Change logs for dbus source package in Xenial

  • dbus (1.10.6-1ubuntu3.6) xenial-security; urgency=medium
    
      * SECURITY UPDATE: DoS via file descriptor leak
        - debian/patches/CVE-2020-12049-1.patch: on MSG_CTRUNC, close the fds
          we did receive in dbus/dbus-sysdeps-unix.c.
        - debian/patches/CVE-2020-12049-2.patch: assert that we don't leak file
          descriptors in test/fdpass.c.
        - CVE-2020-12049
    
     -- Marc Deslauriers <email address hidden>  Thu, 11 Jun 2020 14:26:07 -0400
  • dbus (1.10.6-1ubuntu3.5) xenial; urgency=medium
    
      * Prevent logind from leaking session files (LP: #1846787). Fixed by
        upstream patches:
        - d/p/Only-read-one-message-at-a-time-if-there-are-fds-pen.patch
        - d/p/bus-Fix-timeout-restarts.patch
        - d/p/DBusMainLoop-ensure-all-required-timeouts-are-restar.patch
    
     -- Heitor Alves de Siqueira <email address hidden>  Mon, 07 Oct 2019 08:29:04 -0300
  • dbus (1.10.6-1ubuntu3.4) xenial-security; urgency=medium
    
      * SECURITY UPDATE: DBUS_COOKIE_SHA1 implementation flaw
        - d/p/0001-auth-Reject-DBUS_COOKIE_SHA1-for-users-other-than-th.patch:
          reject DBUS_COOKIE_SHA1 for users other than the server owner in
          dbus/dbus-auth.c.
        - d/p/0002-test-Add-basic-test-coverage-for-DBUS_COOKIE_SHA1.patch:
          add basic test coverage for DBUS_COOKIE_SHA1 in
          dbus/dbus-auth-script.c, dbus/dbus-sysdeps-util-unix.c,
          dbus/dbus-sysdeps-util-win.c, dbus/dbus-sysdeps.h, test/Makefile.am,
          test/data/auth/cookie-sha1-username.auth-script,
          test/data/auth/cookie-sha1.auth-script.
        - CVE-2019-12749
    
     -- Marc Deslauriers <email address hidden>  Mon, 10 Jun 2019 14:06:01 -0400
  • dbus (1.10.6-1ubuntu3.3) xenial; urgency=medium
    
      * debian/dbus.user-session.upstart:
        - Temporarily revert latest changes as those seem to cause issues in the
          unity8 session on touch (LP: #1654241).
    
     -- Łukasz 'sil2100' Zemczak <email address hidden>  Thu, 12 Jan 2017 19:01:21 +0100
  • dbus (1.10.6-1ubuntu3.2) xenial; urgency=medium
    
      [ Iain Lane ]
      * debian/dbus.user-session.upstart: Backport zesty's version - don't launch
        a duplicate session bus if there already is one (dbus-user-session). (LP:
        #1644323)
    
      [ Łukasz 'sil2100' Zemczak ]
      * debian/patches/make-uid-0-immune-to-timeout.patch:
        - Backport fix proposed by Simon McVittie upstream to work around bug
          LP: #1591411.
    
     -- Iain Lane <email address hidden>  Wed, 30 Nov 2016 10:48:01 +0000
  • dbus (1.10.6-1ubuntu3.1) xenial-security; urgency=medium
    
      * SECURITY UPDATE: arbitrary code execution or denial of service via
        format string vulnerability (likely limited to uid 0 only)
        - debian/patches/format_string.patch: do not use non-literal format
          string in bus/activation.c.
        - No CVE number
    
     -- Marc Deslauriers <email address hidden>  Wed, 12 Oct 2016 08:33:00 -0400
  • dbus (1.10.6-1ubuntu3) xenial; urgency=medium
    
      * debian/dbus.preinst: divert the dbus-daemon-launch-helper if upgrading
        from < 1.9.4-2~. This will make sure we keep the setuid bit during upgrade.
        (LP: #1555237)
      * debian/dbus.postinst: remove diversion.
    
     -- Mathieu Trudel-Lapierre <email address hidden>  Thu, 31 Mar 2016 15:07:46 -0400
  • dbus (1.10.6-1ubuntu2) xenial; urgency=medium
    
      * dont-stop-dbus.patch: Disallow manual (re)starts, as we don't (want to)
        stop D-Bus on shutdown. (LP: #1540282)
      * debian/rules: Don't start D-Bus on package installation, as that doesn't
        work any more with the above. Instead, start dbus.socket in postinst,
        which will then start D-Bus on demand after package installation.
    
     -- Martin Pitt <email address hidden>  Thu, 11 Feb 2016 12:58:02 +0100
  • dbus (1.10.6-1ubuntu1) xenial; urgency=low
    
      * Merge with Debian, remaining changes:
        - Add upstart jobs; Upstart is still supported for the system init.
          + Add debian/dbus.upstart and dbus.user-session.upstart
        - Add debian/patches/dont-stop-dbus.patch: Don't stop D-Bus in the service
          unit (see patch header and upstream bug for details). Fixes various
          causes of shutdown hangs, particularly with remote file systems. (LP:
          #1438612)
        - aa-get-connection-apparmor-security-context.patch: This is not
          intended for upstream inclusion. It implements a bus method
          (GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
          security context but upstream D-Bus has recently added a generic way of
          getting a connection's security credentials (GetConnectionCredentials).
          Ubuntu should carry this patch until packages in the archive are moved
          over to the new, generic method of getting a connection's credentials.
    
    dbus (1.10.6-1) unstable; urgency=medium
    
      * New upstream stable release 1.10.6
        - fixes regression tests when run as root (Closes: #806305)
      * When removing dbus.target.wants (for #757913), do not fail if it does
        not exist. This should fix FTBFS on non-Linux kernels, and in stage1
        Linux builds (Closes: #805513)
      * debian/libdbus-1-3.symbols.in: use a regex for private symbols, so
        that this packaging can be used for snapshots of dbus where
        DEB_VERSION_UPSTREAM does not necessarily match Autoconf's VERSION
    
     -- Iain Lane <email address hidden>  Thu, 03 Dec 2015 16:19:34 +0000
  • dbus (1.10.4-1ubuntu2) xenial; urgency=medium
    
      * debian/patches/0001-uid-permissions-test-don-t-assert-that-root-can-Upda.patch:
        Take patch from fd.o bug #119997 to resolve 'root' test failure - root can
        no longer call UpdateActivationEnvironment. Check using BecomeMonitor that
        root and messagebus are privileged.
    
     -- Iain Lane <email address hidden>  Mon, 23 Nov 2015 12:51:40 +0000
  • dbus (1.10.4-1ubuntu1) xenial; urgency=low
    
      * Merge with Debian, remaining changes:
        - Add upstart jobs; Upstart is still supported for the system init.
          + Add debian/dbus.upstart and dbus.user-session.upstart
        - Add debian/patches/dont-stop-dbus.patch: Don't stop D-Bus in the service
          unit (see patch header and upstream bug for details). Fixes various
          causes of shutdown hangs, particularly with remote file systems. (LP:
          #1438612)
        - aa-get-connection-apparmor-security-context.patch: This is not
          intended for upstream inclusion. It implements a bus method
          (GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
          security context but upstream D-Bus has recently added a generic way of
          getting a connection's security credentials (GetConnectionCredentials).
          Ubuntu should carry this patch until packages in the archive are moved
          over to the new, generic method of getting a connection's credentials.
      * debian/rules, debian/dbus.install: Modify upstart session job installation
        to use dh-exec instead of editing debian/rules
    
    dbus (1.10.4-1) unstable; urgency=medium
    
      * New upstream stable release 1.10.4
      * prerm: clean up /etc/dbus-1/s*.conf compat symlinks on remove.
        We only remove them if they match what the package sets up, so
        we do not need to distinguish between remove and purge.
      * prerm: also clean up /etc/dbus-1/s*.conf symlinks before downgrading
        to a version << 1.10.2-1, so that the dbus-daemon will not fail to reload
        or start after the downgrade. Please note that downgrading packages remains
        an unsupported action. (Closes: #804183)
      * postrm: clean up /etc/dbus-1/s*.conf on purge, even if their targets
        do not match what is expected (Closes: #803441)
      * dbus.install: use dh-exec to mark systemd-related files for [linux-any],
        instead of constructing dbus.install programmatically
      * dbus-1-dbg.links: use dh-exec instead of sh
      * Stop installing dbus.target.wants/dbus.socket, since dbus.target no
        longer exists in systemd. sockets.target covers that, and is part
        of the DefaultDependencies anyway (Closes: #757913)
      * Simplify dh_install override, and remove dh_link override altogether,
        by using dh-exec
    
    dbus (1.10.2-1) unstable; urgency=medium
    
      * New upstream stable release 1.10.2
      * Touch /var/run/reboot-required on upgrade, even if neither
        reboot-notifier nor update-notifier-common is installed.
        Various other tools look for this file. (Closes: #799396)
      * Allow dbus-daemon (<< 1.9.18) to reload bus setup and configuration
        again (follow-up for #793519). This means that if an upgrade
        from jessie to stretch pulls in a new system service, dbus-daemon
        will load the configuration that allows that system service to work,
        even before the system has been rebooted to use the new dbus-daemon.
        - if /etc/dbus-1/s*.conf have been modified, move them to
          /etc/dbus-1/s*.conf.dpkg-bak; if not, delete them
        - patch /usr/share/dbus-1/s*.conf to include
          /etc/dbus-1/s*.conf.dpkg-bak instead of /etc/dbus-1/s*.conf
        - add new symlinks /etc/dbus-1/s*.conf -> /usr/share/dbus-1/s*.conf
          so that the old dbus-daemon will load the new bus setup
      * Remove Breaks and upgrade code for versions older than oldstable
    
    dbus (1.10.0-3) unstable; urgency=medium
    
      * Put the entire debug build in an arch-specific directory, so
        dbus-1-dbg can continue to be Multi-Arch: same (Closes: #798748)
      * Record that Iain's change in 1.10.0-1 closed #796165
    
    dbus (1.10.0-2) unstable; urgency=medium
    
      * dbus-user-session Breaks versions of dbus-x11 that would incorrectly
        try to start a second bus (Closes: #797678)
      * dbus-user-session Breaks versions of policykit-1 and udisks2 that
        work poorly with user sessions
      * Upload to unstable
    
     -- Iain Lane <email address hidden>  Thu, 19 Nov 2015 12:19:17 +0000
  • dbus (1.10.0-1ubuntu1) wily; urgency=medium
    
      * Merge with Debian, remaining changes:
        - Add upstart jobs; Upstart is still supported for the system init.
          + Add debian/dbus.upstart and dbus.user-session.upstart
        - Add debian/patches/dont-stop-dbus.patch: Don't stop D-Bus in the service
          unit (see patch header and upstream bug for details). Fixes various
          causes of shutdown hangs, particularly with remote file systems. (LP:
          #1438612)
        - aa-get-connection-apparmor-security-context.patch: This is not
          intended for upstream inclusion. It implements a bus method
          (GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
          security context but upstream D-Bus has recently added a generic way of
          getting a connection's security credentials (GetConnectionCredentials).
          Ubuntu should carry this patch until packages in the archive are moved
          over to the new, generic method of getting a connection's credentials.
    
    dbus (1.10.0-1) experimental; urgency=medium
    
      [ Iain Lane ]
      * debian/dbus.postinst: Check if /run/dbus exists before writing to a file
        there. If it doesn't then the system bus isn't running so we don't have
        anything to restart anyway.
    
      [ Simon McVittie ]
      * New upstream stable release.
      * Continue to upload to experimental for now, to avoid the shlibs bump
        making the libstdc++ transition any worse than it already is.
    
     -- Iain Lane <email address hidden>  Tue, 01 Sep 2015 17:35:32 +0100