[Ftp-release] Announcing security release D-Bus 1.8.22

Simon McVittie simon.mcvittie at collabora.co.uk
Mon Oct 10 12:40:57 UTC 2016

The “barren and lifeless” release.

This is a security release for the old-stable branch, 1.8.x. Please
prefer to use 1.10.x if possible.

Branches older than 1.8.x are no longer supported.

git tag: dbus-1.8.22
git branch: dbus-1.8

There is one security fix:

• Do not treat ActivationFailure message received from root-owned
  systemd name as a format string. In principle this is a security
  vulnerability, but we do not believe it is exploitable in practice,
  because only privileged processes can own the
  org.freedesktop.systemd1 bus name, and systemd does not appear to
  send activation failures that contain "%".

  Please note that this probably *was* exploitable in dbus versions
  older than 1.6.30, 1.8.16 and 1.9.10 due to a missing check which at
  the time was only thought to be a denial of service vulnerability
  (CVE-2015-0245). If you are still running one of those versions,
  patch or upgrade immediately.

  (fd.o #98157, Simon McVittie)

Simon McVittie, Collabora Ltd. <http://www.collabora.com/>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 845 bytes
Desc: This is a digitally signed message part
URL: <https://lists.freedesktop.org/archives/ftp-release/attachments/20161010/15d0014d/attachment.sig>

More information about the Ftp-release mailing list