id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
4682	dbus-1.12.20	Douglas R. Reno	Douglas R. Reno	"New security release. ""Upgrading is recommended"".

{{{


dbus is the reference implementation of D-Bus, a message bus for
communication between applications and system services.

This is a stable-branch release, including a fix that addresses
a security vulnerability (on systems that are arguably misconfigured).
Upgrading is recommended.

<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.20.tar.gz>
<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.20.tar.gz.asc>
git tag: dbus-1.12.20

The “temporary nemesis” release.

Maybe security fixes:

• On Unix, avoid a use-after-free if two usernames have the same
  numeric uid. In older versions this could lead to a crash (denial of
  service) or other undefined behaviour, possibly including incorrect
  authorization decisions if <policy group=...> is used.
  Like Unix filesystems, D-Bus' model of identity cannot distinguish
  between users of different names with the same numeric uid, so this
  configuration is not advisable on systems where D-Bus will be used.
  Thanks to Daniel Onaca.
  (dbus#305, dbus!166; Simon McVittie)

Other fixes:

• On Solaris and its derivatives, if a cmsg header is truncated, ensure
  that we do not overrun the buffer used for fd-passing, even if the
  kernel tells us to.
  (dbus#304, dbus!165; Andy Fiddaman)

-- 
Simon McVittie, Collabora Ltd. / Debian
on behalf of the dbus maintainers
_______________________________________________
dbus mailing list
dbus@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dbus
}}}

We're waiting on changes by Thomas in BLFS (he's gone until Sunday Evening) for elogind systems. I don't feel comfortable doing this update until after he returns.

I'll get this done Sunday night."	task	closed	high	10.0	Book	SVN	normal	fixed