diff options
| author | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2015-01-01 23:48:13 +0000 |
|---|---|---|
| committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2015-01-01 23:48:13 +0000 |
| commit | ae9d7149aa9a9f8f276c35b2343e78aaa7c9054c (patch) | |
| tree | 8697326f4c120119e825b82f96bd239002de3712 /NEWS | |
| parent | fda9d8a44aa1bde4f2777fb9ad8650f45820fb6b (diff) | |
| parent | abbbf449f17e0a74a5d9a50fb5b074e96e9b7030 (diff) | |
| download | dbus-ae9d7149aa9a9f8f276c35b2343e78aaa7c9054c.tar.gz | |
Merge branch 'dbus-1.8' and prepare 1.9.6dbus-1.9.6
Conflicts:
NEWS
configure.ac
test/dbus-daemon.c
Diffstat (limited to 'NEWS')
| -rw-r--r-- | NEWS | 30 |
1 files changed, 28 insertions, 2 deletions
@@ -1,7 +1,33 @@ -D-Bus 1.9.6 (UNRELEASED) +D-Bus 1.9.6 (2015-01-05) == -... +The “I do have a bread knife” release. + +Security hardening: + +• Do not allow calls to UpdateActivationEnvironment from uids other than + the uid of the dbus-daemon. If a system service installs unsafe + security policy rules that allow arbitrary method calls + (such as CVE-2014-8148) then this prevents memory consumption and + possible privilege escalation via UpdateActivationEnvironment. + + We believe that in practice, privilege escalation here is avoided + by dbus-daemon-launch-helper sanitizing its environment; but + it seems better to be safe. + +• Do not allow calls to UpdateActivationEnvironment or the Stats interface + on object paths other than /org/freedesktop/DBus. Some system services + install unsafe security policy rules that allow arbitrary method calls + to any destination, method and interface with a specified object path; + while less bad than allowing arbitrary method calls, these security + policies are still harmful, since dbus-daemon normally offers the + same API on all object paths and other system services might behave + similarly. + +Other fixes: + +• Add missing initialization so GetExtendedTcpTable doesn't crash on + Windows Vista SP0 (fd.o #77008, Илья А. Ткаченко) D-Bus 1.9.4 (2014-11-24) == |