Date: Mon, 05 Jan 2015 15:04:05 +0000
From: Simon McVittie <simon.mcvittie@...labora.co.uk>
To: "dbus@...ts.freedesktop.org" <dbus@...ts.freedesktop.org>, ftp-release <ftp-release@...ts.freedesktop.org>
CC: oss-security@...ts.openwall.com
Subject: Announcing D-Bus 1.8.14

The “40lb of roofing nails” release.

This is a bugfix release for the current stable branch, 1.8.x, adding security hardening to mitigate faulty third-party security policy files such as CVE-2014-8148. Please upgrade unless you have a reason to keep using an older branch.

http://dbus.freedesktop.org/releases/dbus/dbus-1.8.14.tar.gz
http://dbus.freedesktop.org/releases/dbus/dbus-1.8.14.tar.gz.asc

git tag: dbus-1.8.14
git branch: dbus-1.8

Security hardening:

• Do not allow calls to UpdateActivationEnvironment from uids other than the uid of the dbus-daemon. If a system service installs unsafe security policy rules that allow arbitrary method calls (such as CVE-2014-8148) then this prevents memory consumption and possible privilege escalation via UpdateActivationEnvironment. We believe that in practice, privilege escalation here is avoided by dbus-daemon-launch-helper sanitizing its environment; but it seems better to be safe.

• Do not allow calls to UpdateActivationEnvironment or the Stats interface on object paths other than /org/freedesktop/DBus. Some system services install unsafe security policy rules that allow arbitrary method calls to any destination, method and interface with a specified object path; while less bad than allowing arbitrary method calls, these security policies are still harmful, since dbus-daemon normally offers the same API on all object paths and other system services might behave similarly.

Other fixes:

• Add missing initialization so GetExtendedTcpTable doesn't crash on Windows Vista SP0 (fd.o #77008, Илья А. Ткаченко)

-- 
Simon McVittie, Collabora Ltd. / Debian
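As an added example (not part of the announcement or of the dbus project), the following Python audits a busconfig policy file for the kind of over-broad `<allow>` rule the hardening above is defending against: rules that restrict only `send_path`, `send_interface`, `send_type` and so on but name no `send_destination`, and therefore let matching messages reach dbus-daemon's own API and every other service on the bus. The sample policy and the `com.example.Service` names are constructed for the demonstration; the check is a heuristic and does not model `<deny>` rules or rule ordering.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy file (not from any real package): one rule scoped
# to a bus name, one rule constrained only by object path, one by message type.
SAMPLE_POLICY = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="com.example.Service"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.example.Service"
           send_interface="com.example.Service.Manager"/>
    <allow send_path="/com/example/Service"/>
    <allow send_type="method_call"/>
  </policy>
</busconfig>
"""

# Attributes of an <allow> rule that make it a rule about sending messages.
SEND_ATTRS = ("send_destination", "send_interface", "send_member",
              "send_path", "send_type", "send_error")


def audit_policy(xml_text):
    """Return [(policy_scope, rule_attributes)] for every <allow> rule that
    governs sending but carries no send_destination.  Without a destination
    the rule matches messages to any bus name, including org.freedesktop.DBus
    itself, regardless of how narrowly the path or interface is specified."""
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter("policy"):
        # e.g. "context=default" or "user=root"; who the rules apply to.
        scope = ", ".join(f"{k}={v}" for k, v in policy.attrib.items()) or "(unscoped)"
        for rule in policy.findall("allow"):
            attrs = dict(rule.attrib)
            if not any(a in attrs for a in SEND_ATTRS):
                continue  # own=/receive_* rules are not send permissions
            if "send_destination" in attrs:
                continue  # scoped to one bus name: not the pattern of concern
            findings.append((scope, attrs))
    return findings


if __name__ == "__main__":
    for scope, attrs in audit_policy(SAMPLE_POLICY):
        print(f"over-broad <allow> in policy {scope}: {attrs}")
```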