diff options
author | wiz <wiz@pkgsrc.org> | 2014-09-16 21:30:18 +0000 |
---|---|---|
committer | wiz <wiz@pkgsrc.org> | 2014-09-16 21:30:18 +0000 |
commit | 55f2eac25ef0fff4b54e3267c70cccc6b2ba2a47 (patch) | |
tree | 911197e6bd732e65343ec1cdfbdd627d30264a6c /sysutils/dbus | |
parent | c7a8e7f41af4c18b2a3d9a9c7142353ea293922c (diff) | |
download | pkgsrc-55f2eac25ef0fff4b54e3267c70cccc6b2ba2a47.tar.gz |
Update to 1.8.8, many security fixes.
D-Bus 1.8.8 (2014-09-16)
==
The "smashy smashy egg man" release.
Security fixes:
* Do not accept an extra fd in the padding of a cmsg message, which
could lead to a 4-byte heap buffer overrun.
(CVE-2014-3635, fd.o #83622; Simon McVittie)
* Reduce default for maximum Unix file descriptors passed per message
from 1024 to 16, preventing a uid with the default maximum number of
connections from exhausting the system bus' file descriptors under
Linux's default rlimit. Distributors or system administrators with a
more restrictive fd limit may wish to reduce these limits further.
Additionally, on Linux this prevents a second denial of service
in which the dbus-daemon can be made to exceed the maximum number
of fds per sendmsg() and disconnect the process that would have
received them.
(CVE-2014-3636, fd.o #82820; Alban Crequy)
* Disconnect connections that still have a fd pending unmarshalling after
a new configurable limit, pending_fd_timeout (defaulting to 150 seconds),
removing the possibility of creating an abusive connection that cannot be
disconnected by setting up a circular reference to a connection's
file descriptor.
(CVE-2014-3637, fd.o #80559; Alban Crequy)
* Reduce default for maximum pending replies per connection from 8192 to 128,
mitigating an algorithmic complexity denial-of-service attack
(CVE-2014-3638, fd.o #81053; Alban Crequy)
* Reduce default for authentication timeout on the system bus from
30 seconds to 5 seconds, avoiding denial of service by using up
all unauthenticated connection slots; and when all unauthenticated
connection slots are used up, make new connection attempts block
instead of disconnecting them.
(CVE-2014-3639, fd.o #80919; Alban Crequy)
Other fixes:
* Check for libsystemd from systemd >= 209, falling back to
the older separate libraries if not found (Umut Tezduyar Lindskog,
Simon McVittie)
* On Linux, use prctl() to disable core dumps from a test executable
that deliberately raises SIGSEGV to test dbus-daemon's handling
of that condition (fd.o #83772, Simon McVittie)
* Fix compilation with --enable-stats (fd.o #81043, Gentoo #507232;
Alban Crequy)
* Improve documentation for running tests on Windows (fd.o #41252,
Ralf Habacker)
Diffstat (limited to 'sysutils/dbus')
-rw-r--r-- | sysutils/dbus/Makefile | 5 | ||||
-rw-r--r-- | sysutils/dbus/distinfo | 8 |
2 files changed, 6 insertions, 7 deletions
diff --git a/sysutils/dbus/Makefile b/sysutils/dbus/Makefile index 1c77fd17f30..9b57b16737a 100644 --- a/sysutils/dbus/Makefile +++ b/sysutils/dbus/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.73 2014/09/13 09:47:11 richard Exp $ +# $NetBSD: Makefile,v 1.74 2014/09/16 21:30:18 wiz Exp $ -DISTNAME= dbus-1.8.6 -PKGREVISION= 1 +DISTNAME= dbus-1.8.8 CATEGORIES= sysutils MASTER_SITES= http://dbus.freedesktop.org/releases/dbus/ diff --git a/sysutils/dbus/distinfo b/sysutils/dbus/distinfo index 72d2564b9d0..85a3cc6bdd7 100644 --- a/sysutils/dbus/distinfo +++ b/sysutils/dbus/distinfo @@ -1,8 +1,8 @@ -$NetBSD: distinfo,v 1.58 2014/09/13 09:47:11 richard Exp $ +$NetBSD: distinfo,v 1.59 2014/09/16 21:30:18 wiz Exp $ -SHA1 (dbus-1.8.6.tar.gz) = ad7cb87cdce66533479a9d7c1c956bdb0243ad87 -RMD160 (dbus-1.8.6.tar.gz) = 78dcfa48f4d780b27a8c144e481bc285fcf5fd62 -Size (dbus-1.8.6.tar.gz) = 1861784 bytes +SHA1 (dbus-1.8.8.tar.gz) = e0d10e8b4494383c7e366ac80a942ba45a705a96 +RMD160 (dbus-1.8.8.tar.gz) = dc0dbd1ed515e8efe2e30a429e35efa69924c0a4 +Size (dbus-1.8.8.tar.gz) = 1864881 bytes SHA1 (patch-aa) = 0c3d145979e3b2358261c9f7f34701d02eb6ecd4 SHA1 (patch-ak) = 6d05ebde29acb3f6cb6f577dd2f2b734f590e8dd SHA1 (patch-al) = 57d08196e9daf49eb6bda2b30f019ce2cad77c6f |