-
dbus (1.12.16-2ubuntu2.3) focal-security; urgency=medium
  * SECURITY UPDATE: Assertion failure in dbus-marshal-validate
    - debian/patches/CVE-2022-42010.patch: Check brackets in signature nest
      correctly
    - CVE-2022-42010
  * SECURITY UPDATE: Out-of-bound access in dbus-marshal-validate
    - debian/patches/CVE-2022-42011.patch: Validate length of arrays of
      fixed-length items
    - CVE-2022-42011
  * SECURITY UPDATE: Out-of-bound access in dbus-marshal-byteswap
    - debian/patches/CVE-2022-42012.patch: Byte-swap Unix fd indexes if needed
    - CVE-2022-42012
 -- Nishit Majithia <email address hidden> Tue, 25 Oct 2022 18:39:26 +0530
-
dbus (1.12.16-2ubuntu2.2) focal-security; urgency=medium
  * SECURITY UPDATE: use-after-free when users share UID
    - debian/patches/CVE-2020-35512.patch: apply
      reference-counting to the user and group data structures
      in dbus/dbus-userdb.h, dbus/dbus-sysdeps-unix.h,
      dbus/dbus-userdb-util.c and dbus/dbus-userdb.c.
    - CVE-2020-35512
 -- David Fernandez Gonzalez <email address hidden> Fri, 29 Apr 2022 14:03:28 +0200
-
dbus (1.12.16-2ubuntu2.1) focal-security; urgency=medium
  * SECURITY UPDATE: DoS via file descriptor leak
    - debian/patches/CVE-2020-12049-1.patch: on MSG_CTRUNC, close the fds
      we did receive in dbus/dbus-sysdeps-unix.c.
    - debian/patches/CVE-2020-12049-2.patch: assert that we don't leak file
      descriptors in test/fdpass.c.
    - CVE-2020-12049
 -- Marc Deslauriers <email address hidden> Thu, 11 Jun 2020 14:22:13 -0400
-
dbus (1.12.16-2ubuntu2) focal; urgency=medium
  * Make autopkgtests cross-test-friendly.
 -- Steve Langasek <email address hidden> Fri, 06 Dec 2019 21:22:40 -0800
-
dbus (1.12.16-2ubuntu1) focal; urgency=medium
  * Merge from Debian unstable. Remaining changes:
    - Add dont-stop-dbus.patch: Don't stop D-Bus in the service unit.
    - debian/dbus.postinst, debian/rules: Don't start D-Bus on package
      installation, as that doesn't work any more with dont-stop-dbus.patch.
      Instead, start dbus.socket in postinst, which will then start D-Bus
      on demand after package installation.
    - Add aa-get-connection-apparmor-security-context.patch: This is not
      intended for upstream inclusion. It implements a bus method
      (GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
      security context but upstream D-Bus has recently added a generic way of
      getting a connection's security credentials (GetConnectionCredentials).
      Ubuntu should carry this patch until packages in the archive are moved
      over to the new, generic method of getting a connection's credentials.
  * Removed patches included in new version:
    - d/p/0001-auth-Reject-DBUS_COOKIE_SHA1-for-users-other-than-th.patch
    - d/p/0002-test-Add-basic-test-coverage-for-DBUS_COOKIE_SHA1.patch
dbus (1.12.16-2) unstable; urgency=medium
  * Add bug number to previous changelog entry
  * Standards-Version: 4.4.1 (no changes required)
    - Note that dbus-user-session still has its previous dependencies,
      and has deliberately not been switched to the new default-logind
      virtual package. dbus-user-session relies on systemd --user: it
      is not enough to have systemd-logind or a compatible replacement
      like elogind.
  * d/dbus.init: Work around #940971 in libnss-systemd.
    If we are booting with a non-systemd init but libnss-systemd is still
    installed, tell libnss-systemd not to try to connect to dbus-daemon,
    which is never going to work well from inside dbus-daemon.
  * dbus.postinst: Append dbus to /run/reboot-required.pkgs on upgrade
    (Closes: #867263)
 -- Marc Deslauriers <email address hidden> Tue, 26 Nov 2019 12:58:43 -0500
-
dbus (1.12.14-1ubuntu2) eoan; urgency=medium
  * SECURITY UPDATE: DBUS_COOKIE_SHA1 implementation flaw
    - d/p/0001-auth-Reject-DBUS_COOKIE_SHA1-for-users-other-than-th.patch:
      reject DBUS_COOKIE_SHA1 for users other than the server owner in
      dbus/dbus-auth.c.
    - d/p/0002-test-Add-basic-test-coverage-for-DBUS_COOKIE_SHA1.patch:
      add basic test coverage for DBUS_COOKIE_SHA1 in
      dbus/dbus-auth-script.c, dbus/dbus-sysdeps-util-unix.c,
      dbus/dbus-sysdeps-util-win.c, dbus/dbus-sysdeps.h, test/Makefile.am,
      test/data/auth/cookie-sha1-username.auth-script,
      test/data/auth/cookie-sha1.auth-script.
    - CVE-2019-12749
 -- Marc Deslauriers <email address hidden> Tue, 11 Jun 2019 13:04:53 -0400