into empty directory to prevent python parsing arbitrary files.
(motivated by Qualys)
Fixes
- [VM] Fix spelling mistake.
(github pull request #309 by @fritz-fritz)
- [Core] Make OpenMetrics output prometheus compatible.
(github pull request #311 by Gabriel Filion @lelutin)
- [uCode] Fix error handling logic being dependent on debug level.
(github pull request #313 by Aristarkh Zagorodnikov @onyxmaster)
- [Core] Fix "Use of uninitialized value $sdev in right bitshift".
(github pull request #314 by Aristarkh Zagorodnikov @onyxmaster)
This release contains some critical security fixes in the interpreter module.
While the default configuration was vulnerable, it is possible to mitigate
the issues by disabling the interpreter heuristic: $nrconf{interpscan} = 0;
All CVEs received a CVSS score of:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]
Qualys Security Advisory:
https://www.qualys.com/2024/11/19/needrestart/needrestart.txt
Many thanks to the Qualys Security Advisory team and Mark Esler from the
Ubuntu Security Team for the responsible disclosure, reviewing patches and
coordinating the disclosure of these security issues.
3.7
Features
- [Interp] Add optional persistent cache support for perl scanning.
(github pull request #282 by Jean-Marc Saffroy @saffroy)
- [Core] Add OpenMetrics time series output.
(github pull request #308 by Gabriel Filion @lelutin)
Changes
- [Core] Replace 'which' by 'command -v'.
(github pull request #254 by @a1346054)
- [Core] Ignore USBGuard.
(github pull request #257 by Christoph Anton Mitterer @calestyo)
- [Core] Do not ignore dhclient but prevent restart ifup automatically.
(github pull request #262 by @anarcat)
- [Core] Add greetd to the list of restart exclusions.
(github pull request #266 by Iván Zaera @ivan-zaera)
- [Core] Support dbus replacements.
(github pull request #276 by @Vladimir-csp)
- [Core] Apply override_rc deterministically.
(github pull request #280 by Corey Hickey @bugfood)
- [uCode] Test vendor id before check for Intel ucode.
(github pull request #284 by FRITZ|FRITZ @fritz-fritz)
- [uCode] Fix AMD ucode checking in non-debug mode.
(github pull request #288 by @anarcat)
- [uCode] Mark unavailable ucode as CURRENT.
(github pull request #290 by @anarcat)
- [Kernel] Increase read size for version strings.
(github pull request #293 by @jaycci)
- [README] Add RPi5 details.
(github pull request #298 by @Opa-)
- [README] Add RPi1 details.
(github pull request #304 by @juadde)
- [uCode] Add an option to print uCode hints w/o acknowledgement.
(github pull request #307 by Adam @adsr)
Fixes
- [README] Prevent shell expansion in example.
(github pull request #252 by David Taylor @dtaylor84)
- [Core] Fix VM detection regression introduced in f54d85c.
(github pull request #248 by @zxyrepf)
- [uCode] Fix uninitialized value regression.
(github pull request #273 by Stefan Bühler @stbuehler)
- [uCode] Fix AMD uCode check in non-debug mode.
(github pull request #278 by Jan-Philipp Litza @jplitza)
- [CONT] Fix always ignoring lxc/lxd instances.
(github issue #245 by Mitsuya Shibata @m-shibata)
- [Core] Fix shellcheck issues.
(github issue #300 by Eisuke Kawashima @e-kwsm)
- [Kernel] Fix kernel version detection for kernel images >= 6.0.
(github issue #245 by Stefan Bühler @tik-stbuehler)
v3.6
Security
- [Interp] CVE-2022-30688: Anchor interpreter regex to prevent local privilege escalation.
(responsibly reported by Jakub Wilk)
DSA 5137-1 | USN-5426-1
Features
- [Core] Add support for runit.
(Debian Bug#972685 by Lorenzo Puliti)
- [VM] Add support to detect outdated VM processes (i.e. qemu).
(github pull request #216 by Christian Ehrhardt @cpaelzer)
Changes
- [Cont] Improve LXD container support.
(github pull request #188 by James TD Smith @ahktenzero)
- [Cont] Update cgroup regex for LXC 4.0.
(github pull request #215 by James TD Smith @ahktenzero)
- [Cont] Support cgroup v2 for docker.
(github pull request #234 by Markus Frosch @lazyfrosch)
- [Cont] Support cgroup v2 for LXC/LXD.
(github pull request #238 by Trent Lloyd @lathiat)
- [Core] Support cgroup v2 for services and user sessions.
- [Core] Support systemd manager restart on Ubuntu 20.04+.
(github pull request #195 by Lars Kollstedt @LarsKollstedt)
- [Core] Do not restart bluetooth.service by default.
(github pull request #209 by Erik Tews @eriktews)
- [Core] Do not restart elogind by default.
(github issue #205 by @HumanG33k)
- [Core] Output user sessions in batch mode.
(github pull request #232 by @anarcat)
- [Core] Use ImVirt for virtualization detection if not running on systemd.
(Debian Bug#984789 by Patrik Schindler)
- [Interp] Add tolerance when checking script file ctimes to avoid false positives.
(github pull request #233 by Corey Hickey @bugfood)
- [Kernel] Replace strings(1) by GNU grep to drop binutils dependency.
(Debian Bug#986507 by Trent W. Buck)
Fixes
- [Core] Fix comment for default value of 'skip_mapfiles'.
(github pull request #179 by @iasdeoupxe)
- [Interp] Fix detection for ruby script started from relative paths.
(github pull request #182 by Alexander Neumann @rtpt-alex)
- [Core] Fix typos.
(github pull request #189 by @wwuck)
(github pull request #193 by Stefan Weil @stweil)
- [Core] Fix verbose/verbosity confusion in needrestart.conf.
(github pull request #197 by Jan-Philipp Litza @jplitza)
- [Core] Ignore memfd files like used by nvidia's binary drivers.
(github pull request #200 by Jan Visser @starquake)
- [Core] Ignore all memfd mappings.
(Debian Bug#972685 by Michail Bachmann)
- [Core] Ignore Java Native Access mappings.
(github issue #142 by @nirgal)
(github issue #185 by Ivan Zaera @izaera)
- [Core] nagios: Do not print perfdata data in unknown state.
(github pull request #222 by Lorenz @RincewindsHat)
- [uCode] Fix 'uninitialized value' on AMD.
(github pull request #226 by Christian Garbs @mmitch)
Misc
- Minor cleanups (whitespaces, shellcheck, ...).
(github pull request #217 by @a1346054)
- Update README.batch.md.
(github pull request #219 by Stavros Ntentos @stdedos)
- Add icinga2 example config.
(github pull request #223 by Lorenz @RincewindsHat)
- [uCode] Fix lsinitrd example.
(github pull request #240 by Corey Hickey @bugfood)
Full Changelog: v3.5...v3.6
3.5
Features
- [uCode] Check for pending AMD microcode updates (experimental).
(Debian Bug#886611 by Paul Wise)
(github issue #150 by Tom Reynolds @tomreyn and Mark Wagie @yochananmarqos)
Changes
- [Core] Add network.service to blacklist.
(github pull request #145 by Marc Dequènes (Duck) @duck-rh)
- [uCode] Check microcode revision of each individual CPUs.
- [Kernel] Support kernel image filename filtering required for Raspbian.
(github issue #146 by @takichikawa)
(github issue #155 by Fenhl @fenhl and Christian @git-developer)
- [uCode] Support local override for iucode_tool call.
(github issue #148 by @mphilipps and Marc Dequènes (Duck) @duck-rh)
- [notify] Add app name to notify-send call.
(github issue #76 by @Vladimir-csp)
Fixes
- [Core] Do not restart networking.service.
(Debian Bug#922725 by Timo Sigurdsson).
- [Core] Fix typo in man page for env variable DEBIAN_FRONT(END).
(Debian Bug#922864 by Lee Garrett)
(Debian Bug#923853 by Petter Reinholdtsen)
- [Interp] Restore cwd when skipping processes with unavailable cwd.
(github issue #147 by Stavros Ntentos @stdedos)
- [Core] Remove leading zero before testing in map_files.
(Debian Bug#928225 by Alexander Galanin)
- [Core] Fix typos in ex/needrestart.conf.
(github pull request #163 by Simon Brand @brandsimon)
- [UI] Don't fail when terminal has zero columns width.
(github pull request #167 by @libnoon)
- [Core] Ignore mapped files not found on filesystem (stat) to suppress
chroot false positives.
(github issue #158 by @mphilipps)
(github issue #152 by Ivan Kurnosov @zerkms and @djl)
- [Core] Suppress warnings from Proc::ProcessTable.
(github issue #170 by @mphilipps)
- [CONT] Fix docker detection on CentOS 7.
(github issue #165 by Christian Ruppert @idl0r)
- [notify] Fix notify-send not working with dbus-user-session.
(github issue #76 by @Vladimir-csp)
- [Core] Ignore mapped files in temporary directories.
(Debian Bug#925408 by Donald Pellegrino)
3.4
Changes:
Features:
- [L10n] Add Czech localization.
(github pull request #131 by @p-bo)
(github pull request #132 by @p-bo)
(github pull request #133 by @p-bo)
- [Core] Add FRR to override.
(github pull request #138 by David Lamparter @eqvinox)
- [Core] Detect if run inside a container or vm using systemd.
(github issue #139 by Tobby @tobby88)
- [Core] Skip needrestart in apt hook if system is shutting down.
(Debian Bug#914753 by Balint Reczey)
Changes:
- [Core] Do restart systemd-journald (again).
(see also Debian Bug#771122, #771254 and #898818)
(Debian Bug#898818 by Mathieu Parent)
Fixes:
- [uCode] Ignore broken microcode files (required for CentOS).
(github issue #123 by Marc Dequènes (Duck) @duck-rh)
- [uCode] Parse output of old iucode-tool 1.5.
(github pull request #127 by Lutz Heermann @LuHee)
- [uCode] Prevent microcode false positives for BIOS updates.
(Debian Bug#906958 by Maik Zumstrull)
- [uCode] Handle microcode updates for multiple CPUs in initramfs.
(Debian Bug#907372 by Paul Wise)
- [Core] Ignore temporary mappings of elasticsearch.
(github issue #134 by Georg @teadur)
- [Core] Do not restart oneshot services from systemd-cron.
(Debian Bug#917073 by Antti Salmela)
3.3
ChangeLog
Fixes:
- [Core] Configuration file is ignored.
(Debian Bug#901999 by Andreas Schmidt)
(Debian Bug#902031 by Axel Beckert)
(Debian Bug#902049 by Jon)
(github issue #121 by Sven Hartge @shartge)
- [Interp] Suppress uninitialized value if abs_path fails.
(github issue #120 by Craig Andrews @candrews)
3.2
ChangeLog
Changes:
- [Kernel] Include /boot/kernel* while looking for linux
kernel images (required for Gentoo)
(Gentoo Bug 654958 by Klaus Ethgen)
(github pull request #113 by Craig Andrews @candrews)
- [Core] Do not restart ModemManager by default.
(github pull request #119 by @bodqhrohro)
Fixes:
- [UI] Do not call GetTerminalSize if STDOUT is not a tty.
(github pull request #110 by Michael Scherer @mscherer)
- [uCode] Filter microcode for CPU signature and flags.
(github issue #112 by @mgondium)
(Debian Bug#900298 by Francois Mescam)
- [uCode] Assigning ucodehints a false value disables ucode
checks.
(github issue #115 by Johannes Kampmeyer @xschlef)
- [Hooks] Ignore non-executable init scripts.
(github issue #116 by Marc Dequènes (Duck) @duck-rh)
- [L10n] Fix typo in Russian localization.
(github pull request #118 by @bodqhrohro)
- [UI] Do not leak fd into restarted services.
(Debian Bug#893152 by Stephen Rothwell)