From abbbf449f17e0a74a5d9a50fb5b074e96e9b7030 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 1 Jan 2015 23:42:41 +0000 Subject: Prepare release for Monday --- NEWS | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) (limited to 'NEWS') diff --git a/NEWS b/NEWS index 250aedb1..4fc8c0ff 100644 --- a/NEWS +++ b/NEWS @@ -1,7 +1,33 @@ -D-Bus 1.8.14 (UNRELEASED) +D-Bus 1.8.14 (2015-01-05) == -... +The “40lb of roofing nails” release. + +Security hardening: + +• Do not allow calls to UpdateActivationEnvironment from uids other than + the uid of the dbus-daemon. If a system service installs unsafe + security policy rules that allow arbitrary method calls + (such as CVE-2014-8148) then this prevents memory consumption and + possible privilege escalation via UpdateActivationEnvironment. + + We believe that in practice, privilege escalation here is avoided + by dbus-daemon-launch-helper sanitizing its environment; but + it seems better to be safe. + +• Do not allow calls to UpdateActivationEnvironment or the Stats interface + on object paths other than /org/freedesktop/DBus. Some system services + install unsafe security policy rules that allow arbitrary method calls + to any destination, method and interface with a specified object path; + while less bad than allowing arbitrary method calls, these security + policies are still harmful, since dbus-daemon normally offers the + same API on all object paths and other system services might behave + similarly. + +Other fixes: + +• Add missing initialization so GetExtendedTcpTable doesn't crash on + Windows Vista SP0 (fd.o #77008, Илья А. Ткаченко) D-Bus 1.8.12 (2014-11-24) == -- cgit v1.2.1
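Review bot: the two "Security hardening" entries in the NEWS hunk cite CVE-2014-8148 only as an example of the unsafe policy rules they mitigate, but unlike the Windows fix ("fd.o #77008, Илья А. Ткаченко") they carry no bug-tracker reference of their own, so a reader of NEWS cannot locate the discussion or commits behind the UpdateActivationEnvironment uid check or the /org/freedesktop/DBus object-path restriction; suggest adding the relevant fd.o bug numbers to both entries in the same "(fd.o #NNNNN, author)" form this file already uses (NNNNN being whatever the real numbers are). The "We believe that in practice, privilege escalation here is avoided by dbus-daemon-launch-helper sanitizing its environment" paragraph would also be more useful to downstream packagers if it said which variables the helper sanitizes, or pointed to where that behaviour is documented, since that sanitization is the stated reason the escalation is considered unlikely.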