Change logs for dbus source package in Trusty

  • dbus (1.6.18-0ubuntu4.5) trusty; urgency=medium
    
      * debian/patches/unrequested-reply-mediation.patch: Don't let unrequested
        reply messages through and don't audit them. Unrequested reply messages
        are error or method_return messages that are sent from D-Bus connection A
        to D-Bus connection B that do not correspond to any message ever sent by
        D-Bus connection B. They should be quietly dropped as there's no use for
        them outside of malicious activity. Patch based on upstream patches.
        (LP: #1641243)
    
     -- Tyler Hicks <email address hidden>  Wed, 30 Nov 2016 21:44:48 +0000
  • dbus (1.6.18-0ubuntu4.4) trusty-security; urgency=medium
    
      * SECURITY UPDATE: denial of service via ActivationFailure signal race
        - debian/patches/CVE-2015-0245.patch: prevent forged ActivationFailure
          from non-root processes in bus/system.conf.in.
        - CVE-2015-0245
      * SECURITY UPDATE: arbitrary code execution or denial of service via
        format string vulnerability
        - debian/patches/format_string.patch: do not use non-literal format
          string in bus/activation.c.
        - No CVE number
    
     -- Marc Deslauriers <email address hidden>  Wed, 12 Oct 2016 08:33:44 -0400
  • dbus (1.6.18-0ubuntu4.3) trusty-security; urgency=medium
    
      * SECURITY UPDATE: denial of service via large number of fds
        - debian/patches/CVE-2014-7824.patch: raise rlimit and restore it for
          activated services in bus/activation.c, bus/bus.*,
          dbus/dbus-sysdeps-util-unix.c, dbus/dbus-sysdeps-util-win.c,
          dbus/dbus-sysdeps.h.
        - debian/dbus.init: don't launch daemon as a user so the rlimit can be
          raised.
        - CVE-2014-7824
      * SECURITY REGRESSION: authentication timeout on certain slower systems
        - debian/patches/CVE-2014-3639-regression.patch: raise auth_timeout
          back up to 30 secs in bus/config-parser.c, add a warning to
          bus/connection.c.
        - CVE-2014-3639
     -- Marc Deslauriers <email address hidden>   Tue, 25 Nov 2014 14:36:43 -0500
  • dbus (1.6.18-0ubuntu4.2) trusty-security; urgency=medium
    
      * SECURITY UPDATE: buffer overrun via odd max_message_unix_fds
    - debian/patches/CVE-2014-3635.patch: do not extract fds in cmsg padding
      in dbus/dbus-sysdeps-unix.c, allow using _DBUS_STATIC_ASSERT at a
      non-global scope in dbus/dbus-internals.h, dbus/dbus-macros.h.
        - CVE-2014-3635
      * SECURITY UPDATE: denial of service via large number of fds
        - debian/patches/CVE-2014-3636.patch: reduce max number of fds in
          bus/config-parser.c, bus/session.conf.in, dbus/dbus-message.c,
          dbus/dbus-sysdeps.h.
        - CVE-2014-3636
  * SECURITY UPDATE: denial of service via persistent file descriptors
        - debian/patches/CVE-2014-3637.patch: add a timeout to expire pending
          fds in bus/bus.*, bus/config-parser.c, bus/connection.c,
          bus/session.conf.in, cmake/bus/dbus-daemon.xml,
          dbus/dbus-connection-internal.h, dbus/dbus-connection.c,
          dbus/dbus-message-internal.h, dbus/dbus-message-private.h,
          dbus/dbus-message.c, dbus/dbus-transport.*.
        - CVE-2014-3637
      * SECURITY UPDATE: denial of service via large number of pending replies
        - debian/patches/CVE-2014-3638.patch: reduce max_replies_per_connection
          to 128 in bus/config-parser.c.
        - CVE-2014-3638
      * SECURITY UPDATE: denial of service via incomplete connections
        - debian/patches/CVE-2014-3639.patch: reduce auth_timeout in
          bus/config-parser.c, stop listening on DBusServer sockets when
          reaching max_incomplete_connections in bus/bus.*, bus/connection.*,
          dbus/dbus-server-protected.h, dbus/dbus-server.c, dbus/dbus-watch.*.
        - CVE-2014-3639
     -- Marc Deslauriers <email address hidden>   Wed, 17 Sep 2014 10:16:51 -0400
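A simplified model of the reply bookkeeping behind two entries on this page, the unrequested-reply mediation (1.6.18-0ubuntu4.5) and the max_replies_per_connection cap from CVE-2014-3638 (1.6.18-0ubuntu4.2), added here as an illustration and not dbus-daemon's own code: the bus records every outstanding method call, drops method_return or error messages that match no outstanding call, and refuses further calls once a connection already holds 128 pending replies. The Message fields, the Bus class and the rule that every call expects a reply are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

MAX_REPLIES_PER_CONNECTION = 128   # limit chosen by the CVE-2014-3638 patch


@dataclass
class Message:
    sender: str                    # unique name of the sending connection
    destination: str               # unique name of the receiving connection
    kind: str                      # "method_call", "method_return", "error", "signal"
    serial: int                    # serial assigned by the sender
    reply_serial: Optional[int] = None   # for replies: serial of the call answered


class Bus:
    """Minimal reply bookkeeping: who is still owed a reply, and by whom (model)."""

    def __init__(self) -> None:
        # (caller, callee, call serial) for every call that has not been answered
        self.pending: Set[Tuple[str, str, int]] = set()
        # number of outstanding replies owed to each caller
        self.owed: Dict[str, int] = {}

    def dispatch(self, msg: Message) -> str:
        """Decide what the bus does with msg: 'deliver', 'drop' or 'refuse'."""
        if msg.kind == "method_call":
            # Simplification: every call is treated as expecting a reply.
            owed = self.owed.get(msg.sender, 0)
            if owed >= MAX_REPLIES_PER_CONNECTION:
                return "refuse"            # caller would exceed the per-connection cap
            self.pending.add((msg.sender, msg.destination, msg.serial))
            self.owed[msg.sender] = owed + 1
            return "deliver"
        if msg.kind in ("method_return", "error"):
            key = (msg.destination, msg.sender, msg.reply_serial)
            if key not in self.pending:
                return "drop"              # unrequested reply: nobody asked for it
            self.pending.remove(key)       # a call is answered at most once
            self.owed[msg.destination] -= 1
            return "deliver"
        return "deliver"                   # signals carry no reply_serial to check
```

Dropping rather than erroring on an unrequested reply matches the changelog's intent: such a message has no legitimate recipient state to attach to, so it is simply discarded without an audit event.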
  • dbus (1.6.18-0ubuntu4.1) trusty-security; urgency=medium
    
      * SECURITY UPDATE: denial of service via activation errors
        - debian/patches/CVE-2014-3477.patch: improve error handling in
          bus/activation.*, bus/services.c.
        - CVE-2014-3477
      * SECURITY UPDATE: denial of service via ETOOMANYREFS
        - debian/patches/CVE-2014-3532.patch: drop message on ETOOMANYREFS in
          dbus/dbus-sysdeps.*, dbus/dbus-transport-socket.c.
        - CVE-2014-3532
      * SECURITY UPDATE: denial of service via invalid file descriptor
        - debian/patches/CVE-2014-3533.patch: fix memory handling in
          dbus/dbus-message.c.
        - CVE-2014-3533
     -- Marc Deslauriers <email address hidden>   Thu, 03 Jul 2014 08:35:11 -0400
  • dbus (1.6.18-0ubuntu4) trusty; urgency=medium
    
      * Create ~/.cache/upstart if it doesn't already exist.
        Thanks to Ryan Lovett for the patch. (LP: #1300516)
     -- Stephane Graber <email address hidden>   Tue, 01 Apr 2014 17:53:17 -0400
  • dbus (1.6.18-0ubuntu3) trusty; urgency=low
    
      * aa-mediate-eavesdropping.patch: Query AppArmor when confined applications
        attempt to eavesdrop on the bus. See the apparmor.d(5) man page for
        AppArmor syntax details. (LP: #1262440)
      * debian/control: Depend on the apparmor version containing the new
        eavesdrop permission
     -- Tyler Hicks <email address hidden>   Mon, 13 Jan 2014 11:45:21 -0600
  • dbus (1.6.18-0ubuntu2) trusty; urgency=low
    
      [ James Hunt ]
      * debian/dbus.user-session.upstart: Communicate session bus to Upstart
        Session Init to avoid potential out-of-memory scenario triggered by
        Upstart clients that do not run main loops (LP: #1235649, LP: #1252317).
     -- Dmitrijs Ledkovs <email address hidden>   Tue, 19 Nov 2013 11:14:58 +0000
  • dbus (1.6.18-0ubuntu1) trusty; urgency=low
    
      * New upstream version
     -- Sebastien Bacher <email address hidden>   Mon, 11 Nov 2013 18:07:24 +0100
  • dbus (1.6.12-0ubuntu10) saucy; urgency=low
    
      * debian/patches/aa-mediation.patch: Attempt to open() the mask file in
        apparmorfs/features/dbus rather than simply stat() the dbus directory.
        This is an important difference because AppArmor does not mediate the
        stat() syscall. This resulted in problems in an environment where
        dbus-daemon, running inside of an LXC container, did not have the
        necessary AppArmor rules to access apparmorfs but the stat() succeeded
        so mediation was not properly disabled. (LP: #1238267)
        This problem was exposed after dropping aa-kernel-compat-check.patch
        because the compat check was an additional check that performed a test
        query. The test query was failing in the above scenario, which did result
        in mediation being disabled.
      * debian/patches/aa-get-connection-apparmor-security-context.patch,
        debian/patches/aa-mediate-eavesdropping.patch: Refresh these patches to
      accommodate the above change
     -- Tyler Hicks <email address hidden>   Thu, 10 Oct 2013 10:40:26 -0700