X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=NEWS;h=2fca1455a981f9c491670c921586a4787ce8bba8;hb=5c4fb289437d1d80991ae74f689e34fcebb27b31;hp=07a933a40d4aacee80b88cd907965ecb9c596b36;hpb=931a8fa172e295be9b14ee5c5ed7658f3f0d86dd;p=platform%2Fupstream%2Fdbus.git

diff --git a/NEWS b/NEWS
index 07a933a..2fca145 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,66 @@
+dbus 1.12.20 (2020-07-02)
+=========================
+
+The âtemporary nemesisâ release.
+
+Maybe security fixes:
+
+â¢ On Unix, avoid a use-after-free if two usernames have the same
+  numeric uid. In older versions this could lead to a crash (denial of
+  service) or other undefined behaviour, possibly including incorrect
+  authorization decisions if <policy group=...> is used.
+  Like Unix filesystems, D-Bus' model of identity cannot distinguish
+  between users of different names with the same numeric uid, so this
+  configuration is not advisable on systems where D-Bus will be used.
+  Thanks to Daniel Onaca.
+  (dbus#305, dbus!166; Simon McVittie)
+
+Other fixes:
+
+â¢ On Solaris and its derivatives, if a cmsg header is truncated, ensure
+  that we do not overrun the buffer used for fd-passing, even if the
+  kernel tells us to.
+  (dbus#304, dbus!165; Andy Fiddaman)
+
+dbus 1.12.18 (2020-06-02)
+=========================
+
+The âtelepathic vinesâ release.
+
+Denial of service fixes:
+
+â¢ CVE-2020-12049: If a message contains more file descriptors than can
+  be sent, close those that did get through before reporting error.
+  Previously, a local attacker could cause the system dbus-daemon (or
+  another system service with its own DBusServer) to run out of file
+  descriptors, by repeatedly connecting to the server and sending fds that
+  would get leaked.
+  Thanks to Kevin Backhouse of GitHub Security Lab.
+  (dbus#294, GHSL-2020-057; Simon McVittie)
+
+Other fixes:
+
+â¢ Fix a crash when the dbus-daemon is terminated while one or more
+  monitors are active (dbus#291, dbus!140; Simon McVittie)
+
+â¢ The dbus-send(1) man page now documents --bus and --peer instead of
+  the old --address synonym for --peer, which has been deprecated since
+  the introduction of --bus and --peer in 1.7.6
+  (fd.o #48816, dbus!115; Chris Morin)
+
+â¢ Fix a wrong environment variable name in dbus-daemon(1)
+  (dbus#275, dbus!122; Mubin, Philip Withnall)
+
+â¢ Fix formatting of dbus_message_append_args example
+  (dbus!126, Felipe Franciosi)
+
+â¢ Avoid a test failure on Linux when built in a container as uid 0, but
+  without the necessary privileges to increase resource limits
+  (dbus!58, Debian #908092; Simon McVittie)
+
+â¢ When building with CMake, cope with libX11 in a non-standard location
+  (dbus!129, Tuomo Rinne)
+
 dbus 1.12.16 (2019-06-11)
 =========================
 
