[Ftp-release] Announcing dbus 1.6.28

Simon McVittie simon.mcvittie at collabora.co.uk
Mon Nov 24 13:03:43 PST 2014


This is a bugfix release for the old-stable branch, fixing a regression
in security fix release 1.6.24. Upgrading to 1.8.12 instead is
recommended, but if you need to use 1.6.x:

http://dbus.freedesktop.org/releases/dbus/dbus-1.6.28.tar.gz
http://dbus.freedesktop.org/releases/dbus/dbus-1.6.28.tar.gz.asc
git tag: dbus-1.6.28
git branch: dbus-1.6

Regression fix backported from 1.8.12:

• Partially revert the CVE-2014-3639 patch by increasing the default
  authentication timeout on the system bus from 5 seconds back to 30
  seconds, since this has been reported to cause boot regressions for
  some users, mostly with parallel boot (systemd) on slower hardware.

  On fast systems where local users are considered particularly hostile,
  administrators can return to the 5 second timeout (or any other value
  in milliseconds) by saving this as /etc/dbus-1/system-local.conf:

  <busconfig>
    <limit name="auth_timeout">5000</limit>
  </busconfig>

  (fd.o #86431, Simon McVittie)

• Add a message in syslog/the Journal when the auth_timeout is exceeded
  (fd.o #86431, Simon McVittie)

-- 
Simon McVittie, Collabora Ltd.


More information about the Ftp-release mailing list