-
dbus (1.8.8-1ubuntu2.1) utopic-security; urgency=medium
* SECURITY UPDATE: denial of service via large number of fds
- debian/patches/CVE-2014-7824.patch: raise rlimit and restore it for
activated services in bus/activation.c, bus/bus.*,
dbus/dbus-sysdeps-util-unix.c, dbus/dbus-sysdeps-util-win.c,
dbus/dbus-sysdeps.h.
- debian/dbus.init: don't launch daemon as a user so the rlimit can be
raised.
- CVE-2014-7824
* SECURITY REGRESSION: authentication timeout on certain slower systems
- debian/patches/CVE-2014-3639-regression.patch: raise auth_timeout
back up to 30 secs in bus/config-parser.c, add a warning to
bus/connection.c.
- CVE-2014-3639
-- Marc Deslauriers <email address hidden> Tue, 25 Nov 2014 14:34:31 -0500
-
dbus (1.8.8-1ubuntu2) utopic; urgency=medium
* write to $XDG_RUNTIME_DIR instead of the users home when creating the
dbus-session file, so we can start our session even with 100% filled or
readonly home dir (LP: #1316978)
-- Oliver Grawert <email address hidden> Fri, 26 Sep 2014 15:07:05 +0200
-
dbus (1.8.8-1ubuntu1) utopic; urgency=medium
* Resynchronize on Debian. Remaining Ubuntu changes:
- Install binaries into / rather than /usr:
+ debian/rules: Set --exec-prefix=/
+ debian/dbus.install, debian/dbus-x11.install: Install from /bin
- Use upstart to start:
+ Add debian/dbus.upstart and dbus.user-session.upstart
+ debian/dbus.postinst: Use upstart call instead of invoking the init.d
script for checking if we are already running.
+ debian/control: versioned dependency on netbase that emits the new
deconfiguring-networking event used in upstart script.
- 20_system_conf_limit.patch: Increase max_match_rules_per_connection for
the system bus to 5000 (LP #454093)
- 81-session.conf-timeout.patch: Raise the service startup timeout from 25
to 60 seconds. It may be too short on the live CD with slow machines.
- debian/dbus.user-session.upstart, debian/rules: Communicate session bus
to Upstart Session Init to avoid potential out-of-memory scenario
triggered by Upstart clients that do not run main loops
(LP: #1235649, LP: #1252317).
- debian/control, debian/rules: Build against libapparmor for AppArmor
D-Bus mediation
- debian/control: Use logind for session tracking, so that "at_console"
policies work with logind instead of ConsoleKit. Add "libpam-systemd"
recommends.
- debian/rules: Adjust dbus-send path to our changed install layout.
(LP: #1325364)
- debian/dbus-Xsession: Don't start a session bus if there already is
one, i. e. $DBUS_SESSION_BUS_ADDRESS is already set. (Closes: #681241)
- 0001-Document-AppArmor-enforcement-in-the-dbus-daemon-man.patch,
0002-Add-apparmor-element-and-attributes-to-the-bus-confi.patch,
0003-Update-autoconf-file-to-build-against-libapparmor.patch,
0004-Add-apparmor-element-support-to-bus-config-parsing.patch,
0005-Initialize-AppArmor-mediation.patch,
0006-Store-AppArmor-label-of-bus-during-initialization.patch,
0007-Store-AppArmor-label-of-connecting-processes.patch,
0008-Mediation-of-processes-that-acquire-well-known-names.patch,
0009-Do-LSM-checks-after-determining-if-the-message-is-a-.patch,
0010-Mediation-of-processes-sending-and-receiving-message.patch,
0011-Mediation-of-processes-eavesdropping.patch,
0012-New-a-sv-helper-for-using-byte-arrays-as-the-variant.patch,
0013-Add-AppArmor-support-to-GetConnectionCredentials.patch: Add the
latest set of AppArmor D-Bus mediation patches. This the v3 patch set
from the upstream feature inclusion bug.
- https://bugs.freedesktop.org/show_bug.cgi?id=75113
- aa-get-connection-apparmor-security-context.patch: This is not
intended for upstream inclusion. It implements a bus method
(GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
security context but upstream D-Bus has recently added a generic way of
getting a connection's security credentials (GetConnectionCredentials).
Ubuntu should carry this patch until packages in the archive are moved
over to the new, generic method of getting a connection's credentials.
dbus (1.8.8-1) unstable; urgency=medium
[ Michael Biebl ]
* Don't attempt config reload if dbus system bus is not running.
[ Simon McVittie ]
* Bump dbus up to Priority: standard because without it, systemd-logind
does not run a getty on tty2..tty6 (matching ftp-master action in
#759293)
* New upstream release fixes several security issues
- CVE-2014-3635: do not accept an extra fd in cmsg padding,
avoiding a buffer overrun in dbus-daemon or system services
- CVE-2014-3636: reduce maximum number of file descriptors
per message from 1024 to 16, to avoid two separate denial-of-service
attacks that could cause system services to be dropped from the bus
- CVE-2014-3637: time out connections that have a
partially-sent message containing a file descriptor, so that
malicious processes cannot use self-referential file descriptors
to make a connection that will never close
- CVE-2014-3638: reduce maximum number of pending replies
per connection to avoid algorithmic complexity DoS
- CVE-2014-3639: reduce timeout for authentication and
do not accept() new connections when all unauthenticated connection
slots are in use, so that malicious processes cannot prevent new
connections to the system bus
* debian/copyright: fix glob syntax, .[ch] is not supported
dbus (1.8.6-2) unstable; urgency=medium
* debian/dbus.posinst: When triggered only poke the dbus-daemon, don't run
update-rc.d/invoke-rc.d as added by dh_installinit. This prevent some
odd-corner when being triggered during init system upgrade
(Closes: #754404)
-- Marc Deslauriers <email address hidden> Wed, 17 Sep 2014 15:52:35 -0400
-
dbus (1.8.6-1ubuntu1) utopic; urgency=low
* Resynchronize on Debian testing (LP: #1320422). Remaining Ubuntu changes:
- Install binaries into / rather than /usr:
+ debian/rules: Set --exec-prefix=/
+ debian/dbus.install, debian/dbus-x11.install: Install from /bin
- Use upstart to start:
+ Add debian/dbus.upstart and dbus.user-session.upstart
+ debian/dbus.postinst: Use upstart call instead of invoking the init.d
script for checking if we are already running.
+ debian/control: versioned dependency on netbase that emits the new
deconfiguring-networking event used in upstart script.
- 20_system_conf_limit.patch: Increase max_match_rules_per_connection for
the system bus to 5000 (LP #454093)
- 81-session.conf-timeout.patch: Raise the service startup timeout from 25
to 60 seconds. It may be too short on the live CD with slow machines.
- debian/dbus.user-session.upstart, debian/rules: Communicate session bus
to Upstart Session Init to avoid potential out-of-memory scenario
triggered by Upstart clients that do not run main loops
(LP: #1235649, LP: #1252317).
- debian/control, debian/rules: Build against libapparmor for AppArmor
D-Bus mediation
- debian/control: Use logind for session tracking, so that "at_console"
policies work with logind instead of ConsoleKit. Add "libpam-systemd"
recommends.
- debian/rules: Adjust dbus-send path to our changed install layout.
(LP: #1325364)
- debian/dbus-Xsession: Don't start a session bus if there already is one,
i. e. $DBUS_SESSION_BUS_ADDRESS is already set. (Closes: #681241)
* Dropped changes:
- debian/control: Drop version bump on the libglib2.0-dev Build-Depends.
It is no longer needed.
- debian/control: use "Breaks: unity-services (<< 6.0.0-0ubuntu6)", the
new dbus eavedropping protection was creating issues with previous
versions. This can be dropped now since upgrades from Quantal are no
longer a concern.
- debian/control, debian/rules: The tests are not run during the build.
Configure with --disable-tests, drop the build dependencies needed for
the tests. The tests should now run with the debug build using
autopkgtest.
- 00git_logind_check.patch: Fix logind check. This change is present in
upstream dbus.
- Add 00git_sd_daemon_update.patch: Update to current sytemd upstream
sd_booted() to actually check for systemd init. This change is present
in upstream dbus.
- debian/patches/aa-build-tools.patch, debian/patches/aa-mediation.patch,
debian/patches/aa-mediate-eavesdropping.patch: Drop these patches in
favor of the latest set of patches submitted for upstream inclusion
- debian/patches/02_obsolete_g_thread_api.patch: This change is present in
upstream dbus
- 0001-activation-allow-for-more-variation-than-just-system.patch,
0002-bus-change-systemd-activation-to-activation-systemd.patch,
0003-upstart-add-upstart-as-a-possible-activation-type.patch,
0004-upstart-add-UpstartJob-to-service-desktop-files.patch,
0005-activation-implement-upstart-activation.patch: These patches have
been disabled since 12.10 so it should be safe to remove them at this
point
- debian/patches/CVE-2014-3477.patch, debian/patches/CVE-2014-3532.patch,
debian/patches/CVE-2014-3533.patch: These changes are present in
upstream dbus
* 0001-Document-AppArmor-enforcement-in-the-dbus-daemon-man.patch,
0002-Add-apparmor-element-and-attributes-to-the-bus-confi.patch,
0003-Update-autoconf-file-to-build-against-libapparmor.patch,
0004-Add-apparmor-element-support-to-bus-config-parsing.patch,
0005-Initialize-AppArmor-mediation.patch,
0006-Store-AppArmor-label-of-bus-during-initialization.patch,
0007-Store-AppArmor-label-of-connecting-processes.patch,
0008-Mediation-of-processes-that-acquire-well-known-names.patch,
0009-Do-LSM-checks-after-determining-if-the-message-is-a-.patch,
0010-Mediation-of-processes-sending-and-receiving-message.patch,
0011-Mediation-of-processes-eavesdropping.patch,
0012-New-a-sv-helper-for-using-byte-arrays-as-the-variant.patch,
0013-Add-AppArmor-support-to-GetConnectionCredentials.patch: Add the
latest set of AppArmor D-Bus mediation patches. This the v3 patch set from
the upstream feature inclusion bug.
- https://bugs.freedesktop.org/show_bug.cgi?id=75113
* aa-get-connection-apparmor-security-context.patch: Refresh this patch so
that it compiles with latest AppArmor D-Bus mediation patches. It is not
intended for upstream inclusion. It implements a bus method
(GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
security context but upstream D-Bus has recently added a generic way of
getting a connection's security credentials (GetConnectionCredentials).
Ubuntu should carry this patch until packages in the archive are moved
over to the new, generic method of getting a connection's credentials.
dbus (1.8.6-1) unstable; urgency=high
* New upstream release
- fix two local DoS vulnerabilities (CVE-2014-3532, CVE-2014-3533)
dbus (1.8.4-1) unstable; urgency=high
* New upstream release, fixing a DoS vulnerability (CVE-2014-3477)
dbus (1.8.2-1) unstable; urgency=medium
* New upstream release
dbus (1.8.0-3) unstable; urgency=medium
* Improve autopkgtest support
- use a shell wildcard instead of dpkg-architecture, to avoid stderr spam
failing the test if gcc is missing
- wrap each test-case in an arbitrary (5 minute) timeout so that one
test-case failing won't halt the whole build
dbus (1.8.0-2) unstable; urgency=low
* debian/rules: look for DEB_BUILD_PROFILES, the new name for
DEB_BUILD_PROFILE
* Don't try to install systemd units in a stage1 build (they are
no longer installed unless libsystemd*-dev are found) (Closes: #738317)
* Mark dbus-1-doc with Build-Profiles: !stage1
* Register a dpkg trigger on /usr/share/dbus-1/system-services and
/etc/dbus-1/system.d that calls ReloadConfig on the system dbus-daemon,
in case our inotify monitoring isn't completely reliable (see #740139)
* Clean debian/tmp-udeb in `debian/rules clean`
* Hook up the installed tests to DEP-8 metadata
* Add a simple compile/link/run test
dbus (1.8.0-1) unstable; urgency=low
* New upstream stable release
- add debian/copyright stanzas for some new BSD-licensed cmake macros
dbus (1.7.10-2) unstable; urgency=low
* Conditionalize libaudit and libcap-ng build-dependencies to [linux-any]
* Explicitly enable libaudit, SELinux and systemd on Linux;
do not enable them elsewhere
dbus (1.7.10-1) unstable; urgency=low
* Merge from experimental into unstable
* New upstream release 1.7.10 (1.8 rc1)
* Generate debian/dbus.install from a generic part and a Linux-specific
part, since systemd metadata doesn't get installed on non-Linux any more
dbus (1.7.8-1) experimental; urgency=low
[ Laurent Bigonville ]
* debian/rules: Re-add udeb_configure_flags that were lost during merge
(Closes: #727774)
[ Simon McVittie ]
* Standards-Version: 3.9.5 (no changes needed)
* Enable libaudit support so messages that violate SELinux policy go to the
audit log (Closes: #727771)
* New upstream release
- add new dependency on libsystemd-journal-dev for linux-any
dbus (1.7.6-2) experimental; urgency=low
* debian/rules: FTBFS if new symbols or libraries are added
without updating the symbols file
* debian/copyright: list copyright holders and minor licenses
(Closes: #726000)
* Merge packaging changes from unstable:
- Run `update-rc.d dbus defaults` instead of deprecated
`update-rc.d dbus start ...` (Closes: #725923)
- Add udeb packages, so the graphical installer can use AT-SPI
(Closes: #723952)
- Standards-Version: 3.9.4 (no changes needed)
dbus (1.7.6-1) experimental; urgency=low
* Standards-Version: 3.9.4 (no changes needed)
* New upstream development release
- update symbols
dbus (1.7.4-1) experimental; urgency=low
* New upstream development release
- CVE-2013-2168: avoid a user-triggerable crash (denial of services)
in system services that use libdbus
dbus (1.7.2-1) experimental; urgency=low
* New upstream development release
* Do the debug build --with-valgrind on mipsel, too
dbus (1.7.0-1) experimental; urgency=low
* Branch for experimental
* New upstream development release
* On architectures where it's currently supported, do the
debug build with --with-valgrind for better instrumentation
* debian/rules: factor out production and debug configure flags
* Add support for DEB_BUILD_OPTIONS=nodocs, which omits most documentation
(allowing doxygen and xmlto to be avoided) and the dbus-1-doc package
* Add support for DEB_BUILD_PROFILE=stage1, which does the same as nodocs
and additionally makes the debug build not insist on building all tests
* Make the development and debugging packages Multi-Arch: same,
since their arch-dependent files are all arch-segregated
(/usr/lib/TUPLE) or named according to a build-ID (/usr/lib/debug)
(Closes: #689071). This is not actually useful until pkg-config
becomes M-A: foreign (#631275).
dbus (1.6.18-2) unstable; urgency=medium
* Disable valgrind integration in the debug build on armel,
since valgrind no longer supports armel (Closes: #729136)
dbus (1.6.18-1) unstable; urgency=low
* Run `update-rc.d dbus defaults` instead of deprecated
`update-rc.d dbus start ...` (Closes: #725923)
* debian/rules: FTBFS if new symbols or libraries are added
without updating the symbols file
* debian/copyright: list copyright holders and minor licenses
(Closes: #726000)
* New upstream release 1.6.18
* Standards-Version: 3.9.5 (no changes needed)
-- Tyler Hicks <email address hidden> Fri, 15 Aug 2014 13:37:15 -0500
-
dbus (1.6.18-0ubuntu10) utopic; urgency=medium
* Drop upstart dependency. We ship init scripts for sysv, upstart, and
systemd now. (LP: #1351306)
-- Martin Pitt <email address hidden> Fri, 01 Aug 2014 15:19:20 +0200
-
dbus (1.6.18-0ubuntu9) utopic; urgency=medium
* SECURITY UPDATE: denial of service via activation errors
- debian/patches/CVE-2014-3477.patch: improve error handling in
bus/activation.*, bus/services.c.
- CVE-2014-3477
* SECURITY UPDATE: denial of service via ETOOMANYREFS
- debian/patches/CVE-2014-3532.patch: drop message on ETOOMANYREFS in
dbus/dbus-sysdeps.*, dbus/dbus-transport-socket.c.
- CVE-2014-3532
* SECURITY UPDATE: denial of service via invalid file descriptor
- debian/patches/CVE-2014-3533.patch: fix memory handling in
dbus/dbus-message.c.
- CVE-2014-3533
-- Marc Deslauriers <email address hidden> Thu, 03 Jul 2014 08:28:23 -0400
-
dbus (1.6.18-0ubuntu8) utopic; urgency=medium
* debian/dbus-Xsession: Don't start a session bus if there already is one,
i. e. $DBUS_SESSION_BUS_ADDRESS is already set. (Closes: #681241)
-- Martin Pitt <email address hidden> Tue, 03 Jun 2014 11:07:54 +0200
-
dbus (1.6.18-0ubuntu7) utopic; urgency=medium
* debian/rules: Adjust dbus-send path to our changed install layout.
(LP: #1325364)
-- Martin Pitt <email address hidden> Mon, 02 Jun 2014 09:05:53 +0200
-
dbus (1.6.18-0ubuntu6) utopic; urgency=high
* No change rebuild against new dh_installinit, to call update-rc.d at
postinst.
-- Dimitri John Ledkov <email address hidden> Wed, 28 May 2014 10:39:49 +0100
-
dbus (1.6.18-0ubuntu5) utopic; urgency=medium
* Do not fail starting user-session dbus, if e.g. /home is 100% or
~/.cache is not-writable.
* Make sure that DBUS_SESSION_ADDRESS is only exported, after the
session dbus has been launched.
-- Dimitri John Ledkov <email address hidden> Fri, 02 May 2014 12:00:27 +0100
-
dbus (1.6.18-0ubuntu4) trusty; urgency=medium
* Create ~/.cache/upstart if it doesn't already exist.
Thanks to Ryan Lovett for the patch. (LP: #1300516)
-- Stephane Graber <email address hidden> Tue, 01 Apr 2014 17:53:17 -0400
