New upstream release fixes several security issues

- CVE-2014-3635: do not accept an extra fd in cmsg padding, avoiding a buffer overrun in dbus-daemon or system services - CVE-2014-3636: reduce maximum number of file descriptors per message from 1024 to 16, to avoid two separate denial-of-service attacks that could cause system services to be dropped from the bus - CVE-2014-3637: time out connections that have a partially-sent message containing a file descriptor, so that malicious processes cannot use self-referential file descriptors to make a connection that will never close - CVE-2014-3638: reduce maximum number of pending replies per connection to avoid algorithmic complexity DoS - CVE-2014-3639: reduce timeout for authentication and do not accept() new connections when all unauthenticated connection slots are in use, so that malicious processes cannot prevent new connections to the system bus

New upstream release fixes several security issues
- CVE-2014-3635: do not accept an extra fd in cmsg padding, avoiding a buffer overrun in dbus-daemon or system services - CVE-2014-3636: reduce maximum number of file descriptors per message from 1024 to 16, to avoid two separate denial-of-service attacks that could cause system services to be dropped from the bus - CVE-2014-3637: time out connections that have a partially-sent message containing a file descriptor, so that malicious processes cannot use self-referential file descriptors to make a connection that will never close - CVE-2014-3638: reduce maximum number of pending replies per connection to avoid algorithmic complexity DoS - CVE-2014-3639: reduce timeout for authentication and do not accept() new connections when all unauthenticated connection slots are in use, so that malicious processes cannot prevent new connections to the system bus
9faacc93 · Simon McVittie · 29f7b361 · 9faacc93
Commit 9faacc93 authored Sep 15, 2014 by Simon McVittie
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 3 deletions

changelog debian/changelog +19 -3

No files found.
--- a/debian/changelog
+++ b/debian/changelog
-dbus (1.8.6-3) UNRELEASED; urgency=medium
+dbus (1.8.8-1) unstable; urgency=medium

  [ Michael Biebl ]
  * Don't attempt config reload if dbus system bus is not running.
@@ -7,8 +7,24 @@ dbus (1.8.6-3) UNRELEASED; urgency=medium
  * Bump dbus up to Priority: standard because without it, systemd-logind
    does not run a getty on tty2..tty6 (matching ftp-master action in
    #759293)
-
- -- Michael Biebl <biebl@debian.org>  Thu, 21 Aug 2014 05:56:30 +0200
+  * New upstream release fixes several security issues
+    - CVE-2014-3635: do not accept an extra fd in cmsg padding,
+      avoiding a buffer overrun in dbus-daemon or system services
+    - CVE-2014-3636: reduce maximum number of file descriptors
+       per message from 1024 to 16, to avoid two separate denial-of-service
+       attacks that could cause system services to be dropped from the bus
+    - CVE-2014-3637: time out connections that have a
+       partially-sent message containing a file descriptor, so that
+       malicious processes cannot use self-referential file descriptors
+       to make a connection that will never close
+    - CVE-2014-3638: reduce maximum number of pending replies
+      per connection to avoid algorithmic complexity DoS
+    - CVE-2014-3639: reduce timeout for authentication and
+      do not accept() new connections when all unauthenticated connection
+      slots are in use, so that malicious processes cannot prevent new
+      connections to the system bus
+
+ -- Simon McVittie <smcv@debian.org>  Mon, 15 Sep 2014 12:58:25 +0100

 dbus (1.8.6-2) unstable; urgency=medium