[Ftp-release] Announcing D-Bus 1.10.16
Simon McVittie
simon.mcvittie at collabora.co.uk
Thu Feb 16 22:19:35 UTC 2017
The “super digging powers” release.
This is a bugfix release for the current stable branch, 1.10.x. Please
upgrade unless you have a reason to keep using an older branch.
The fixes in this release are arguably security fixes, but if they
affect you, please take this opportunity to rethink how you are
configuring dbus.
http://dbus.freedesktop.org/releases/dbus/dbus-1.10.16.tar.gz
http://dbus.freedesktop.org/releases/dbus/dbus-1.10.16.tar.gz.asc
git tag: dbus-1.10.16
git branch: dbus-1.10
Enhancements:
• Do the Travis-CI build in Docker containers for Ubuntu LTS, Debian
stable and Debian testing in addition to the older Ubuntu that is
the default (fd.o #98889, Simon McVittie)
Fixes:
• Prevent symlink attacks in the nonce-tcp transport on Unix that could
allow an attacker to overwrite a file named "nonce", in a directory
that the user running dbus-daemon can write, with a random value
known only to the user running dbus-daemon. This is unlikely to be
exploitable in practice, particularly since the nonce-tcp transport
is really only useful on Windows.
On Unix systems we strongly recommend using only the unix: and systemd:
transports, together with EXTERNAL authentication. These are the only
transports and authentication mechanisms enabled by default.
(fd.o #99828, Simon McVittie)
• Avoid symlink attacks in the "embedded tests", which are not enabled
by default and should never be enabled in production builds of dbus.
(fd.o #99828, Simon McVittie)
--
Simon McVittie, Collabora Ltd.
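The symlink problem described in the first fix, shown as an added example of a generic mitigation pattern; it is not code from D-Bus and not the patch for fd.o #99828. The helper name `write_nonce_file` and the `/tmp/nonce-demo-XXXXXX` path are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not a libdbus function: write len bytes to
 * <dir>/nonce. Returns 0 on success, -1 with errno set on failure. */
int write_nonce_file(const char *dir, const unsigned char *nonce, size_t len)
{
    char path[PATH_MAX];
    int n = snprintf(path, sizeof path, "%s/nonce", dir);
    if (n < 0 || (size_t)n >= sizeof path) { errno = ENAMETOOLONG; return -1; }
    /* O_CREAT|O_EXCL fails if the name already exists, even as a
     * dangling symlink, so a planted link is never written through.
     * O_NOFOLLOW is defence in depth; 0600 keeps the secret private. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, nonce, len);
    if (w != (ssize_t)len) {            /* error or short write: leave nothing behind */
        int saved = (w < 0) ? errno : EIO;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    return close(fd);
}

int main(void)
{
    /* mkdtemp() creates a new 0700 directory, so no other user can plant names in it. */
    char dir[] = "/tmp/nonce-demo-XXXXXX";  /* constructed sample path */
    unsigned char nonce[16] = {0};          /* placeholder bytes, not a real nonce */
    if (!mkdtemp(dir) || write_nonce_file(dir, nonce, sizeof nonce) != 0) {
        perror("nonce");
        return 1;
    }
    printf("wrote %s/nonce\n", dir);
    return 0;
}
```

A caller that gets `-1` with `EEXIST` should treat the pre-existing name as hostile and pick a new directory rather than unlink and retry.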