Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package dbus-1 for openSUSE:Factory checked in at 2022-10-27 13:54:08

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dbus-1 (Old)
 and      /work/SRC/openSUSE:Factory/.dbus-1.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dbus-1"

Thu Oct 27 13:54:08 2022 rev:175 rq:1031295 version:1.14.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/dbus-1/dbus-1-devel-doc.changes 2022-10-17 14:57:25.390060836 +0200
+++ /work/SRC/openSUSE:Factory/.dbus-1.new.2275/dbus-1-devel-doc.changes 2022-10-27 13:54:46.648752712 +0200
@@ -1,0 +2,57 @@ +Wed Oct 26 08:53:48 UTC 2022 - Dirk M??ller <dmuel...@suse.com> + +- update to 1.14.4 (bsc#1204111, CVE-2022-42010, + bsc#1204112, CVE-2022-42011, + bsc#1204113, CVE-2022-42012): + This is a security update for the dbus 1.14.x stable branch, fixing + denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying + security hardening (dbus#416). + Behaviour changes: + * On Linux, dbus-daemon and other uses of DBusServer now create a + path-based Unix socket, unix:path=..., when asked to listen on a + unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to + unix:dir=... on all platforms. + Previous versions would have created an abstract socket, unix:abstract=..., + in this situation. + This change primarily affects the well-known session bus when run via + dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring + dbus with --enable-user-session and running it on a systemd system, + already used path-based Unix sockets and is unaffected by this change. + This behaviour change prevents a sandbox escape via the session bus socket + in sandboxing frameworks that can share the network namespace with the host + system, such as Flatpak. + This change might cause a regression in situations where the abstract socket + is intentionally shared between the host system and a chroot or container, + such as some use-cases of schroot(1). That regression can be resolved by + using a bind-mount to share either the D-Bus socket, or the whole /tmp + directory, with the chroot or container. + (dbus#416, Simon McVittie) + * Denial of service fixes: + - Evgeny Vereshchagin discovered several ways in which an authenticated + local attacker could cause a crash (denial of service) in + dbus-daemon --system or a custom DBusServer. In uncommon configurations + these could potentially be carried out by an authenticated remote attacker. 
+ - An invalid array of fixed-length elements where the length of the array + is not a multiple of the length of the element would cause an assertion + failure in debug builds or an out-of-bounds read in production builds. + This was a regression in version 1.3.0. + (dbus#413, CVE-2022-42011; Simon McVittie) + - A syntactically invalid type signature with incorrectly nested parentheses + and curly brackets would cause an assertion failure in debug builds. + Similar messages could potentially result in a crash or incorrect message + processing in a production build, although we are not aware of a practical + example. (dbus#418, CVE-2022-42010; Simon McVittie) + - A message in non-native endianness with out-of-band Unix file descriptors + would cause a use-after-free and possible memory corruption in production + builds, or an assertion failure in debug builds. This was a regression in + version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie) + - Preserve errno on failure to open /proc/self/oom_score_adj + (dbus!285, Gentoo#834725; Mike Gilbert) + - On Linux, don't log warnings if oom_score_adj is read-only but does not + need to be changed (dbus!291, Simon McVittie) + - Slightly improve error-handling for inotify + (dbus!235, Simon McVittie) + - Don't crash if dbus-daemon is asked to watch more than 128 directories + for changes (dbus!302, Jan Tojnar) + +------------------------------------------------------------------- dbus-1-x11.changes: same change dbus-1.changes: same change Old: ---- dbus-1.14.0.tar.xz dbus-1.14.0.tar.xz.asc New: ---- dbus-1.14.4.tar.xz dbus-1.14.4.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dbus-1-devel-doc.spec ++++++ --- /var/tmp/diff_new_pack.7nunzi/_old 2022-10-27 13:54:47.540757262 +0200 +++ /var/tmp/diff_new_pack.7nunzi/_new 2022-10-27 13:54:47.548757303 +0200 
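Review bot: the items from "- Preserve errno on failure to open /proc/self/oom_score_adj" through "- Don't crash if dbus-daemon is asked to watch more than 128 directories" sit at the same bullet level as the three CVE entries under "* Denial of service fixes:", so a reader scanning the changelog will take the errno, oom_score_adj, inotify and directory-watch changes for denial-of-service fixes; add a separating heading such as "* Other fixes:" (or indent the CVE entries one level deeper) so the CVE-2022-42010/42011/42012 block stands on its own. The author line "Dirk M??ller" has a mis-encoded umlaut and should be written as UTF-8 in the .changes file. The first behaviour-change bullet describes a user-visible change (unix:tmpdir=... now yields a path-based socket instead of unix:abstract=...) whose mitigation for schroot-style setups is a bind-mount of the socket or /tmp; since that is something administrators must act on, consider surfacing it in the package's update notice rather than only here, and, as the Version line jumps straight from 1.14.0 to 1.14.4 while the entry only describes 1.14.4, confirm no intermediate upstream release is being skipped silently.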
@@ -23,7 +23,7 @@ %global _backup %{_sysconfdir}/sysconfig/services.rpmbak.%{name}-%{version}-%{release} %bcond_without selinux Name: dbus-1-devel-doc -Version: 1.14.0 +Version: 1.14.4 Release: 0 Summary: Developer documentation package for D-Bus License: AFL-2.1 OR GPL-2.0-or-later ++++++ dbus-1-x11.spec ++++++ --- /var/tmp/diff_new_pack.7nunzi/_old 2022-10-27 13:54:47.572757426 +0200 +++ /var/tmp/diff_new_pack.7nunzi/_new 2022-10-27 13:54:47.580757466 +0200 @@ -23,7 +23,7 @@ %endif %bcond_without selinux Name: dbus-1-x11 -Version: 1.14.0 +Version: 1.14.4 Release: 0 Summary: D-Bus Message Bus System License: AFL-2.1 OR GPL-2.0-or-later ++++++ dbus-1.spec ++++++ --- /var/tmp/diff_new_pack.7nunzi/_old 2022-10-27 13:54:47.608757610 +0200 +++ /var/tmp/diff_new_pack.7nunzi/_new 2022-10-27 13:54:47.616757650 +0200 @@ -21,7 +21,7 @@ %define _libname libdbus-1-3 %bcond_without selinux Name: dbus-1 -Version: 1.14.0 +Version: 1.14.4 Release: 0 Summary: D-Bus Message Bus System License: AFL-2.1 OR GPL-2.0-or-later ++++++ dbus-1.14.0.tar.xz -> dbus-1.14.4.tar.xz ++++++ ++++ 5545 lines of diff (skipped)
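Review bot: all three spec hunks bump Version from 1.14.0 to 1.14.4 and leave Release: 0 and the surrounding %bcond_without selinux / License lines untouched, which is consistent with a pure upstream rebase; since New: adds dbus-1.14.4.tar.xz.asc next to the tarball, confirm that signature was verified against the same upstream key used for dbus-1.14.0.tar.xz.asc before the 5545 skipped lines of source diff are accepted. Given that the changelog reports a behaviour change for unix:tmpdir=... listen addresses, also check whether any session-bus configuration or sysconfig template the package installs under %{_sysconfdir} depended on the previous abstract-socket behaviour and needs a matching update in the same submission.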