-dbus 1.12.16 (UNRELEASED)
+dbus 1.12.20 (2020-07-02)
=========================
-...
+The “temporary nemesis” release.
+
+Maybe security fixes:
+
+• On Unix, avoid a use-after-free if two usernames have the same
+ numeric uid. In older versions this could lead to a crash (denial of
+ service) or other undefined behaviour, possibly including incorrect
+ authorization decisions if <policy group=...> is used.
+ Like Unix filesystems, D-Bus' model of identity cannot distinguish
+ between users of different names with the same numeric uid, so this
+ configuration is not advisable on systems where D-Bus will be used.
+ Thanks to Daniel Onaca.
+ (dbus#305, dbus!166; Simon McVittie)
+
+Other fixes:
+
+• On Solaris and its derivatives, if a cmsg header is truncated, ensure
+ that we do not overrun the buffer used for fd-passing, even if the
+ kernel tells us to.
+ (dbus#304, dbus!165; Andy Fiddaman)
+
+dbus 1.12.18 (2020-06-02)
+=========================
+
+The “telepathic vines” release.
+
+Denial of service fixes:
+
+• CVE-2020-12049: If a message contains more file descriptors than can
+ be sent, close those that did get through before reporting error.
+ Previously, a local attacker could cause the system dbus-daemon (or
+ another system service with its own DBusServer) to run out of file
+ descriptors, by repeatedly connecting to the server and sending fds that
+ would get leaked.
+ Thanks to Kevin Backhouse of GitHub Security Lab.
+ (dbus#294, GHSL-2020-057; Simon McVittie)
+
+Other fixes:
+
+• Fix a crash when the dbus-daemon is terminated while one or more
+ monitors are active (dbus#291, dbus!140; Simon McVittie)
+
+• The dbus-send(1) man page now documents --bus and --peer instead of
+ the old --address synonym for --peer, which has been deprecated since
+ the introduction of --bus and --peer in 1.7.6
+ (fd.o #48816, dbus!115; Chris Morin)
+
+• Fix a wrong environment variable name in dbus-daemon(1)
+ (dbus#275, dbus!122; Mubin, Philip Withnall)
+
+• Fix formatting of dbus_message_append_args example
+ (dbus!126, Felipe Franciosi)
+
+• Avoid a test failure on Linux when built in a container as uid 0, but
+ without the necessary privileges to increase resource limits
+ (dbus!58, Debian #908092; Simon McVittie)
+
+• When building with CMake, cope with libX11 in a non-standard location
+ (dbus!129, Tuomo Rinne)
+
+dbus 1.12.16 (2019-06-11)
+=========================
+
+The “tree cat” release.
+
+Security fixes:
+
+• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
+ authentication for identities that differ from the user running the
+ DBusServer. Previously, a local attacker could manipulate symbolic
+ links in their own home directory to bypass authentication and connect
+ to a DBusServer with elevated privileges. The standard system and
+ session dbus-daemons in their default configuration were immune to this
+ attack because they did not allow DBUS_COOKIE_SHA1, but third-party
+ users of DBusServer such as Upstart could be vulnerable.
+ Thanks to Joe Vennix of Apple Information Security.
+ (dbus#269, Simon McVittie)
dbus 1.12.14 (2019-05-17)
=========================
projects / platform / upstream / dbus.git / blobdiff