Date: Mon, 05 Jan 2015 15:04:05 +0000
From: Simon McVittie <simon.mcvittie@...labora.co.uk>
To: "dbus@...ts.freedesktop.org" <dbus@...ts.freedesktop.org>, 
 ftp-release <ftp-release@...ts.freedesktop.org>
CC: oss-security@...ts.openwall.com
Subject: Announcing D-Bus 1.8.14

The “40lb of roofing nails” release.

This is a bugfix release for the current stable branch, 1.8.x, adding
security hardening to mitigate faulty third-party security policy files
such as CVE-2014-8148. Please upgrade unless you have a reason to keep
using an older branch.

http://dbus.freedesktop.org/releases/dbus/dbus-1.8.14.tar.gz
http://dbus.freedesktop.org/releases/dbus/dbus-1.8.14.tar.gz.asc
git tag: dbus-1.8.14
git branch: dbus-1.8

Security hardening:

• Do not allow calls to UpdateActivationEnvironment from uids other than
  the uid of the dbus-daemon. If a system service installs unsafe
  security policy rules that allow arbitrary method calls
  (such as CVE-2014-8148) then this prevents memory consumption and
  possible privilege escalation via UpdateActivationEnvironment.

  We believe that in practice, privilege escalation here is avoided
  by dbus-daemon-launch-helper sanitizing its environment; but
  it seems better to be safe.

• Do not allow calls to UpdateActivationEnvironment or the Stats
  interface on object paths other than /org/freedesktop/DBus. Some
  system services install unsafe security policy rules that allow
  arbitrary method calls to any destination, method and interface with
  a specified object path; while less bad than allowing arbitrary
  method calls, these security policies are still harmful, since
  dbus-daemon normally offers the same API on all object paths and
  other system services might behave similarly.

Other fixes:

• Add missing initialization so GetExtendedTcpTable doesn't crash on
  Windows Vista SP0 (fd.o #77008, Илья А. Ткаченко)

-- 
Simon McVittie, Collabora Ltd. / Debian
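As an added example (not part of the announcement or of dbus itself), a small Python audit that reads a D-Bus bus-policy fragment and flags `<allow>` rules that grant send permission without pinning a `send_destination`, which is the shape of rule the announcement describes as exposing dbus-daemon's own API on every object path; the embedded sample policy and the bus name `org.example.Service` are constructed.

```python
"""Audit a D-Bus bus-policy fragment for over-broad <allow> send rules.

dbus-daemon evaluates <allow>/<deny> rules per message. A rule that only
selects on send_interface, send_member, send_path or send_type applies to
*every* destination, including the bus driver org.freedesktop.DBus, so it
effectively permits arbitrary method calls for that selector.
"""
import xml.etree.ElementTree as ET


def is_pinned(rule: ET.Element) -> bool:
    """True when the rule names one concrete destination bus name."""
    dest = rule.get("send_destination")
    return dest is not None and dest != "*"


def audit_policy(xml_text: str) -> list[str]:
    """Return one finding per <allow> rule that grants sending without a
    concrete send_destination. The enclosing <policy> scope is reported so
    the reader can judge which callers the rule exposes."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        scope = " ".join(f'{k}="{v}"' for k, v in policy.attrib.items()) or "(unscoped)"
        for rule in policy.findall("allow"):
            # Only send_* attributes grant outbound traffic; own=/receive_* do not.
            if not any(k.startswith("send_") for k in rule.attrib):
                continue
            if is_pinned(rule):
                continue
            attrs = " ".join(f'{k}="{v}"' for k, v in rule.attrib.items())
            findings.append(
                f"<policy {scope}>: <allow {attrs}/> has no concrete "
                "send_destination; it applies to every bus name, including the bus driver")
    return findings


# Constructed sample: one correctly pinned rule and three over-broad ones.
SAMPLE_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.example.Service"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.Service" send_interface="org.example.Service.Public"/>
    <allow send_interface="org.example.Service.Public"/>
    <allow send_path="/org/example/Service"/>
    <allow send_type="method_call"/>
  </policy>
</busconfig>"""

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

Point the script at the contents of a file under /etc/dbus-1/system.d/ to review what a package installs; the rule pinned to `send_destination` is the form the dbus-daemon documentation recommends.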
