diff options
| author | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2015-01-01 23:42:41 +0000 |
|---|---|---|
| committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2015-01-01 23:42:41 +0000 |
| commit | abbbf449f17e0a74a5d9a50fb5b074e96e9b7030 (patch) | |
| tree | 6b1fad41d0f233eb3090acb81e04b30908d918d6 /NEWS | |
| parent | eec885de3b4b9559a2f28be7c17bf21ca8d2382f (diff) | |
| download | dbus-abbbf449f17e0a74a5d9a50fb5b074e96e9b7030.tar.gz | |
Prepare release for Mondaydbus-1.8.14
Diffstat (limited to 'NEWS')
| -rw-r--r-- | NEWS | 30 |
1 files changed, 28 insertions, 2 deletions
@@ -1,7 +1,33 @@ -D-Bus 1.8.14 (UNRELEASED) +D-Bus 1.8.14 (2015-01-05) == -... +The “40lb of roofing nails” release. + +Security hardening: + +• Do not allow calls to UpdateActivationEnvironment from uids other than + the uid of the dbus-daemon. If a system service installs unsafe + security policy rules that allow arbitrary method calls + (such as CVE-2014-8148) then this prevents memory consumption and + possible privilege escalation via UpdateActivationEnvironment. + + We believe that in practice, privilege escalation here is avoided + by dbus-daemon-launch-helper sanitizing its environment; but + it seems better to be safe. + +• Do not allow calls to UpdateActivationEnvironment or the Stats interface + on object paths other than /org/freedesktop/DBus. Some system services + install unsafe security policy rules that allow arbitrary method calls + to any destination, method and interface with a specified object path; + while less bad than allowing arbitrary method calls, these security + policies are still harmful, since dbus-daemon normally offers the + same API on all object paths and other system services might behave + similarly. + +Other fixes: + +• Add missing initialization so GetExtendedTcpTable doesn't crash on + Windows Vista SP0 (fd.o #77008, Илья А. Ткаченко) D-Bus 1.8.12 (2014-11-24) == |