Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

libdbus-1-3-32bit-1.12.2-150400.18.8.1 RPM for x86_64

From OpenSuSE Leap 15.6 for x86_64

Name: libdbus-1-3-32bit Distribution: SUSE Linux Enterprise 15
Version: 1.12.2 Vendor: SUSE LLC <>
Release: 150400.18.8.1 Build date: Tue Jun 20 12:26:47 2023
Group: Development/Libraries/Other Build host: sheep57
Size: 380252 Source RPM: dbus-1-1.12.2-150400.18.8.1.src.rpm
Summary: Library package for D-Bus
D-Bus is a message bus system, a simple way for applications to talk to
one another. D-Bus supplies both a system daemon and a
per-user-login-session daemon. Also, the message bus is built on top of
a general one-to-one message passing framework, which can be used by
any two apps to communicate directly (without going through the message
bus daemon).




GPL-2.0-or-later OR AFL-2.1


* Mon Jun 19 2023
  - Sometimes unprivileged users were able to crash dbus-daemon
    (CVE-2023-34969, bsc#1212126)
    * fix-upstream-CVE-2023-34969.patch
* Thu Oct 13 2022
  - Fix a potential crash that could be triggered by an invalid signature.
    (CVE-2022-42010, bsc#1204111)
    * fix-upstream-CVE-2022-42010.patch
  - Fix an out of bounds read caused by a fixed length array (CVE-2022-42011,
    * fix-upstream-CVE-2022-42011.patch
  - A message in non-native endianness with out-of-band Unix file descriptors
    would cause a use-after-free and possible memory corruption CVE-2022-42012,
    * fix-upstream-CVE-2022-42012.patch
  - Disable asserts (bsc#1087072)
  - Refreshed patches
    * fix-upstream-CVE-2020-35512.patch
* Wed Jan 05 2022
  - Remove pointless %%post scriptlet leveraging non-existent systemd env
    FIRST_ARG has been used in our systemd macros, but this has now been gone for
    years. Thus the true branch of the if has never been executed for years and is
    only causing warnings when installing dbus.
* Thu Jul 15 2021
  - Add missing patch for CVE-2020-12049
    * fix-upstream-CVE-2020-12049_2.patch
* Mon Jul 12 2021
  - Fix CVE-2020-12049 truncated messages lead to resource exhaustion
    (CVE-2020-12049, bsc#1172505)
    * fix-upstream-CVE-2020-12049.patch
  - Rebased fix-CVE-2019-12749.patch
* Fri Jun 25 2021
  - Fix CVE-2020-35512 - shared UID's caused issues (CVE-2020-35512 bsc#1187105)
    * fix-upstream-userdb-constpointer.patch
    * fix-upstream-CVE-2020-35512.patch
* Thu Jun 13 2019
  - Fix CVE-2019-12749 Authentication bypass (CVE-2019-12749 bsc#1137832)
    * added fix-CVE-2019-12749.patch
* Tue Jan 15 2019
  - Make libdbus-1-3 own the %{_datadir}/dbus-1/system.d directory
* Mon Jan 14 2019
  - Use %license instead of %doc [bsc#1082318]
* Wed Dec 19 2018
  - Avoid bashisms in scriptlets.
* Tue Nov 20 2018
  - Avoid ugly error message from %pre(install) script when installing
    for the first time.
* Thu Mar 08 2018
  - Don't spit out a warning if /usr/bin/dbus-daemon does not exist
    when we run the pre-script.
* Mon Dec 11 2017
  - Swap a missed libdir to libexecdir
* Sun Dec 10 2017
  - Do not hide errors during useradd.
* Thu Nov 23 2017
  - Fix dbus-daemon-launch-helper to use proper ref to libexecdir
* Wed Nov 22 2017
  - use %{_libexecdir}/dbus-1 as libexecdir
* Thu Nov 16 2017
  - Update to 1.12.2
    • Eavesdropping is officially deprecated in favour of BecomeMonitor.
    See the release notes for spec version 0.31 (in dbus 1.11.14).
    • [Unix] Flag files in /var/run/console/${username} are deprecated.
    See the release notes for 1.11.18.
    New APIs:
    • <allow> and <deny> rules in dbus-daemon configuration can now
    include send_broadcast="true", send_broadcast="false",
    max_unix_fds="N", min_unix_fds="N" (for some integer N).
    See the release notes for 1.11.18.
    • dbus_try_get_local_machine_id() is like
    dbus_get_local_machine_id(), but returns a DBusError.
    • New APIs around DBusMessageIter to simplify cleanup.
    See the release notes for 1.11.16.
    • The message bus daemon now implements the standard Introspectable,
    Peer and Properties interfaces. See the release notes for
    dbus 1.11.14 and spec version 0.31.
    • DTDs for introspection XML and bus configuration are installed.
    • [Unix] A new unix:dir=… address family resembles unix:tmpdir=… but
    never uses Linux abstract sockets, which is advantageous for
    containers. On non-Linux it is equivalent to unix:tmpdir=….
    See the release notes for dbus 1.11.14 and spec version 0.31.
    • [Unix] New option "dbus-launch --exit-with-x11".
    • [Unix] Session managers can create transient .service files in
    $XDG_RUNTIME_DIR/dbus-1/services. See the release notes for 1.11.12.
    • [Unix] A sysusers.d snippet can create the messagebus user on-demand.
    Miscellaneous behaviour changes:
    • [Unix] The session bus now logs to syslog if it was started by
    • [Unix] Internal warnings are logged to syslog if configured.
    • [Unix] Exceeding an anti-DoS limit is logged to syslog if configured,
    or to stderr.
  - Enabled "make check test suite"
  - Patches removed, fixed upstream
    * fix-upstream-drop-install-sections-from-user-services.patch
    * fix-upstream-increase-backlog.patch
    * fix-upstream-timeout-reset-1.patch
    * fix-upstream-timeout-reset-2.patch
* Mon Sep 11 2017
  - boo#1027201 dbus-daemon not found
  - boo#978477 systemd reseting under heavy load
    * fix-upstream-timeout-reset-1.patch
    * fix-upstream-timeout-reset-2.patch
* Mon Aug 28 2017
  - boo#1027200 don't generate machine-id in %post systemd will do it
    on first boot.
  - swap usage of /bin/false to /usr/bin/false
  - Use libexecdir=%{_libdir}/dbus-1 rather then /lib/dbus-1
* Fri Jul 07 2017
  - No need to set --libdir anymore now that prefix is /usr/bin,
    * fixes boo#1047532
  - No need to set --bindir, bindir in dbus-1-x11 was incorrect
  - Other fixes required to properly change prefix
  - Don't pass --with-initscripts we don't use them anymore.
* Fri Jun 30 2017
  - Update to 1.10.20
    * Fixes:
      + Fix a reference leak when blocking on a pending call on a
      connection that has been disconnected (fdo#101481, Shin-ichi
      + Don't put timestamps in the Doxygen-generated documentation,
      for closer-to-reproducible builds (fdo#100692, Simon
      + Avoid an assertion failure when connecting to a
      semicolon-separated series of addresses, one of which fails
      (fdo#101257, Simon McVittie)
    * Documentation:
      + Update git URIs in HACKING document to sync up with (fdo#100715, Simon McVittie)
* Tue Jun 13 2017
  - swap to /usr/bin bsc#1029968
  - Add the following fixes from SLE12
    * bsc#980928 increase listen() backlog of AF_UNIX sockets to
      SOMAXCONN fix-upstream-increase-backlog.patch
  - The following bugs were already fixed but are missing changelog
    * bsc#867256 (No longer applicable)
    * bsc#916785 (No longer applicable)
    * bsc#1012564 (Not applicable)
    * fdo#90004 (Fixed Upstream)
  - Rename the following patches as a tidy up
    * dbus-log-deny.patch to feature-suse-log-deny.patch
    * dbus-do-autolaunch.patch feature-suse-do-autolaunch.patch
    * 0001-Add-RefuseManualStartStop.patch to
    * 0001-Drop-Install-sections-from-user-services.patch to
* Fri Apr 07 2017
  - Update to 1.10.18
    * Fixes
      + Re-order dbus-daemon startup so that on SELinux systems, the
      thread that reads AVC notifications retains the ability to
      write to the audit log (fdo#92832, Debian #857660; Laurent
      + Fix a harmless read overflow and some memory leaks in a unit
      test (fdo#100568, Philip Withnall)
* Wed Mar 01 2017
  - Update to 1.10.16
    * Prevent symlink attacks in the nonce-tcp transport on Unix that could
    allow an attacker to overwrite a file named "nonce", in a directory
    that the user running dbus-daemon can write, with a random value
    known only to the user running dbus-daemon. This is unlikely to be
    exploitable in practice, particularly since the nonce-tcp transport
    is really only useful on Windows.
    (fd.o #99828, Simon McVittie) (bsc#1025950)
    * Avoid symlink attacks in the "embedded tests", which are not enabled
    by default and should never be enabled in production builds of dbus.
    (fd.o #99828, Simon McVittie) (bsc#1025951)
    * Work around an undesired effect of the fix for CVE-2014-3637
    (fd.o #80559), in which processes that frequently send fds, such as
    logind during a flood of new PAM sessions, can get disconnected for
    continuously having at least one fd "in flight" for too long;
    dbus-daemon interprets that as a potential denial of service attack.
    The workaround is to disable that check for uid 0 process such as
    logind, with a message in the system log. The bug remains open while
    we look for a more general solution.
    (fd.o #95263, LP#1591411; Simon McVittie)
    * Don't run the test if X11 autolaunching
    was disabled at compile time. That test is not expected to work
    in that configuration. (fd.o #98665, Simon McVittie)
    * Do the Travis-CI build in Docker containers for Ubuntu LTS, Debian
    stable and Debian testing in addition to the older Ubuntu that is
    the default (fd.o #98889, Simon McVittie)
* Thu Feb 02 2017
  - A note for scripts bsc#974092 (remove sysvinit script) is already
    fixed here.
* Wed Jan 25 2017
  - Don't restart dbus on upgrade - Includes temporary work around
    for last version boo#1020301
  - Add 0001-Add-RefuseManualStartStop.patch don't allow users to Manually
    start or stop dbus.
* Mon Jan 09 2017
  - Add systemd unit files to start session bus via systemd
  - Added patch:
    * 0001-Drop-Install-sections-from-user-services.patch
      + remove install section from socket unit because it does not
      need to be enabled explicitly (see fdo#92402)
* Fri Dec 09 2016
  - Requires systemd >= 209 and drop the compatibility pkg-config
    names that don't exist in newer systemd
* Thu Dec 08 2016
  - Drop useless --with-pic which is only for static libs
  - Abort installation when user/group creation fails
  - Avoid calling %service_* more than once
* Tue Dec 06 2016
  - Build the dbus-1 package without X in the dbus-1.spec
  - Move the dbus-launch.nox11 to the dbus-1 package and install
    it by default
  - Build devel-doc package in dbus-1.spec and don't build any
    documentation in dbus-1-x11
  - Make dbus-1-x11 package contains only the X11-enabled dbus-launch
  - Fix some rpmlint warnings
  - Delete the file, since maintaining it is
    more complicated then keeping in sync a dbus-1-x11.spec file of
    less then 120 lines
* Mon Nov 21 2016
  - Create new subpackage: dbus-1-nox11
    - contains dbus-launch without x11 support
  - Rename dbus-launch to dbus-launch.x11
  - use update-alternatives to switch between dbus-launch with and
    without X11
  - Solves [bnc#934214]
* Tue Oct 11 2016
  - Update to 1.10.12
    * Security fixes:
      + Do not treat ActivationFailure message received from
      root-owned systemd name as a format string. In principle this
      is a security vulnerability, but we do not believe it is
      exploitable in practice, because only privileged processes can
      own the org.freedesktop.systemd1 bus name, and systemd does
      not appear to send activation failures that contain "%".
      Please note that this probably *was* exploitable in dbus
      versions older than 1.6.30, 1.8.16 and 1.9.10 due to a missing
      check which at the time was only thought to be a denial of
      service vulnerability (CVE-2015-0245). If you are still
      running one of those versions, patch or upgrade immediately.
      (fdo#98157, bsc#1003898, Simon McVittie)
    * Other fixes:
      + Harden dbus-daemon against malicious or incorrect
      ActivationFailure messages by rejecting them if they do not
      come from a privileged process, or if systemd activation is
      not enabled (fdo#98157, Simon McVittie)
      + Avoid undefined behaviour when setting reply serial number
      without going via union DBusBasicValue (fdo#98035, Marc Mutz)
      + fail cleanly if autoconf fails (Simon McVittie)
* Tue Sep 13 2016
  - Moved dbus-run-session from dbus-1-x11 to dbus-1 (bdo#836296)
* Mon Aug 22 2016
  - Update to 1.10.10
    * Fixes:
      + On Linux, when dbus-daemon is run with reduced susceptibility
      to the OOM killer (typically via systemd), do not let child
      processes inherit that setting (fdo#32851;
      Kimmo Hämäläinen, WaLyong Cho)
      + Output valid shell syntax in ~/.dbus/session-bus/ if the bus
      address contains a semicolon (fdo#94746, Thiago Macieira)
      + Fix memory leaks and thread safety in subprocess starting on
      Windows (fdo#95191, Ralf Habacker)
      + Do not require systemd to have a service file if using it for
      activation (fdo#93194; Simon McVittie; backport from 1.11.0)
      + Stop test-dbus-daemon incorrectly failing on platforms that
      cannot discover the process ID of clients (fdo#96653,
      Руслан Ижбулатов)
      + In tests that exercise correct handling of crashing D-Bus
      services, suppress Windows crash handler (fdo#95155;
      Yiyang Fei, Ralf Habacker)
      + Explicitly check for stdint.h (Ioan-Adrian Ratiu)
      + update-activation-environment: produce better diagnostics on
      error (fdo#96653, Simon McVittie)
      + Don't fail the build with an unused const variable warning
      under gcc 6 (fdo#97282; Thomas Zimmermann, Simon McVittie)
      + Merge dbus-1.10-ci branch, containing backports from 1.11.0
      in build/test code to support continuous integration
      (fdo#93194, Simon McVittie)
    - Avoid -Wunused-label when compiling with libselinux but no
    - In development builds, allow OOM tests to be disabled as
    - Accept and ignore the --tap argument in all "embedded
      tests", and run all automated tests with that argument for
      better diagnostics
    - Fix the systemd activation test under CMake by installing
      the required files
    - In Automake, fix shell syntax for installcheck-local with
      no DESTDIR
    - In Automake, don't try to run manual tests in installcheck
    - In CMake, don't run manual-tcp test as an automated test
    - Add build machinery
* Mon Mar 14 2016
  - Update to 1.10.8
    * Fixes:
      + Enable "large file support" on systems where it exists:
      dbus-daemon is not expected to open large files, but it might
      need to stat files that happen to have large inode numbers
      (fdo#93545, Hongxu Jia)
      + Eliminate padding inside DBusMessageIter on 64-bit platforms,
      which might result in a pedantic C compiler not copying the
      entire contents of a DBusMessageIter; statically assert that
      this is not an ABI change in practice (fdo#94136, Simon
      + Document dbus-test-tool echo --sleep-ms=N instead of
      incorrect --sleep=N (fdo#94244, Dmitri Iouchtchenko)
      + Correctly report test failures in C tests from
      (fdo#93379; amit tewari, Simon McVittie)
      + When tests are enabled, run all the marshal-validate tests,
      not just the even-numbered ones (fdo#93908, Nick Lewycky)
      + Correct the expected error from one marshal-validate test,
      which was previously not run due to the above bug(fdo#93908,
      Simon McVittie)
* Thu Dec 03 2015
  - Update to 1.10.6
    * Fixes:
    - On Unix when running tests as root, don't assert that root
      and the dbus-daemon user can still call
      UpdateActivationEnvironment; assert that those privileged
      users can call BecomeMonitor instead (fdo#93036, Simon
    - On Windows, fix a memory leak in the autolaunch transport
      (fdo#92899, Simon McVittie)
    - On Windows Autotools builds, don't run tests that rely on
      dbus-run-session and other Unix-specifics (fdo#92899, Simon
* Thu Nov 26 2015
  - Update to 1.10.4
    * Changes between 1.10.2 and 1.10.4
    - Enhancements:
      + GetConnectionCredentials, GetConnectionUnixUser and
      GetConnectionUnixProcessID with argument
      "org.freedesktop.DBus" will now return details of the
      dbus-daemon itself. This is required to be able to call
      SetEnvironment on systemd. (fdo#92857, Jan Alexander
    - Fixes:
      + Make UpdateActivationEnvironment always fail with
      AccessDenied  on the system bus. Previously, it was
      possible to configure it so root could call it, but the
      environment variables were not actually used, because the
      launch helper would discard them. (fdo#92857, Jan Alexander
      + On Unix with --systemd-activation on a user bus, make
      UpdateActivationEnvironment pass on its arguments to
      systemd's SetEnvironment method, solving inconsistency
      between the environments used for traditional activation
      and systemd user-service activation. (fdo#92857, Jan
      Alexander Steffens)
      + On Windows, don't crash if <syslog/> or --syslog is used
      (fdo#92538, Ralf Habacker)
      + On Windows, fix a memory leak when setting a DBusError from
      a Windows error (fdo#92721, Ralf Habacker)
      + On Windows, don't go into infinite recursion if we abort the
      process with backtraces enabled (fdo#92721, Ralf Habacker)
      + Fix various failing tests, variously on Windows and
      . don't test system.conf features (users, groups) that only
      make sense on the system bus, which is not supported on
      . don't call _dbus_warn() when we skip a test, since it is
      . fix computation of expected <standard_session_servicedirs/>
      . when running TAP tests, translate newlines to Unix format,
      fixing cross-compiled tests under Wine on Linux
      . don't stress-test refcounting under Wine, where it's
      really slow
      . stop assuming that a message looped-back to the test will
      be received immediately
      . skip some system bus tests on Windows since they make no
      sense there (fdo#92538, fdo#92721; Ralf Habacker, Simon
    * Changes between 1.10.0 and 1.10.2
    - Fixes:
      + Correct error handling for activation: if there are multiple
      attempts to activate the same service and it fails
      immediately, the first attempt would get the correct reply,
      but the rest would time out. We now send the same error
      reply to each attempt. (fdo#92200, Simon McVittie)
      + If BecomeMonitor is called with a syntactically invalid
      match rule, don't crash with an assertion failure, fixing a
      regression in 1.9.10. This was not exploitable as a denial
      of service, because the check for a privileged user is done
      first. (fdo#92298, Simon McVittie)
      + On Linux with --enable-user-session, add the bus address to
      the environment of systemd services for better backwards
      compatibility (fdo#92612, Jan Alexander Steffens)
      + On Windows, fix the logic for replacing the installation
      prefix in service files' Exec lines (fdo#83539; Milan Crha,
      Simon McVittie)
      + On Windows, if installed in the conventional layout with
      ${prefix}/etc and ${prefix}/share, use relative paths
      between bus configuration files to allow the tree to be
      relocated (fdo#92028, Simon McVittie)
      + Make more of the regression tests pass in Windows builds
      (fdo#92538, Simon McVittie)
    * Summary of major changes since 1.8.0:
    - The basic setup for the well-known system and session buses is
      now done in read-only files in ${datadir} (normally /usr/share).
    - AppArmor integration has been merged, with features similar to
      the pre-existing SELinux integration. It is mostly compatible
      with the patches previously shipped by Ubuntu, with one
      significant change: Ubuntu's GetConnectionAppArmorSecurityContext
      method has been superseded by GetConnectionCredentials and was
      not included.
    - The --enable-user-session configure option can be enabled
      by OS integrators intending to use systemd to provide a
      session bus per user (in effect, treating all concurrent
      graphical and non-graphical login sessions as one large session).
    - The new listenable address mode "unix:runtime=yes" listens on
      $XDG_RUNTIME_DIR/bus, the same AF_UNIX socket used by the
      systemd user session. libdbus and "dbus-launch --autolaunch"
      will connect to this address by default. GLib >= 2.45.3 and
      sd-bus >= 209 have a matching default.
    - All executables are now dynamically linked to libdbus-1.
      Previously, some executables, most notably dbus-daemon, were
      statically linked to a specially-compiled variant of libdbus.
      This results in various private functions in the _dbus
      namespace being exposed by the shared library. These are not
      API, and must not be used outside the dbus source tree.
    - On platforms with ELF symbol versioning, all public symbols
      are versioned LIBDBUS_1_3.
    * New bus APIs:
    - org.freedesktop.DBus.GetConnectionCredentials returns
      LinuxSecurityLabel where supported
    - org.freedesktop.DBus.Monitoring interface (privileged)
      . BecomeMonitor method supersedes match rules with eavesdrop=true,
      which are now deprecated
    - org.freedesktop.DBus.Stats interface (semi-privileged)
      . now enabled by default
      . new GetAllMatchRules method
    - org.freedesktop.DBus.Verbose interface (not normally compiled)
      . toggles the effect of DBUS_VERBOSE
    * New executables:
    - dbus-test-tool
    - dbus-update-activation-environment
    * New optional dependencies:
    - The systemd: pseudo-transport requires libsystemd or libsd-daemon
    - Complete documentation requires Ducktype and yelp-tools
    - Full test coverage requires GLib 2.36 and PyGI
    - AppArmor integration requires libapparmor and optionally libaudit
    * Dependencies removed:
    - dbus-glib
* Tue Nov 17 2015
  - Update to 1.8.20:
    * Fixes:
    - Fix a memory leak when GetConnectionCredentials() succeeds
      (fdo#91008, Jacek Bukarewicz)
    - Ensure that dbus-monitor does not reply to messages intended
      for others (fdo#90952, Simon McVittie)
* Wed Sep 16 2015
  - Account for openSUSE:Leap in the conditional for chosing right
    local state directories (boo#941352)
* Wed May 27 2015
  - Move common-begin sections around to make pre_checkin work again
  - Unconditionally build with systemd features, there are no cycles
    now, systemd no longer buildrequires dbus-1-devel
* Mon May 18 2015
  - Update to 1.8.18:
    * Security hardening:
    - On Unix platforms, change the default configuration for the
      session bus to only allow EXTERNAL authentication (secure
      kernel-mediated credentials-passing), as was already done for
      the system bus.
      This avoids falling back to DBUS_COOKIE_SHA1, which relies on
      strongly unpredictable pseudo-random numbers; under certain
      circumstances (/dev/urandom unreadable or malloc() returns
      NULL), dbus could fall back to using rand(), which does not
      have the desired unpredictability. The fallback to rand() has
      not been changed in this stable-branch since the necessary
      code changes for correct error-handling are rather intrusive.
      If you are using D-Bus over the (unencrypted!) tcp: or
      nonce-tcp: transport, in conjunction with DBUS_COOKIE_SHA1
      and a shared home directory using NFS or similar, you will
      need to reconfigure the session bus to accept DBUS_COOKIE_SHA1
      by commenting out the <auth> element. This configuration is
      not recommended. (bsc#931066, fdo#90414, Simon McVittie)
    * Other fixes:
    - Add locking to DBusCounter's reference count and notify
      function (fdo#89297, Adrian Szyndela)
    - Ensure that DBusTransport's reference count is protected by
      the corresponding DBusConnection's lock (fdo#90312,
      Adrian Szyndela)
    - On Windows, listen on the same port for IPv4 and IPv6
      (previously broken by an endianness mistake), and fix a
      failure to bind TCP sockets on approximately 1 attempt in 256
      (fdo#87999, Ralf Habacker)
    - Correctly release DBusServer mutex before early-return if we
      run out of memory while copying authentication mechanisms
      (fdo#90021, Ralf Habacker)
    - Correctly initialize all fields of DBusTypeReader (fdo#90021,
      Ralf Habacker, Simon McVittie)
    - Fix some missing \n in verbose (debug log) messages
      (fdo#90021, Ralf Habacker)
    - Clean up some memory leaks in test code (fdo#90021,
      Ralf Habacker)
* Thu Mar 26 2015
  - Sync changes from SLE12 conditionalized for suse_version <= 1315
* Mon Feb 09 2015
  - Update to 1.8.16:
    * Security fixes:
    - Do not allow non-uid-0 processes to send forged
      ActivationFailure messages. On Linux systems with systemd
      activation, this would allow a local denial of service:
      unprivileged processes could flood the bus with these forged
      messages, winning the race with the actual service activation
      and causing an error reply to be sent back when service
      auto-activation was requested. This does not prevent the real
      service from being started, so it only works while the real
      service is not running. (CVE-2015-0245, fdo#88811, bnc#916343;
      Simon McVittie)
    * Other fixes:
    - fix a Windows build failure (fdo#88009, Ralf Habacker)
    - on Windows, allow up to 8K connections to the dbus-daemon
      instead of the previous 64, completing a previous fix which
      only worked under Autotools (fdo#71297, Ralf Habacker)
* Tue Jan 06 2015
  - Update to 1.8.14
    * Security hardening:
    - Do not allow calls to UpdateActivationEnvironment from uids
      other than the uid of the dbus-daemon. If a system service
      installs unsafe security policy rules that allow arbitrary
      method calls (such as CVE-2014-8148) then this prevents
      memory consumption and possible privilege escalation via
      We believe that in practice, privilege escalation here is
      avoided by dbus-daemon-launch-helper sanitizing its
      environment; but it seems better to be safe.
    - Do not allow calls to UpdateActivationEnvironment or the
      Stats interface on object paths other than
      /org/freedesktop/DBus. Some system services install unsafe
      security policy rules that allow arbitrary method calls to
      any destination, method and interface with a specified object
      path; while less bad than allowing arbitrary method calls,
      these security policies are still harmful, since dbus-daemon
      normally offers the same API on all object paths and other
      system services might behave similarly.
    * Other fixes:
    - Add missing initialization so GetExtendedTcpTable doesn't
      crash on Windows Vista SP0 (fdo#77008, Ilya A. Tkachenko)
* Tue Nov 25 2014
  - Update to 1.8.12:
    * Fixes:
    - Partially revert the CVE-2014-3639 patch by increasing the
      default authentication timeout on the system bus from 5
      seconds back to 30 seconds, since this has been reported to
      cause boot regressions for some users, mostly with parallel
      boot (systemd) on slower hardware.
      On fast systems where local users are considered particularly
      hostile, administrators can return to the 5 second timeout
      (or any other value in milliseconds) by saving this as
      <limit name="auth_timeout">5000</limit>
      (fdo#86431, Simon McVittie)
    - Add a message in syslog/the Journal when the auth_timeout is
      exceeded (fdo#86431, Simon McVittie)
    - Send back an AccessDenied error if the addressed recipient is
      not allowed to receive a message (and in builds with
      assertions enabled, don't assert under the same conditions).
      (fdo#86194, Jacek Bukarewicz)
* Mon Nov 10 2014
  - Update to 1.8.10:
    * Security fixes:
    - Increase dbus-daemon's RLIMIT_NOFILE rlimit to 65536
      so that CVE-2014-3636 part A cannot exhaust the system bus'
      file descriptors, completing the incomplete fix in 1.8.8.
      (CVE-2014-7824, fdo#85105; Simon McVittie, Alban Crequy)



Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Jul 9 20:06:21 2024