Announcing D-Bus 1.11.6

Simon McVittie simon.mcvittie at collabora.co.uk
Mon Oct 10 12:35:02 UTC 2016


The “darkly whimsical” release. This is a development release, in the
branch leading to future D-Bus 1.12.x stable releases.

http://dbus.freedesktop.org/releases/dbus/dbus-1.11.6.tar.gz
http://dbus.freedesktop.org/releases/dbus/dbus-1.11.6.tar.gz.asc
git tag: dbus-1.11.6

Security fixes:

• Do not treat ActivationFailure message received from root-owned
  systemd name as a format string. In principle this is a security
  vulnerability, but we do not believe it is exploitable in practice,
  because only privileged processes can own the
  org.freedesktop.systemd1 bus name, and systemd does not appear to
  send activation failures that contain "%".

  Please note that this probably *was* exploitable in dbus versions
  older than 1.6.30, 1.8.16 and 1.9.10 due to a missing check which at
  the time was only thought to be a denial of service vulnerability
  (CVE-2015-0245). If you are still running one of those versions,
  patch or upgrade immediately.

  (fd.o #98157, Simon McVittie)

Enhancements:

• D-Bus Specification version 0.29
  · Recommend not using '/' for object paths (fd.o #37095, Philip Withnall)
  · Allow <annotation> in <arg> elements (fd.o #86162, Philip Withnall)

• Log to syslog when we exceed various anti-DoS limits, and add test
  coverage for them (fd.o #86442, Simon McVittie)

• Improve syslog handling so that _dbus_warn() and similar warnings
  go to syslog, add dbus-daemon --syslog|--nosyslog|--syslog-only options,
  and log to syslog (instead of /dev/null) when dbus-daemon is started by
  dbus-launch. (fd.o #97009, Simon McVittie)

• Install introspect.dtd and busconfig.dtd to ${datadir}/xml/dbus-1
  (fd.o #89011, Philip Withnall)

• When logging messages about service activation, mention which peer
  requested the activation (fd.o #68212, Philip Withnall)

• On Linux, mention the LSM label (if available) whenever we print
  debug information about a peer (fd.o #68212, Philip Withnall)

Other fixes:

• Harden dbus-daemon against malicious or incorrect ActivationFailure
  messages by rejecting them if they do not come from a privileged
  process, or if systemd activation is not enabled
  (fd.o #98157, Simon McVittie)
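The two fd.o #98157 items above are the same bug class seen from both sides: an attacker-influenced string must never become a printf-style format argument, and a message that can only legitimately come from a privileged peer should be rejected before it is acted on. The following is an added example, not dbus code: `warn()` is a constructed stand-in for a sink like _dbus_warn(), and `accept_activation_failure()` is a constructed model of the sender check (uid 0 standing in for "may own org.freedesktop.systemd1"). The message uses "%%" because that is the one format interpretation that is defined behaviour when no arguments are supplied, which is enough to show the difference without triggering the undefined reads a "%s" or "%n" would.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for a D-Bus logging sink such as _dbus_warn():
 * formats into a static buffer so the result can be inspected. */
static char last_log[256];

static void warn(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the message text becomes the format string, so any
 * '%' in it is interpreted. "%%" collapses to "%" (defined behaviour, used
 * here for the demonstration); "%s" or "%n" would read or write through
 * missing arguments, which is why this bug class matters. */
const char *log_activation_failure_unsafe(const char *message)
{
    warn(message);
    return last_log;
}

/* Hardened pattern: the message is only ever a %s argument, so its
 * contents are copied verbatim and never interpreted. */
const char *log_activation_failure_safe(const char *message)
{
    warn("Activation failed: %s", message);
    return last_log;
}

/* Constructed model of the sender check: an ActivationFailure is only acted
 * on if systemd activation is enabled and the sender is privileged (uid 0
 * is assumed here to mean "may own org.freedesktop.systemd1").
 * Writes the log line or rejection reason to out; returns 1 if accepted,
 * 0 if rejected. */
int accept_activation_failure(int systemd_activation_enabled, uid_t sender_uid,
                              const char *message, char *out, size_t outlen)
{
    if (!systemd_activation_enabled || sender_uid != 0) {
        snprintf(out, outlen, "rejected ActivationFailure from uid %ld",
                 (long) sender_uid);
        return 0;
    }
    snprintf(out, outlen, "%s", log_activation_failure_safe(message));
    return 1;
}

int main(void)
{
    /* Constructed message: the "%%" shows whether the text is interpreted. */
    const char *msg = "Unit foo.service failed (100%% of retries used)";
    char buf[256];

    printf("unsafe: %s\n", log_activation_failure_unsafe(msg));
    printf("safe:   %s\n", log_activation_failure_safe(msg));

    accept_activation_failure(1, 1000, msg, buf, sizeof buf);
    printf("%s\n", buf);
    accept_activation_failure(1, 0, msg, buf, sizeof buf);
    printf("%s\n", buf);
    return 0;
}
```

Build with `cc -Wall -Wformat-security example.c`: the unsafe call is the kind of site the compiler flags when the sink carries a `format` attribute, which is a cheap way to find this pattern in a code base before a peer does.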

• Avoid undefined behaviour when setting reply serial number without going
  via union DBusBasicValue (fd.o #98035, Marc Mutz)

• Fix CMake build for Unix platforms that do not have -lrt, such as Android,
  or that do need -lsocket, such as QNX (fd.o #94096, Ralf Habacker)

• autogen.sh: fail cleanly if autoconf fails (Simon McVittie)

-- 
Simon McVittie, Collabora Ltd. <http://www.collabora.com/>