List:       freedesktop-dbus
Subject:    Announcing dbus 1.12.16 security update
From:       Simon McVittie <smcv () collabora ! com>
Date:       2019-06-11 15:04:25
Message-ID: 20190611150425.GA18155 () espresso ! pseudorandom ! co ! uk

dbus is the reference implementation of D-Bus, a message bus for
communication between applications and system services.

This is a stable-branch security fix release. Upgrading is recommended,
unless you are following the older security-fix-only stable branch 1.10.x.

<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.16.tar.gz>
<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.16.tar.gz.asc>
git tag: dbus-1.12.16

The "tree cat" release.

Security fixes:

• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
  authentication for identities that differ from the user running the
  DBusServer. Previously, a local attacker could manipulate symbolic
  links in their own home directory to bypass authentication and connect
  to a DBusServer with elevated privileges. The standard system and
  session dbus-daemons in their default configuration were immune to this
  attack because they did not allow DBUS_COOKIE_SHA1, but third-party
  users of DBusServer such as Upstart could be vulnerable.
  Thanks to Joe Vennix of Apple Information Security.
  (dbus#269, Simon McVittie)

-- 
Simon McVittie, Collabora Ltd. / Debian
on behalf of the dbus maintainers
_______________________________________________
dbus mailing list
dbus@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dbus
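The announcement above says the standard dbus-daemons were immune because their default configuration did not allow DBUS_COOKIE_SHA1. The following Python check is an added example, not part of the original message or of the dbus project's code; it reports whether a given dbus-daemon configuration file would permit that mechanism. The sample configurations are constructed, the function names are hypothetical, and files pulled in through `<include>` or `<includedir>` are not followed.

```python
import xml.etree.ElementTree as ET

COOKIE = "DBUS_COOKIE_SHA1"
DOCTYPE = ('<!DOCTYPE busconfig PUBLIC '
           '"-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN" '
           '"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">\n')

# Constructed sample configurations (not copied from any real system).
RESTRICTED = DOCTYPE + """<busconfig>
  <type>system</type>
  <auth>EXTERNAL</auth>
</busconfig>"""
EXPLICIT = DOCTYPE + """<busconfig>
  <listen>tcp:host=localhost,port=0</listen>
  <auth>EXTERNAL</auth>
  <auth>DBUS_COOKIE_SHA1</auth>
</busconfig>"""
UNRESTRICTED = DOCTYPE + """<busconfig>
  <type>session</type>
</busconfig>"""


def allowed_mechanisms(config_xml):
    """Return the mechanisms listed in <auth> elements, or None if there is
    no <auth> element, in which case dbus-daemon allows every mechanism."""
    root = ET.fromstring(config_xml)
    mechs = {(elem.text or "").strip() for elem in root.iter("auth")}
    mechs.discard("")
    return mechs or None


def cookie_sha1_status(config_xml):
    """Classify one configuration file with respect to DBUS_COOKIE_SHA1."""
    mechs = allowed_mechanisms(config_xml)
    if mechs is None:
        return "allowed-by-default"      # no <auth> restriction at all
    if COOKIE in mechs:
        return "allowed-explicitly"      # multiple <auth> elements are additive
    return "not-allowed"


if __name__ == "__main__":
    for name, text in [("restricted", RESTRICTED), ("explicit", EXPLICIT),
                       ("unrestricted", UNRESTRICTED)]:
        print(f"{name}: {cookie_sha1_status(text)}")
```

Third-party DBusServer users such as Upstart choose their mechanisms in code rather than in a bus configuration file, so this check covers only dbus-daemon instances.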