Opened 8 years ago
Last modified 8 years ago
#3993 closed enhancement
dbus-1.10.12 — at Version 1
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | high | Milestone: | 8.0 |
Component: | Book | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description (last modified by )
New point version.
Security fixes: • Do not treat ActivationFailure message received from root-owned systemd name as a format string. In principle this is a security vulnerability, but we do not believe it is exploitable in practice, because only privileged processes can own the org.freedesktop.systemd1 bus name, and systemd does not appear to send activation failures that contain "%". Please note that this probably *was* exploitable in dbus versions older than 1.6.30, 1.8.16 and 1.9.10 due to a missing check which at the time was only thought to be a denial of service vulnerability (CVE-2015-0245). If you are still running one of those versions, patch or upgrade immediately. (fd.o #98157, Simon McVittie)
Change History (1)
comment:1 by , 8 years ago
Description: | modified (diff) |
---|---|
Priority: | normal → high |
Type: | task → enhancement |
Note:
See TracTickets
for help on using tickets.
It has come to my attention through the BLFS ticket #8424 that there is a security flaw in the versions before.