UbuntuUpdates.org

Package "dbus-user-session"

Name: dbus-user-session

Description:

simple interprocess messaging system (systemd --user integration)

Latest version: 1.10.6-1ubuntu3.6
Release: xenial (16.04)
Level: security
Repository: universe
Head package: dbus
Homepage: http://dbus.freedesktop.org/

Links


Download "dbus-user-session"


Other versions of "dbus-user-session" in Xenial

Repository Area Version
base universe 1.10.6-1ubuntu3
updates universe 1.10.6-1ubuntu3.6

Changelog

Version: 1.10.6-1ubuntu3.6 2020-06-16 18:06:41 UTC

  dbus (1.10.6-1ubuntu3.6) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via file descriptor leak
    - debian/patches/CVE-2020-12049-1.patch: on MSG_CTRUNC, close the fds
      we did receive in dbus/dbus-sysdeps-unix.c.
    - debian/patches/CVE-2020-12049-2.patch: assert that we don't leak file
      descriptors in test/fdpass.c.
    - CVE-2020-12049

 -- Marc Deslauriers <email address hidden> Thu, 11 Jun 2020 14:26:07 -0400

Source diff to previous version
CVE-2020-12049 An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exc

Version: 1.10.6-1ubuntu3.4 2019-06-11 18:06:15 UTC

  dbus (1.10.6-1ubuntu3.4) xenial-security; urgency=medium

  * SECURITY UPDATE: DBUS_COOKIE_SHA1 implementation flaw
    - d/p/0001-auth-Reject-DBUS_COOKIE_SHA1-for-users-other-than-th.patch:
      reject DBUS_COOKIE_SHA1 for users other than the server owner in
      dbus/dbus-auth.c.
    - d/p/0002-test-Add-basic-test-coverage-for-DBUS_COOKIE_SHA1.patch:
      add basic test coverage for DBUS_COOKIE_SHA1 in
      dbus/dbus-auth-script.c, dbus/dbus-sysdeps-util-unix.c,
      dbus/dbus-sysdeps-util-win.c, dbus/dbus-sysdeps.h, test/Makefile.am,
      test/data/auth/cookie-sha1-username.auth-script,
      test/data/auth/cookie-sha1.auth-script.
    - CVE-2019-12749

 -- Marc Deslauriers <email address hidden> Mon, 10 Jun 2019 14:06:01 -0400

Source diff to previous version
CVE-2019-12749 DBusServer DBUS_COOKIE_SHA1 authentication bypass

Version: 1.10.6-1ubuntu3.1 2016-11-01 18:06:50 UTC

  dbus (1.10.6-1ubuntu3.1) xenial-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution or denial of service via
    format string vulnerability (likely limited to uid 0 only)
    - debian/patches/format_string.patch: do not use non-literal format
      string in bus/activation.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Wed, 12 Oct 2016 08:33:00 -0400




About   -   Send Feedback to @ubuntu_updates