This partially addresses CVE-2014-3639.
This will change the default on the system bus where the limit
<limit name="auth_timeout">...</limit>
is not specified.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919
Reviewed-by: Thiago Macieira <thiago@kde.org>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* and legitimate auth will fail. If interactive auth (ask user for
* password) is allowed, then potentially it has to be quite long.
*/
- parser->limits.auth_timeout = 30000; /* 30 seconds */
+ parser->limits.auth_timeout = 5000; /* 5 seconds */
parser->limits.max_incomplete_connections = 64;
parser->limits.max_connections_per_user = 256;