UbuntuUpdates.org

Package "dbus"

Name: dbus

Description:

simple interprocess messaging system (daemon and utilities)

Latest version: 1.6.18-0ubuntu4.4
Release: trusty (14.04)
Level: security
Repository: main
Homepage: http://dbus.freedesktop.org/

Other versions of "dbus" in Trusty

Repository  Area  Version
base        main  1.6.18-0ubuntu4
updates     main  1.6.18-0ubuntu4.5

Changelog

Version: 1.6.18-0ubuntu4.4 2016-11-01 18:06:49 UTC

  dbus (1.6.18-0ubuntu4.4) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via ActivationFailure signal race
    - debian/patches/CVE-2015-0245.patch: prevent forged ActivationFailure
      from non-root processes in bus/system.conf.in.
    - CVE-2015-0245
  * SECURITY UPDATE: arbitrary code execution or denial of service via
    format string vulnerability
    - debian/patches/format_string.patch: do not use non-literal format
      string in bus/activation.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Wed, 12 Oct 2016 08:33:44 -0400

CVE-2015-0245 D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, whic

Version: 1.6.18-0ubuntu4.3 2014-11-27 16:06:28 UTC

  dbus (1.6.18-0ubuntu4.3) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via large number of fds
    - debian/patches/CVE-2014-7824.patch: raise rlimit and restore it for
      activated services in bus/activation.c, bus/bus.*,
      dbus/dbus-sysdeps-util-unix.c, dbus/dbus-sysdeps-util-win.c,
      dbus/dbus-sysdeps.h.
    - debian/dbus.init: don't launch daemon as a user so the rlimit can be
      raised.
    - CVE-2014-7824
  * SECURITY REGRESSION: authentication timeout on certain slower systems
    - debian/patches/CVE-2014-3639-regression.patch: raise auth_timeout
      back up to 30 secs in bus/config-parser.c, add a warning to
      bus/connection.c.
    - CVE-2014-3639

 -- Marc Deslauriers <email address hidden> Tue, 25 Nov 2014 14:36:43 -0500

CVE-2014-7824 D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of n
CVE-2014-3639 The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of

Version: 1.6.18-0ubuntu4.2 2014-09-22 18:07:15 UTC

  dbus (1.6.18-0ubuntu4.2) trusty-security; urgency=medium

  * SECURITY UPDATE: buffer overrun via odd max_message_unix_fds
    - debian/patches/CVE-2014-3635.patch: do not extra fds in cmsg padding
      in dbus/dbus-sysdeps-unix.c, allow using _DBUS_STATIC_ASSERT at a
      non-global scope in dbus/dbus-internals.h, dbus/dbus-macros.h.
    - CVE-2014-3635
  * SECURITY UPDATE: denial of service via large number of fds
    - debian/patches/CVE-2014-3636.patch: reduce max number of fds in
      bus/config-parser.c, bus/session.conf.in, dbus/dbus-message.c,
      dbus/dbus-sysdeps.h.
    - CVE-2014-3636
  * SECURITY UPDATE: denial of service via persistent file descriptors
    - debian/patches/CVE-2014-3637.patch: add a timeout to expire pending
      fds in bus/bus.*, bus/config-parser.c, bus/connection.c,
      bus/session.conf.in, cmake/bus/dbus-daemon.xml,
      dbus/dbus-connection-internal.h, dbus/dbus-connection.c,
      dbus/dbus-message-internal.h, dbus/dbus-message-private.h,
      dbus/dbus-message.c, dbus/dbus-transport.*.
    - CVE-2014-3637
  * SECURITY UPDATE: denial of service via large number of pending replies
    - debian/patches/CVE-2014-3638.patch: reduce max_replies_per_connection
      to 128 in bus/config-parser.c.
    - CVE-2014-3638
  * SECURITY UPDATE: denial of service via incomplete connections
    - debian/patches/CVE-2014-3639.patch: reduce auth_timeout in
      bus/config-parser.c, stop listening on DBusServer sockets when
      reaching max_incomplete_connections in bus/bus.*, bus/connection.*,
      dbus/dbus-server-protected.h, dbus/dbus-server.c, dbus/dbus-watch.*.
    - CVE-2014-3639

 -- Marc Deslauriers <email address hidden> Wed, 17 Sep 2014 10:16:51 -0400

Version: 1.6.18-0ubuntu4.1 2014-07-08 18:06:28 UTC

  dbus (1.6.18-0ubuntu4.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via activation errors
    - debian/patches/CVE-2014-3477.patch: improve error handling in
      bus/activation.*, bus/services.c.
    - CVE-2014-3477
  * SECURITY UPDATE: denial of service via ETOOMANYREFS
    - debian/patches/CVE-2014-3532.patch: drop message on ETOOMANYREFS in
      dbus/dbus-sysdeps.*, dbus/dbus-transport-socket.c.
    - CVE-2014-3532
  * SECURITY UPDATE: denial of service via invalid file descriptor
    - debian/patches/CVE-2014-3533.patch: fix memory handling in
      dbus/dbus-message.c.
    - CVE-2014-3533

 -- Marc Deslauriers <email address hidden> Thu, 03 Jul 2014 08:35:11 -0400

CVE-2014-3477 The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and ...
CVE-2014-3532 DoS
CVE-2014-3533 DoS