| author | Simon McVittie <smcv@debian.org> | 2014-09-15 12:58:54 +0100 |
|---|---|---|
| committer | Simon McVittie <smcv@debian.org> | 2014-09-15 12:58:54 +0100 |
| commit | 9faacc93c86c27683e4659bdb06d150d79254f2b (patch) | |
| tree | 1f5f132051045470091c82e81b687b031e9f9150 | |
| parent | 29f7b36183ae21c9d9bdf95f277e14a5ae8af258 (diff) | |
| download | dbus-9faacc93c86c27683e4659bdb06d150d79254f2b.tar.gz | |
New upstream release fixes several security issues
- CVE-2014-3635: do not accept an extra fd in cmsg padding,
avoiding a buffer overrun in dbus-daemon or system services
- CVE-2014-3636: reduce maximum number of file descriptors
per message from 1024 to 16, to avoid two separate denial-of-service
attacks that could cause system services to be dropped from the bus
- CVE-2014-3637: time out connections that have a
partially-sent message containing a file descriptor, so that
malicious processes cannot use self-referential file descriptors
to make a connection that will never close
- CVE-2014-3638: reduce maximum number of pending replies
per connection to avoid algorithmic complexity DoS
- CVE-2014-3639: reduce timeout for authentication and
do not accept() new connections when all unauthenticated connection
slots are in use, so that malicious processes cannot prevent new
connections to the system bus
-rw-r--r-- | debian/changelog | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog index ea57bfd1..448bbb7d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -dbus (1.8.6-3) UNRELEASED; urgency=medium +dbus (1.8.8-1) unstable; urgency=medium [ Michael Biebl ] * Don't attempt config reload if dbus system bus is not running. @@ -7,8 +7,24 @@ dbus (1.8.6-3) UNRELEASED; urgency=medium * Bump dbus up to Priority: standard because without it, systemd-logind does not run a getty on tty2..tty6 (matching ftp-master action in #759293) - - -- Michael Biebl <biebl@debian.org> Thu, 21 Aug 2014 05:56:30 +0200 + * New upstream release fixes several security issues + - CVE-2014-3635: do not accept an extra fd in cmsg padding, + avoiding a buffer overrun in dbus-daemon or system services + - CVE-2014-3636: reduce maximum number of file descriptors + per message from 1024 to 16, to avoid two separate denial-of-service + attacks that could cause system services to be dropped from the bus + - CVE-2014-3637: time out connections that have a + partially-sent message containing a file descriptor, so that + malicious processes cannot use self-referential file descriptors + to make a connection that will never close + - CVE-2014-3638: reduce maximum number of pending replies + per connection to avoid algorithmic complexity DoS + - CVE-2014-3639: reduce timeout for authentication and + do not accept() new connections when all unauthenticated connection + slots are in use, so that malicious processes cannot prevent new + connections to the system bus + + -- Simon McVittie <smcv@debian.org> Mon, 15 Sep 2014 12:58:25 +0100 dbus (1.8.6-2) unstable; urgency=medium |
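Review bot: in the first hunk (`@@ -1,4 +1,4 @@`) the header line becomes `dbus (1.8.8-1) unstable; urgency=medium`, but the entry below it records five CVE fixes (CVE-2014-3635 through CVE-2014-3639); an upload whose main content is security fixes should normally carry `urgency=high` so that it migrates to testing as quickly as possible, so consider changing `urgency=medium` to `urgency=high` here.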
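Review bot: in the second hunk (`@@ -7,8 +7,24 @@`) the new `* New upstream release fixes several security issues` bullet and its CVE sub-items are appended directly after Michael Biebl's bullets, which sit under the `[ Michael Biebl ]` section marker shown in the first hunk's context, so the changelog now attributes the security update to the wrong person even though the trailer is switched to `-- Simon McVittie <smcv@debian.org>`. Insert a `[ Simon McVittie ]` attribution line (preceded by a blank line) before the new bullet so the multi-maintainer entry credits each block of changes correctly.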