In order to fix CVE-2008-4311 the default permissions on the system bus have been tightened up. This has revealed bugs in the configurations shipped with a number of services using the system bus which relied on the broken behaviour and will now break. We've been using <http://wiki.debian.org/DBusPermissions> to track the resulting mess.
i386 binaries and source for a version of dbus targeted at lenny are available from <http://people.debian.org/~smcv/dbus-cve-2008-4311/>. This has the correct deny-by-default policy, and logs to syslog (auth.log) when messages are disallowed. Please test D-Bus-related packages with this version, or with the new upstream version in experimental (which has the same deny-by-default policy but a bit less logging).

However, there are known regressions in hal, ConsoleKit, PolicyKit, system-tools-backends and bluez-utils with this version of dbus, so don't install it until their RC bugs have been fixed if you rely heavily on these packages. (hal mostly works, but RF kill-switches and cpufreq manipulation are known to be broken; the bug I filed has a patch which works for me, and might work for you too. Similarly, system-tools-backends' bug has a patch that works for me. I haven't tested the other RC-buggy packages myself.)

At the Cambridge BSP we've been through all the packages that install system bus configuration, checking for obvious problems in the configuration, and tested some of the more popular ones. However, we weren't able to test everything, so these packages (maintainers Cc'd) particularly need testing:

    kerneloops
    mumble
    network-manager-openvpn
    network-manager-pptp
    network-manager-vpnc
    pathfinder
    smart-notifier
    yum

Thanks,
    Simon
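The check the message asks maintainers to do by hand, as an added example (not code from the dbus project, the lenny backport, or any Debian package): it loads a trimmed deny-by-default system.conf together with a service's /etc/dbus-1/system.d file, asks whether an unprivileged client can still make method calls to the name the service owns, and flags `<allow>` rules that name an interface or member without a `send_destination`, since those admit that interface on every destination rather than just the service. The XML files, the `org.example.Frobnicator` name and the lint messages are constructed for the example. The modelled rule semantics (policies gathered as context="default", then the connection's user= policies, then context="mandatory", with the last matching rule winning; an `<allow>` naming `send_interface` not matching a message that carries no interface header while a `<deny>` naming it does) follow dbus-daemon's bus/policy.c as the example's author understands it and should be checked against the dbus version you ship; `own`, group=, at_console= and receive_* rules are deliberately not modelled.

```python
"""Lint D-Bus system bus policy files against a deny-by-default system.conf.

Added example for the CVE-2008-4311 transition; not dbus project code.
Assumptions: rule order is default -> user -> mandatory, last match wins;
only send_* attributes decide whether a message may be sent; an <allow>
with send_interface skips interface-less messages, a <deny> with it does
not (mirrors bus/policy.c as recalled; verify against your dbus).
All XML below is constructed for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

SEND_ATTRS = ("send_destination", "send_interface", "send_member", "send_type")


@dataclass
class Message:
    destination: Optional[str]
    interface: Optional[str] = None
    member: Optional[str] = None
    msg_type: str = "method_call"  # method_call, method_return, error, signal


@dataclass
class Rule:
    allow: bool
    attrs: Dict[str, str]

    def matches(self, m: Message) -> bool:
        """Every attribute the rule names must match; own= / receive_* rules
        are never consulted when deciding whether a message may be sent."""
        a = self.attrs
        if not any(k in a for k in SEND_ATTRS):
            return False
        if a.get("send_type", m.msg_type) != m.msg_type:
            return False
        if a.get("send_destination", m.destination) != m.destination:
            return False
        if a.get("send_member", m.member) != m.member:
            return False
        if "send_interface" in a:
            if m.interface is None:
                return not self.allow  # a deny still bites, an allow does not help
            if a["send_interface"] != m.interface:
                return False
        return True


def load_rules(conf_texts: List[str], user: str) -> List[Rule]:
    """system.conf <includedir>s /etc/dbus-1/system.d, so service files are
    parsed after it and their rules land later in the list, where they can
    override the default <deny send_type="method_call"/>."""
    buckets: Dict[str, List[Rule]] = {"default": [], "user": [], "mandatory": []}
    for text in conf_texts:
        for pol in ET.fromstring(text).iter("policy"):
            if pol.get("user") == user:
                key = "user"
            elif pol.get("context") in buckets:
                key = pol.get("context")
            else:
                continue  # other users' policies, group= and at_console=: not modelled
            buckets[key] += [Rule(el.tag == "allow", dict(el.attrib))
                             for el in pol if el.tag in ("allow", "deny")]
    return buckets["default"] + buckets["user"] + buckets["mandatory"]


def may_send(rules: List[Rule], m: Message) -> bool:
    verdict = False  # nothing matched: denied
    for r in rules:
        if r.matches(m):
            verdict = r.allow  # last matching rule wins
    return verdict


# Trimmed stand-in for the post-CVE system.conf default policy (constructed).
SYSTEM_CONF = """<busconfig>
  <policy context="default">
    <deny own="*"/>
    <deny send_type="method_call"/>
    <allow send_type="signal"/>
  </policy>
</busconfig>"""

# Pre-transition style: owns the name, denies one interface, and relied on the
# old effectively allow-everything default for all other calls (constructed).
BROKEN_SERVICE = """<busconfig>
  <policy user="root"><allow own="org.example.Frobnicator"/></policy>
  <policy context="default">
    <deny send_destination="org.example.Frobnicator"
          send_interface="org.example.Frobnicator.Admin"/>
  </policy>
</busconfig>"""

# Corrected: allow calls to the service's name explicitly, then carve the
# admin interface out for everyone but root. The allow is scoped by
# send_destination, so it opens nothing else on the bus (constructed).
FIXED_SERVICE = """<busconfig>
  <policy user="root"><allow own="org.example.Frobnicator"/></policy>
  <policy context="default">
    <allow send_destination="org.example.Frobnicator"/>
    <deny send_destination="org.example.Frobnicator"
          send_interface="org.example.Frobnicator.Admin"/>
  </policy>
  <policy user="root">
    <allow send_destination="org.example.Frobnicator"
           send_interface="org.example.Frobnicator.Admin"/>
  </policy>
</busconfig>"""


def lint_service(service_conf: str, system_conf: str = SYSTEM_CONF) -> List[str]:
    """Two checks worth running over every file in /etc/dbus-1/system.d."""
    problems: List[str] = []
    rules = load_rules([system_conf, service_conf], user="nobody")
    root = ET.fromstring(service_conf)
    for name in [el.get("own") for el in root.iter("allow") if el.get("own")]:
        probe = Message(name, "org.freedesktop.DBus.Introspectable", "Introspect")
        if not may_send(rules, probe):
            problems.append(f"{name}: unprivileged clients cannot call it")
    for pol in root.iter("policy"):
        if pol.get("context") != "default":
            continue
        for el in pol.iter("allow"):
            if "send_destination" not in el.attrib and (
                    "send_interface" in el.attrib or "send_member" in el.attrib):
                attrs = " ".join(f'{k}="{v}"' for k, v in el.attrib.items())
                problems.append(f"over-broad <allow {attrs}/>: matches every destination")
    return problems


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_SERVICE), ("fixed", FIXED_SERVICE)):
        print(label, lint_service(conf) or "OK")
```

Two things the run shows that reading the files does not: under the fixed policy a method call to org.example.Frobnicator that omits the INTERFACE header is still denied, because the interface-specific `<deny>` matches interface-less messages while an `<allow send_interface=...>` would not, so dropping the header is not a way round the admin carve-out; and an `<allow send_interface="org.example.Frobnicator"/>` written without `send_destination` passes the lint's reachability probe for nothing while letting any user call that interface on any connection, which is the over-broad pattern to look for when reviewing the packages listed above.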