#4682 closed task (fixed)
dbus-1.12.20
Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | high | Milestone: | 10.0 |
Component: | Book | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description
New security release. "Upgrading is recommended".
dbus is the reference implementation of D-Bus, a message bus for communication between applications and system services.

This is a stable-branch release, including a fix that addresses a security vulnerability (on systems that are arguably misconfigured). Upgrading is recommended.

<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.20.tar.gz>
<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.20.tar.gz.asc>
git tag: dbus-1.12.20

The “temporary nemesis” release.

Maybe security fixes:

• On Unix, avoid a use-after-free if two usernames have the same numeric uid. In older versions this could lead to a crash (denial of service) or other undefined behaviour, possibly including incorrect authorization decisions if <policy group=...> is used. Like Unix filesystems, D-Bus' model of identity cannot distinguish between users of different names with the same numeric uid, so this configuration is not advisable on systems where D-Bus will be used. Thanks to Daniel Onaca. (dbus#305, dbus!166; Simon McVittie)

Other fixes:

• On Solaris and its derivatives, if a cmsg header is truncated, ensure that we do not overrun the buffer used for fd-passing, even if the kernel tells us to. (dbus#304, dbus!165; Andy Fiddaman)

-- Simon McVittie, Collabora Ltd. / Debian on behalf of the dbus maintainers
We're waiting on changes by Thomas in BLFS (he's gone until Sunday Evening) for elogind systems. I don't feel comfortable doing this update until after he returns.
I'll get this done Sunday night.
Change History (5)
comment:1 by , 4 years ago
comment:2 by , 4 years ago
Since changes are needed for BLFS ticket #13748, I guess it'll be updated there too, so for keeping lfs in sync, I'd suggest updating it (when Thomas is back).
comment:3 by , 4 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
As LFS doesn't use users with same UID I think we can wait. (Is there anyone really using this stupid "feature"?)