|Reported by:||Douglas R. Reno||Owned by:||Douglas R. Reno|
Description (last modified by )
New security release. "Upgrading is recommended".
dbus is the reference implementation of D-Bus, a message bus for communication between applications and system services. This is a stable-branch release, including a fix that addresses a security vulnerability (on systems that are arguably misconfigured). Upgrading is recommended. <http://dbus.freedesktop.org/releases/dbus/dbus-1.12.20.tar.gz> <http://dbus.freedesktop.org/releases/dbus/dbus-1.12.20.tar.gz.asc> git tag: dbus-1.12.20 The “temporary nemesis” release. Maybe security fixes: • On Unix, avoid a use-after-free if two usernames have the same numeric uid. In older versions this could lead to a crash (denial of service) or other undefined behaviour, possibly including incorrect authorization decisions if <policy group=...> is used. Like Unix filesystems, D-Bus' model of identity cannot distinguish between users of different names with the same numeric uid, so this configuration is not advisable on systems where D-Bus will be used. Thanks to Daniel Onaca. (dbus#305, dbus!166; Simon McVittie) Other fixes: • On Solaris and its derivatives, if a cmsg header is truncated, ensure that we do not overrun the buffer used for fd-passing, even if the kernel tells us to. (dbus#304, dbus!165; Andy Fiddaman) -- Simon McVittie, Collabora Ltd. / Debian on behalf of the dbus maintainers _______________________________________________ dbus mailing list email@example.com https://lists.freedesktop.org/mailman/listinfo/dbus
We're waiting on changes by Thomas for ticket #13748 (he's gone until Sunday Evening) for elogind systems. I don't feel comfortable doing this update until after he returns.
I'll get this done Sunday night.