author | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2017-02-16 16:27:58 +0000 |
---|---|---|
committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2017-02-16 16:36:31 +0000 |
commit | 8116f98b49c2389e66c8715cf02782515fe99579 (patch) | |
tree | 96b67a139d645ee3f00253448ab0f3a9586a4688 | |
parent | ca04b6b2ed56a7df4976936a1ddda24f5e903354 (diff) | |
download | dbus-8116f98b49c2389e66c8715cf02782515fe99579.tar.gz |
Update NEWS for 1.8.x
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
-rw-r--r-- | NEWS | 26 |
1 files changed, 26 insertions, 0 deletions
@@ -1,3 +1,29 @@ +D-Bus 1.8.24 (UNRELEASED) +== + +The fixes in this release are arguably security fixes, but if they +affect you, please take this opportunity to rethink how you are +configuring dbus. + +Fixes: + +• Prevent symlink attacks in the nonce-tcp transport on Unix that could + allow an attacker to overwrite a file named "nonce", in a directory + that the user running dbus-daemon can write, with a random value + known only to the user running dbus-daemon. This is unlikely to be + exploitable in practice, particularly since the nonce-tcp transport + is really only useful on Windows. + + On Unix systems we strongly recommend using only the unix: and systemd: + transports, together with EXTERNAL authentication. These are the only + transports and authentication mechanisms enabled by default. + + (fd.o #99828, Simon McVittie) + +• Avoid symlink attacks in the "embedded tests", which are not enabled + by default and should never be enabled in production builds of dbus. + (fd.o #99828, Simon McVittie) + D-Bus 1.8.22 (2016-10-10) == |
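Review bot: The introductory paragraph of the new 1.8.24 entry asks readers to "rethink how you are configuring dbus" without saying which configuration is meant; the concrete advice (use only the unix: and systemd: transports, together with EXTERNAL authentication) appears only in the second paragraph of the first bullet. Consider naming the nonce-tcp transport and the embedded tests in the introduction, or moving the recommendation up, so that a packager skimming the entry can tell at once whether they are affected. The second bullet also gives no impact statement comparable to the first one's "overwrite a file named "nonce"", and both bullets cite the same fd.o #99828; a short clause saying what the symlink attack on the embedded tests could affect would help anyone deciding whether to backport.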