author | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2015-01-05 14:58:48 +0000 |
---|---|---|
committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2015-01-05 14:58:48 +0000 |
commit | d97e8f95aad270acb58f3d7e7b92da5cc087e02b (patch) | |
tree | 9dc650819bd5f41ca405dadb880b1f6d718a3e70 /NEWS | |
parent | fd4f3ca3f6b3338ef8d111b05471b4f65c09dd04 (diff) | |
parent | ae9d7149aa9a9f8f276c35b2343e78aaa7c9054c (diff) | |
download | dbus-d97e8f95aad270acb58f3d7e7b92da5cc087e02b.tar.gz |
Merge tag 'dbus-1.9.6'
dbus-1.9.6
Conflicts:
NEWS
configure.ac
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 33 |
1 files changed, 32 insertions, 1 deletions
@@ -1,8 +1,39 @@ -D-Bus 1.9.6 (UNRELEASED) +D-Bus 1.9.8 (UNRELEASED) == ... +D-Bus 1.9.6 (2015-01-05) +== + +The “I do have a bread knife” release. + +Security hardening: + +• Do not allow calls to UpdateActivationEnvironment from uids other than + the uid of the dbus-daemon. If a system service installs unsafe + security policy rules that allow arbitrary method calls + (such as CVE-2014-8148) then this prevents memory consumption and + possible privilege escalation via UpdateActivationEnvironment. + + We believe that in practice, privilege escalation here is avoided + by dbus-daemon-launch-helper sanitizing its environment; but + it seems better to be safe. + +• Do not allow calls to UpdateActivationEnvironment or the Stats interface + on object paths other than /org/freedesktop/DBus. Some system services + install unsafe security policy rules that allow arbitrary method calls + to any destination, method and interface with a specified object path; + while less bad than allowing arbitrary method calls, these security + policies are still harmful, since dbus-daemon normally offers the + same API on all object paths and other system services might behave + similarly. + +Other fixes: + +• Add missing initialization so GetExtendedTcpTable doesn't crash on + Windows Vista SP0 (fd.o #77008, Илья А. Ткаченко) + D-Bus 1.9.4 (2014-11-24) == |
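Review bot: the two "Security hardening" bullets in this hunk carry no bug-tracker or advisory reference for the change itself, whereas the "Other fixes" entry does ("(fd.o #77008, Илья А. Ткаченко)"); the only identifier in the security section, CVE-2014-8148, is cited as an example of the unsafe policy rules another service may ship, not as the reference for these restrictions. Add the fd.o bug number (and any CVE assigned) for the UpdateActivationEnvironment uid check and for the object-path restriction on UpdateActivationEnvironment and the Stats interface, so that distributors backporting 1.9.6 can trace each fix. Since the entry itself notes that "dbus-daemon normally offers the same API on all object paths", it would also help callers to state what a rejected call now gets back (an error reply rather than the previous behaviour), as this is a user-visible change.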