| | 2 | |
| | 3 | {{{ |
| | 4 | D-Bus 1.8.12 (2014-11-24) |
| | 5 | == |
| | 6 | |
| | 7 | The “days of fuchsia passed” release. |
| | 8 | |
| | 9 | Fixes: |
| | 10 | |
| | 11 | • '''Partially revert the CVE-2014-3639 patch''' by increasing the default |
| | 12 | authentication timeout on the system bus from 5 seconds back to 30 |
| | 13 | seconds, since this has been reported to cause boot regressions for |
| | 14 | some users, mostly with parallel boot ('''systemd''') on slower hardware. |
| | 15 | |
| | 16 | On fast systems where local users are considered particularly hostile, |
| | 17 | administrators can return to the 5 second timeout (or any other value |
| | 18 | in milliseconds) by saving this as /etc/dbus-1/system-local.conf: |
| | 19 | |
| | 20 | <busconfig> |
| | 21 | <limit name="auth_timeout">5000</limit> |
| | 22 | </busconfig> |
| | 23 | |
| | 24 | (fd.o #86431, Simon McVittie) |
| | 25 | |
| | 26 | • '''Add a message in syslog/the Journal''' when the auth_timeout is exceeded |
| | 27 | (fd.o #86431, Simon McVittie) |
| | 28 | |
| | 29 | • Send back an AccessDenied error if the addressed recipient is not allowed |
| | 30 | to receive a message (and in builds with assertions enabled, don't |
| | 31 | assert under the same conditions). (fd.o #86194, Jacek Bukarewicz) |
| | 32 | |
| | 33 | D-Bus 1.8.10 (2014-11-10) |
| | 34 | == |
| | 35 | |
| | 36 | The “tenants with a leaking roof get priority” release. |
| | 37 | |
| | 38 | Security fixes: |
| | 39 | |
| | 40 | • Increase dbus-daemon's RLIMIT_NOFILE rlimit to 65536 |
| | 41 | so that CVE-2014-3636 part A cannot exhaust the system bus' |
| | 42 | file descriptors, completing the incomplete fix in 1.8.8. |
| | 43 | (CVE-2014-7824, fd.o #85105; Simon McVittie, Alban Crequy) |
| | 44 | }}} |
