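tmpfiles.d/systemd.conf in systemd before 229 uses weak permissions for /var/log/journal/%m/system.journal (%m is the tmpfiles.d specifier for the machine ID), which allows local users to obtain sensitive information by reading the file. The system journal collects log messages from across the system, so the exposure covers whatever services have logged there. On a host that ran an affected version, check the mode, ownership and ACLs of the existing journal file as well as the installed package version.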
{ "availability": "No subscription required", "ubuntu_priority": "low", "binaries": [ { "libsystemd-dev-dbgsym": "229-4ubuntu1", "libsystemd0": "229-4ubuntu1", "udev": "229-4ubuntu1", "systemd-coredump": "229-4ubuntu1", "libudev-dev-dbgsym": "229-4ubuntu1", "systemd-dbg": "229-4ubuntu1", "libnss-resolve": "229-4ubuntu1", "systemd-container-dbgsym": "229-4ubuntu1", "systemd-container": "229-4ubuntu1", "systemd-sysv": "229-4ubuntu1", "libudev-dev": "229-4ubuntu1", "libnss-myhostname": "229-4ubuntu1", "libnss-resolve-dbgsym": "229-4ubuntu1", "udev-udeb-dbgsym": "229-4ubuntu1", "systemd-sysv-dbgsym": "229-4ubuntu1", "systemd-dbgsym": "229-4ubuntu1", "systemd-coredump-dbgsym": "229-4ubuntu1", "libnss-mymachines-dbgsym": "229-4ubuntu1", "systemd-journal-remote-dbgsym": "229-4ubuntu1", "libpam-systemd": "229-4ubuntu1", "libsystemd-dev": "229-4ubuntu1", "libudev1-udeb": "229-4ubuntu1", "libudev1-udeb-dbgsym": "229-4ubuntu1", "systemd-journal-remote": "229-4ubuntu1", "libudev1-dbgsym": "229-4ubuntu1", "libnss-myhostname-dbgsym": "229-4ubuntu1", "udev-dbgsym": "229-4ubuntu1", "udev-udeb": "229-4ubuntu1", "libpam-systemd-dbgsym": "229-4ubuntu1", "libudev1": "229-4ubuntu1", "libnss-mymachines": "229-4ubuntu1", "libsystemd0-dbgsym": "229-4ubuntu1", "systemd": "229-4ubuntu1" } ] }