Commit 9faacc93 authored by Simon McVittie's avatar Simon McVittie

New upstream release fixes several security issues

  - CVE-2014-3635: do not accept an extra fd in cmsg padding,
    avoiding a buffer overrun in dbus-daemon or system services
  - CVE-2014-3636: reduce maximum number of file descriptors
     per message from 1024 to 16, to avoid two separate denial-of-service
     attacks that could cause system services to be dropped from the bus
  - CVE-2014-3637: time out connections that have a
     partially-sent message containing a file descriptor, so that
     malicious processes cannot use self-referential file descriptors
     to make a connection that will never close
  - CVE-2014-3638: reduce maximum number of pending replies
    per connection to avoid algorithmic complexity DoS
  - CVE-2014-3639: reduce timeout for authentication and
    do not accept() new connections when all unauthenticated connection
    slots are in use, so that malicious processes cannot prevent new
    connections to the system bus
parent 29f7b361
dbus (1.8.6-3) UNRELEASED; urgency=medium
dbus (1.8.8-1) unstable; urgency=medium
[ Michael Biebl ]
* Don't attempt config reload if dbus system bus is not running.
......@@ -7,8 +7,24 @@ dbus (1.8.6-3) UNRELEASED; urgency=medium
* Bump dbus up to Priority: standard because without it, systemd-logind
does not run a getty on tty2..tty6 (matching ftp-master action in
#759293)
-- Michael Biebl <biebl@debian.org> Thu, 21 Aug 2014 05:56:30 +0200
* New upstream release fixes several security issues
- CVE-2014-3635: do not accept an extra fd in cmsg padding,
avoiding a buffer overrun in dbus-daemon or system services
- CVE-2014-3636: reduce maximum number of file descriptors
per message from 1024 to 16, to avoid two separate denial-of-service
attacks that could cause system services to be dropped from the bus
- CVE-2014-3637: time out connections that have a
partially-sent message containing a file descriptor, so that
malicious processes cannot use self-referential file descriptors
to make a connection that will never close
- CVE-2014-3638: reduce maximum number of pending replies
per connection to avoid algorithmic complexity DoS
- CVE-2014-3639: reduce timeout for authentication and
do not accept() new connections when all unauthenticated connection
slots are in use, so that malicious processes cannot prevent new
connections to the system bus
-- Simon McVittie <smcv@debian.org> Mon, 15 Sep 2014 12:58:25 +0100
dbus (1.8.6-2) unstable; urgency=medium
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment