[Ftp-release] Announcing D-Bus 1.10.16

Simon McVittie simon.mcvittie at collabora.co.uk
Thu Feb 16 22:19:35 UTC 2017


The “super digging powers” release.

This is a bugfix release for the current stable branch, 1.10.x. Please
upgrade unless you have a reason to keep using an older branch.

The fixes in this release are arguably security fixes, but if they
affect you, please take this opportunity to rethink how you are
configuring dbus.

http://dbus.freedesktop.org/releases/dbus/dbus-1.10.16.tar.gz
http://dbus.freedesktop.org/releases/dbus/dbus-1.10.16.tar.gz.asc
git tag: dbus-1.10.16
git branch: dbus-1.10

Enhancements:

• Do the Travis-CI build in Docker containers for Ubuntu LTS, Debian
  stable and Debian testing in addition to the older Ubuntu that is
  the default (fd.o #98889, Simon McVittie)

Fixes:

• Prevent symlink attacks in the nonce-tcp transport on Unix that could
  allow an attacker to overwrite a file named "nonce", in a directory
  that the user running dbus-daemon can write, with a random value
  known only to the user running dbus-daemon. This is unlikely to be
  exploitable in practice, particularly since the nonce-tcp transport
  is really only useful on Windows.

  On Unix systems we strongly recommend using only the unix: and systemd:
  transports, together with EXTERNAL authentication. These are the only
  transports and authentication mechanisms enabled by default.

  (fd.o #99828, Simon McVittie)

• Avoid symlink attacks in the "embedded tests", which are not enabled
  by default and should never be enabled in production builds of dbus.
  (fd.o #99828, Simon McVittie)

-- 
Simon McVittie, Collabora Ltd.
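
The recommendation above (only the unix: and systemd: transports, with EXTERNAL authentication) can be checked against a dbus-daemon configuration file. The following is an added example, not part of the original announcement or of the D-Bus project; the function name and the sample configuration are constructed for illustration, and it assumes the configuration uses the standard <listen> and <auth> elements.

```python
import xml.etree.ElementTree as ET

# Transports and mechanism the announcement recommends on Unix.
RECOMMENDED_TRANSPORTS = {"unix", "systemd"}
RECOMMENDED_AUTH = {"EXTERNAL"}

# Constructed sample configuration, not taken from any real system.
SAMPLE_CONFIG = """\
<busconfig>
  <type>session</type>
  <listen>unix:tmpdir=/tmp</listen>
  <listen>nonce-tcp:host=localhost,port=0;tcp:host=localhost,port=0</listen>
  <auth>EXTERNAL</auth>
  <auth>DBUS_COOKIE_SHA1</auth>
</busconfig>
"""


def audit_busconfig(xml_text):
    """Return findings for <listen>/<auth> values outside the recommended set.

    Hypothetical helper: each finding is a (element, name, detail) tuple.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for listen in root.iter("listen"):
        # A D-Bus address may hold several ';'-separated entries, each
        # of the form "transport:key=value,...".
        for entry in filter(None, (listen.text or "").strip().split(";")):
            transport = entry.split(":", 1)[0].strip()
            if transport not in RECOMMENDED_TRANSPORTS:
                findings.append(("listen", transport, entry.strip()))
    for auth in root.iter("auth"):
        mechanism = (auth.text or "").strip()
        if mechanism not in RECOMMENDED_AUTH:
            findings.append(("auth", mechanism, mechanism))
    return findings


if __name__ == "__main__":
    for kind, name, detail in audit_busconfig(SAMPLE_CONFIG):
        print(f"{kind}: {name!r} is outside the recommended set ({detail})")
```

The check reads a single file and does not follow <include> or <includedir> elements, so each included file needs to be audited separately.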

