{{{
D-Bus 1.8.12 (2014-11-24)
==

The “days of fuchsia passed” release.

Fixes:

• '''Partially revert the CVE-2014-3639 patch''' by increasing the default
  authentication timeout on the system bus from 5 seconds back to 30
  seconds, since this has been reported to cause boot regressions for
  some users, mostly with parallel boot ('''systemd''') on slower hardware.

  On fast systems where local users are considered particularly hostile,
  administrators can return to the 5 second timeout (or any other value
  in milliseconds) by saving this as /etc/dbus-1/system-local.conf:

    <busconfig>
      <limit name="auth_timeout">5000</limit>
    </busconfig>

  (fd.o #86431, Simon McVittie)

• '''Add a message in syslog/the Journal''' when the auth_timeout is exceeded
  (fd.o #86431, Simon McVittie)

• Send back an AccessDenied error if the addressed recipient is not allowed
  to receive a message (and in builds with assertions enabled, don't
  assert under the same conditions). (fd.o #86194, Jacek Bukarewicz)

D-Bus 1.8.10 (2014-11-10)
==

The “tenants with a leaking roof get priority” release.

Security fixes:

• Increase dbus-daemon's RLIMIT_NOFILE rlimit to 65536
  so that CVE-2014-3636 part A cannot exhaust the system bus'
  file descriptors, completing the incomplete fix in 1.8.8.
  (CVE-2014-7824, fd.o #85105; Simon McVittie, Alban Crequy)
}}}
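One way to check which auth_timeout a set of bus configuration files yields after the system-local.conf override from the 1.8.12 notes, as an added example that is not part of the D-Bus release notes or source. It assumes the file contents are passed in the order the daemon reads them, that a later `<limit>` with the same name replaces an earlier one, and that 30000 ms applies when none is set; the function names and sample files are hypothetical.

```python
import xml.etree.ElementTree as ET

DEFAULT_AUTH_TIMEOUT_MS = 30000  # system bus default as of 1.8.12, per the notes
STRICT_AUTH_TIMEOUT_MS = 5000    # the 5 second value the notes allow restoring

# Constructed sample file contents (not copied from a real installation).
MAIN_CONF = """<busconfig>
  <type>system</type>
  <limit name="max_replies_per_connection">128</limit>
</busconfig>"""

LOCAL_CONF = """<busconfig>
  <limit name="auth_timeout">5000</limit>
</busconfig>"""


def effective_limit(config_texts, name="auth_timeout",
                    default=DEFAULT_AUTH_TIMEOUT_MS):
    """Return the value of limit `name` in milliseconds.

    Assumption: texts are given in read order and the last matching
    <limit> wins; `default` is used when no file sets the limit.
    """
    value = default
    for text in config_texts:
        root = ET.fromstring(text)
        if root.tag != "busconfig":
            raise ValueError("root element is not <busconfig>")
        for limit in root.iter("limit"):
            if limit.get("name") != name:
                continue
            raw = (limit.text or "").strip()
            # Reject empty, negative or non-numeric values instead of guessing.
            if not (raw.isascii() and raw.isdigit()):
                raise ValueError(f"{name}: not a non-negative integer: {raw!r}")
            value = int(raw)
    return value


def audit_auth_timeout(config_texts):
    """Return (milliseconds, is_strict); strict means at most 5000 ms."""
    ms = effective_limit(config_texts)
    return ms, ms <= STRICT_AUTH_TIMEOUT_MS


if __name__ == "__main__":
    print(audit_auth_timeout([MAIN_CONF]))
    print(audit_auth_timeout([MAIN_CONF, LOCAL_CONF]))
```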