Opened 7 years ago

Closed 7 years ago

#6502 closed enhancement (fixed)

dbus-1.8.18

Reported by: Fernando de Oliveira Owned by: Fernando de Oliveira
Priority: normal Milestone: 7.8
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

http://dbus.freedesktop.org/releases/dbus/dbus-1.8.18.tar.gz

http://dbus.freedesktop.org/releases/dbus/dbus-1.8.18.tar.gz.asc

http://lists.freedesktop.org/archives/dbus/2015-May/016676.html

The “unicorn rifts” release.

This is a security-hardening and bugfix release for the current stable
branch, 1.8.x. Please upgrade unless you have a reason to keep using an
older branch.

Security hardening:

• On Unix platforms, change the default configuration for the session
  bus to only allow EXTERNAL authentication (secure kernel-mediated
  credentials-passing), as was already done for the system bus.

  This avoids falling back to DBUS_COOKIE_SHA1, which relies on strongly
  unpredictable pseudo-random numbers; under certain circumstances
  (/dev/urandom unreadable or malloc() returns NULL), dbus could
  fall back to using rand(), which does not have the desired
  unpredictability. The fallback to rand() has not been changed in this
  stable-branch since the necessary code changes for correct
  error-handling are rather intrusive.

  If you are using D-Bus over the (unencrypted!) tcp: or nonce-tcp:
  transport, in conjunction with DBUS_COOKIE_SHA1 and a shared home
  directory using NFS or similar, you will need to reconfigure the
  session bus to accept DBUS_COOKIE_SHA1 by commenting out the <auth>
  element. This configuration is not recommended.

  (fd.o #90414, Simon McVittie)

Other fixes:

• Add locking to DBusCounter's reference count and notify function
  (fd.o #89297, Adrian Szyndela)

• Ensure that DBusTransport's reference count is protected by the
  corresponding DBusConnection's lock (fd.o #90312, Adrian Szyndela)

• On Windows, listen on the same port for IPv4 and IPv6 (previously
  broken by an endianness mistake), and fix a failure to bind TCP
  sockets on approximately 1 attempt in 256 (fd.o #87999, Ralf Habacker)

• Correctly release DBusServer mutex before early-return if we run out
  of memory while copying authentication mechanisms (fd.o #90021,
  Ralf Habacker)

• Correctly initialize all fields of DBusTypeReader (fd.o #90021;
  Ralf Habacker, Simon McVittie)

• Fix some missing \n in verbose (debug log) messages (fd.o #90021,
  Ralf Habacker)

• Clean up some memory leaks in test code (fd.o #90021, Ralf Habacker)

-- 
Simon McVittie, Collabora Ltd.

Change History (2)

comment:1 by Fernando de Oliveira, 7 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: newassigned

comment:2 by Fernando de Oliveira, 7 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r15976.

Note: See TracTickets for help on using tickets.