author | Simon McVittie <smcv@debian.org> | 2014-06-30 15:15:50 +0100 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2014-06-30 15:15:50 +0100 |
commit | d35dfa78f7ee90bebc3c8a290a7f5877feb7eb8b (patch) | |
tree | 3ff7e7324aa42763ed8f76e7def35165b05aea76 /NEWS | |
parent | 2aa6558146965f91878fe7db131593a02736158e (diff) | |
download | dbus-d35dfa78f7ee90bebc3c8a290a7f5877feb7eb8b.tar.gz |
Imported Upstream version 1.8.6 (upstream/1.8.6)
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 24 |
1 files changed, 24 insertions, 0 deletions
@@ -1,3 +1,27 @@ +D-Bus 1.8.6 (2014-06-02) +== + +Security fixes: + +• On Linux ≥ 2.6.37-rc4, if sendmsg() fails with ETOOMANYREFS, silently drop + the message. This prevents an attack in which a malicious client can + make dbus-daemon disconnect a system service, which is a local + denial of service. + (fd.o #80163, CVE-2014-3532; Alban Crequy) + +• Track remaining Unix file descriptors correctly when more than one + message in quick succession contains fds. This prevents another attack + in which a malicious client can make dbus-daemon disconnect a system + service. + (fd.o #79694, fd.o #80469, CVE-2014-3533; Alejandro Martínez Suárez, + Simon McVittie, Alban Crequy) + +Other fixes: + +• When dbus-launch --exit-with-session starts a dbus-daemon but then cannot + attach to a session, kill the dbus-daemon as intended + (fd.o #74698, Роман Донченко) + D-Bus 1.8.4 (2014-06-10) == |
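Review bot: The release date in the new heading, "D-Bus 1.8.6 (2014-06-02)", is earlier than the date on the entry it is placed above, "D-Bus 1.8.4 (2014-06-10)", so the NEWS file now lists a newer version with an older date. One of the two dates looks mistyped; please check the 1.8.6 date against the actual release and correct it, since downstream changelogs and advisories for CVE-2014-3532 and CVE-2014-3533 tend to copy it from here. A smaller point on the first security item: "silently drop the message" tells an administrator nothing about how a dropped message would be noticed, so it would help to say whether anything is logged or returned to the sender when sendmsg() fails with ETOOMANYREFS.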