Announcing dbus 1.10.30 security update
Simon McVittie
smcv at collabora.com
Tue Jun 2 20:03:58 UTC 2020
dbus is the reference implementation of D-Bus, a message bus for
communication between applications and system services.
The dbus 1.10.x branch was originally released in 2015. It currently
receives security-fix releases whenever necessary, but it is planned to
reach end-of-life status at the end of Debian 9's official security
support (approximately July 2020). If you are a dbus downstream
maintainer in a long-lived OS distribution and you want to use the
upstream dbus-1.10 git branch as a place to share backported security
fixes with other distributions, please contact the dbus maintainers via
the dbus-security mailing list on lists.freedesktop.org.
<http://dbus.freedesktop.org/releases/dbus/dbus-1.10.30.tar.gz>
<http://dbus.freedesktop.org/releases/dbus/dbus-1.10.30.tar.gz.asc>
git tag: dbus-1.10.30
The “centaur bus” release.
Denial of service fixes:
• CVE-2020-12049: If a message contains more file descriptors than can
be sent, close those that did get through before reporting error.
Previously, a local attacker could cause the system dbus-daemon (or
another system service with its own DBusServer) to run out of file
descriptors, by repeatedly connecting to the server and sending fds that
would get leaked.
Thanks to Kevin Backhouse of GitHub Security Lab.
(dbus#294, GHSL-2020-057; Simon McVittie)
Other fixes:
• Fix a crash when the dbus-daemon is terminated while one or more
monitors are active (dbus#291, dbus!140; Simon McVittie)
--
Simon McVittie, Collabora Ltd. / Debian
on behalf of the dbus maintainers
More information about the dbus
mailing list