OBS-URL: https://build.opensuse.org/package/show/Base:System/dbus-1?expand=0&rev=218

2016-10-11 07:38:09 +00:00 · 2016-10-11 07:38:09 +00:00 · f6fdbb00fe
commit f6fdbb00fe
parent 1d9c0f2077
2 changed files with 52 additions and 0 deletions
--- a/dbus-1-x11.changes
+++ b/dbus-1-x11.changes
@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Tue Oct 11 07:33:15 UTC 2016 - fstrba@suse.com
+
+- Update to 1.10.12
+  * Security fixes:
+    + Do not treat ActivationFailure message received from
+      root-owned systemd name as a format string. In principle this
+      is a security vulnerability, but we do not believe it is
+      exploitable in practice, because only privileged processes can
+      own the org.freedesktop.systemd1 bus name, and systemd does
+      not appear to send activation failures that contain "%".
+      Please note that this probably *was* exploitable in dbus
+      versions older than 1.6.30, 1.8.16 and 1.9.10 due to a missing
+      check which at the time was only thought to be a denial of
+      service vulnerability (CVE-2015-0245). If you are still
+      running one of those versions, patch or upgrade immediately.
+      (fdo#98157, Simon McVittie)
+  * Other fixes:
+    + Harden dbus-daemon against malicious or incorrect
+      ActivationFailure messages by rejecting them if they do not
+      come from a privileged process, or if systemd activation is
+      not enabled (fdo#98157, Simon McVittie)
+    + Avoid undefined behaviour when setting reply serial number
+      without going via union DBusBasicValue (fdo#98035, Marc Mutz)
+    + autogen.sh: fail cleanly if autoconf fails (Simon McVittie)
+
 -------------------------------------------------------------------
 Tue Sep 13 14:40:21 UTC 2016 - mvidner@suse.com

--- a/dbus-1.changes
+++ b/dbus-1.changes
@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Tue Oct 11 07:33:15 UTC 2016 - fstrba@suse.com
+
+- Update to 1.10.12
+  * Security fixes:
+    + Do not treat ActivationFailure message received from
+      root-owned systemd name as a format string. In principle this
+      is a security vulnerability, but we do not believe it is
+      exploitable in practice, because only privileged processes can
+      own the org.freedesktop.systemd1 bus name, and systemd does
+      not appear to send activation failures that contain "%".
+      Please note that this probably *was* exploitable in dbus
+      versions older than 1.6.30, 1.8.16 and 1.9.10 due to a missing
+      check which at the time was only thought to be a denial of
+      service vulnerability (CVE-2015-0245). If you are still
+      running one of those versions, patch or upgrade immediately.
+      (fdo#98157, Simon McVittie)
+  * Other fixes:
+    + Harden dbus-daemon against malicious or incorrect
+      ActivationFailure messages by rejecting them if they do not
+      come from a privileged process, or if systemd activation is
+      not enabled (fdo#98157, Simon McVittie)
+    + Avoid undefined behaviour when setting reply serial number
+      without going via union DBusBasicValue (fdo#98035, Marc Mutz)
+    + autogen.sh: fail cleanly if autoconf fails (Simon McVittie)
+
 -------------------------------------------------------------------
 Tue Sep 13 14:40:21 UTC 2016 - mvidner@suse.com