Announcing dbus 1.12.28 (security update)

Simon McVittie smcv at collabora.com
Tue Jun 6 17:03:19 UTC 2023


dbus is the reference implementation of D-Bus, a message bus for
communication between applications and system services.

The dbus 1.12.x branch was originally released in 2017, and is maintained
for the benefit of long-term-support OS distributions such as Debian.
It is planned to reach end-of-life status at the end of Debian 11
mainstream security support, in mid 2024. After it reaches end-of-life
there will be no more 1.12.x releases, even if new security issues
are discovered.

<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.28.tar.gz>
<http://dbus.freedesktop.org/releases/dbus/dbus-1.12.28.tar.gz.asc>
git tag: dbus-1.12.28

Denial-of-service fixes:

• Fix an assertion failure in dbus-daemon when a privileged Monitoring
  connection (dbus-monitor, busctl monitor, gdbus monitor or similar)
  is active, and a message from the bus driver cannot be delivered to a
  client connection due to <deny> rules or outgoing message quota. This
  is a denial of service if triggered maliciously by a local attacker.
  (dbus#457; hongjinghao, Simon McVittie)

Other fixes:

• Documentation:
  · Fix syntax of a code sample in dbus-api-design
    (dbus!396; Yen-Chin, Lee)

Tests and CI enhancements:

• Fix CI pipelines after freedesktop/freedesktop#540
  (dbus!405, dbus#456; Simon McVittie)

-- 
Simon McVittie, Collabora Ltd. / Debian
on behalf of the dbus maintainers

