Announcing dbus 1.6.30 (security fix release)

Simon McVittie simon.mcvittie at collabora.co.uk
Mon Feb 9 07:27:04 PST 2015



This is a security release for the old-stable branch. Upgrading to
1.8.16 instead is recommended, but if you need to use 1.6.x:

http://dbus.freedesktop.org/releases/dbus/dbus-1.6.30.tar.gz
http://dbus.freedesktop.org/releases/dbus/dbus-1.6.30.tar.gz.asc
git tag: dbus-1.6.30
git branch: dbus-1.6

Security fix backported from 1.8.16:

• Do not allow non-uid-0 processes to send forged ActivationFailure
  messages. On Linux systems with systemd activation, this would
  allow a local denial of service: unprivileged processes could
  flood the bus with these forged messages, winning the race with
  the actual service activation and causing an error reply
  to be sent back when service auto-activation was requested.
  This does not prevent the real service from being started,
  so the attack only works while the real service is not running.
  (CVE-2015-0245, fd.o #88811; Simon McVittie)

- -- 
Simon McVittie, Collabora Ltd.
for the D-Bus maintainers
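The check described in the announcement, as an added example that is not part of the original message and is not dbus source code: a simplified model of a bus daemon tracking one auto-activation request, run with and without the uid-0 restriction on ActivationFailure. All type and function names and the service name com.example.Service are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of one pending auto-activation request.
   Hypothetical names throughout; this is not the dbus implementation. */
enum activation_state { PENDING, FAILED, ACTIVATED };

struct pending_activation {
    const char *service;          /* name the caller asked to auto-activate */
    enum activation_state state;  /* FAILED means an error reply was sent */
};

/* The restriction from the fix: only uid 0 may report an activation failure. */
static bool sender_may_report_failure(unsigned int sender_uid) {
    return sender_uid == 0;
}

/* Handle an ActivationFailure report. enforce_uid == false models the
   behaviour before the fix, where any local sender was believed. */
static void on_activation_failure(struct pending_activation *p, const char *service,
                                  unsigned int sender_uid, bool enforce_uid) {
    if (enforce_uid && !sender_may_report_failure(sender_uid))
        return;                   /* forged report: ignore it */
    if (p->state == PENDING && strcmp(p->service, service) == 0)
        p->state = FAILED;        /* the waiting caller gets an error reply */
}

/* The real service comes up. A caller that already received an error
   stays FAILED even though the service itself was started. */
static void on_service_started(struct pending_activation *p) {
    if (p->state == PENDING)
        p->state = ACTIVATED;
}

/* Constructed scenario: a failure report from reporter_uid arrives before
   the real service finishes starting. Returns what the caller ends up with. */
static enum activation_state run_scenario(unsigned int reporter_uid, bool enforce_uid) {
    struct pending_activation p = { "com.example.Service", PENDING };
    on_activation_failure(&p, "com.example.Service", reporter_uid, enforce_uid);
    on_service_started(&p);
    return p.state;
}

int main(void) {
    printf("uid 1000, no check: %d\n", run_scenario(1000, false));
    printf("uid 1000, uid check: %d\n", run_scenario(1000, true));
    printf("uid 0, uid check: %d\n", run_scenario(0, true));
    return 0;
}
```

The third case shows that a failure report from uid 0 is still honoured once the check is in place.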

