Opened 8 years ago
Closed 8 years ago
#6502 closed enhancement (fixed)
|Reported by:||Fernando de Oliveira||Owned by:||Fernando de Oliveira|
The “unicorn rifts” release. This is a security-hardening and bugfix release for the current stable branch, 1.8.x. Please upgrade unless you have a reason to keep using an older branch. Security hardening: • On Unix platforms, change the default configuration for the session bus to only allow EXTERNAL authentication (secure kernel-mediated credentials-passing), as was already done for the system bus. This avoids falling back to DBUS_COOKIE_SHA1, which relies on strongly unpredictable pseudo-random numbers; under certain circumstances (/dev/urandom unreadable or malloc() returns NULL), dbus could fall back to using rand(), which does not have the desired unpredictability. The fallback to rand() has not been changed in this stable-branch since the necessary code changes for correct error-handling are rather intrusive. If you are using D-Bus over the (unencrypted!) tcp: or nonce-tcp: transport, in conjunction with DBUS_COOKIE_SHA1 and a shared home directory using NFS or similar, you will need to reconfigure the session bus to accept DBUS_COOKIE_SHA1 by commenting out the <auth> element. This configuration is not recommended. (fd.o #90414, Simon McVittie) Other fixes: • Add locking to DBusCounter's reference count and notify function (fd.o #89297, Adrian Szyndela) • Ensure that DBusTransport's reference count is protected by the corresponding DBusConnection's lock (fd.o #90312, Adrian Szyndela) • On Windows, listen on the same port for IPv4 and IPv6 (previously broken by an endianness mistake), and fix a failure to bind TCP sockets on approximately 1 attempt in 256 (fd.o #87999, Ralf Habacker) • Correctly release DBusServer mutex before early-return if we run out of memory while copying authentication mechanisms (fd.o #90021, Ralf Habacker) • Correctly initialize all fields of DBusTypeReader (fd.o #90021; Ralf Habacker, Simon McVittie) • Fix some missing \n in verbose (debug log) messages (fd.o #90021, Ralf Habacker) • Clean up some memory leaks in test code (fd.o #90021, Ralf Habacker) -- Simon McVittie, Collabora Ltd.
Change History (2)
comment:1 by , 8 years ago
|Status:||new → assigned|
comment:2 by , 8 years ago
|Status:||assigned → closed|
Note: See TracTickets for help on using tickets.
Fixed at r15976.