From 5757fd54804b81fe860fafccf6b59b30ec16f3bd Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 2 Jul 2020 10:25:04 +0100 Subject: [PATCH] Update NEWS Signed-off-by: Simon McVittie --- NEWS | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 58098ea..e022c94 100644 --- a/NEWS +++ b/NEWS @@ -1,7 +1,26 @@ dbus 1.12.20 (UNRELEASED) ========================= -... +The “temporary nemesis” release. + +Maybe security fixes: + +• On Unix, avoid a use-after-free if two usernames have the same + numeric uid. In older versions this could lead to a crash (denial of + service) or other undefined behaviour, possibly including incorrect + authorization decisions if is used. + Like Unix filesystems, D-Bus' model of identity cannot distinguish + between users of different names with the same numeric uid, so this + configuration is not advisable on systems where D-Bus will be used. + Thanks to Daniel Onaca. + (dbus#305, dbus!166; Simon McVittie) + +Other fixes: + +• On Solaris and its derivatives, if a cmsg header is truncated, ensure + that we do not overrun the buffer used for fd-passing, even if the + kernel tells us to. + (dbus#304, dbus!165; Andy Fiddaman) dbus 1.12.18 (2020-06-02) ========================= -- 2.7.4
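Review bot: In the use-after-free entry, the clause "possibly including incorrect authorization decisions if is used" has no subject as it appears here, so a reader cannot tell which condition makes the authorization impact reachable, as opposed to the crash. State that condition in words that survive plain-text rendering. Under the "Maybe security fixes:" heading it would also help to say in one sentence who should treat this as a security update: as written, the only stated precondition is two usernames sharing a numeric uid, and the entry does not say whether a system without that configuration is affected at all. The Solaris cmsg entry sits under "Other fixes:" although it describes avoiding a buffer overrun "even if the kernel tells us to"; if that placement is deliberate because the kernel is trusted, a short clause saying so would stop packagers from second-guessing the classification.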