Prepare version 1.12.16

Signed-off-by: Simon McVittie <smcv@collabora.com>

diff --git a/NEWS b/NEWS
index f746568..07a933a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,7 +1,20 @@
-dbus 1.12.16 (UNRELEASED)
+dbus 1.12.16 (2019-06-11)
 =========================
 
-...
+The “tree cat” release.
+
+Security fixes:
+
+• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
+  authentication for identities that differ from the user running the
+  DBusServer. Previously, a local attacker could manipulate symbolic
+  links in their own home directory to bypass authentication and connect
+  to a DBusServer with elevated privileges. The standard system and
+  session dbus-daemons in their default configuration were immune to this
+  attack because they did not allow DBUS_COOKIE_SHA1, but third-party
+  users of DBusServer such as Upstart could be vulnerable.
+  Thanks to Joe Vennix of Apple Information Security.
+  (dbus#269, Simon McVittie)
 
 dbus 1.12.14 (2019-05-17)
 =========================

diff --git a/configure.ac b/configure.ac
index e7c408a..d1e3a29 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -3,7 +3,7 @@ AC_PREREQ([2.63])
 
 m4_define([dbus_major_version], [1])
 m4_define([dbus_minor_version], [12])
-m4_define([dbus_micro_version], [15])
+m4_define([dbus_micro_version], [16])
 m4_define([dbus_version],
           [dbus_major_version.dbus_minor_version.dbus_micro_version])
 AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
@@ -42,7 +42,7 @@ LT_CURRENT=22
 
 ## increment any time the source changes; set to
 ##  0 if you increment CURRENT
-LT_REVISION=10
+LT_REVISION=11
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has