-rw-r--r-- | debian/changelog | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog index ea57bfd1..448bbb7d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -dbus (1.8.6-3) UNRELEASED; urgency=medium +dbus (1.8.8-1) unstable; urgency=medium [ Michael Biebl ] * Don't attempt config reload if dbus system bus is not running. @@ -7,8 +7,24 @@ dbus (1.8.6-3) UNRELEASED; urgency=medium * Bump dbus up to Priority: standard because without it, systemd-logind does not run a getty on tty2..tty6 (matching ftp-master action in #759293) - - -- Michael Biebl <biebl@debian.org> Thu, 21 Aug 2014 05:56:30 +0200 + * New upstream release fixes several security issues + - CVE-2014-3635: do not accept an extra fd in cmsg padding, + avoiding a buffer overrun in dbus-daemon or system services + - CVE-2014-3636: reduce maximum number of file descriptors + per message from 1024 to 16, to avoid two separate denial-of-service + attacks that could cause system services to be dropped from the bus + - CVE-2014-3637: time out connections that have a + partially-sent message containing a file descriptor, so that + malicious processes cannot use self-referential file descriptors + to make a connection that will never close + - CVE-2014-3638: reduce maximum number of pending replies + per connection to avoid algorithmic complexity DoS + - CVE-2014-3639: reduce timeout for authentication and + do not accept() new connections when all unauthenticated connection + slots are in use, so that malicious processes cannot prevent new + connections to the system bus + + -- Simon McVittie <smcv@debian.org> Mon, 15 Sep 2014 12:58:25 +0100 dbus (1.8.6-2) unstable; urgency=medium |
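Review bot: the new header line `dbus (1.8.8-1) unstable; urgency=medium` in the first hunk keeps the urgency at medium, although this same upload's entry lists five CVE fixes, one of them a buffer overrun in dbus-daemon or system services (CVE-2014-3635). Consider `urgency=high` for a security upload so it is not held at the normal migration delay, or say in the entry why medium is sufficient.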
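Review bot: in the second hunk, the bullets for CVE-2014-3636, CVE-2014-3638 and CVE-2014-3639 all tighten limits, but only the first gives the old and new values ("from 1024 to 16"); the pending-replies limit and the authentication timeout are just described as "reduce". Please state the new values for those two as well, and note whether a local bus configuration can raise any of these limits, since a service that passes more than 16 file descriptors in one message will behave differently after this upgrade and the changelog is where an administrator will look first.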