On Thu, Jun 26, 2008 at 11:06:06PM +0200, Moritz Muehlenhoff wrote:
> Package        : dbus
> Vulnerability  : programming error
> Problem type   : local
> Debian-specific: no
> CVE Id(s)      : CVE-2008-0595
>
> Havoc Pennington discovered that DBus, a simple interprocess messaging
> system, performs insufficient validation of security policies, which
> might allow local privilege escalation.
>
> We recommend that you upgrade your dbus packages.
As far as I can see, this update does not restart the dbus daemon, so the
vulnerable dbus process will run until reboot (or until a manual restart of
dbus). Have I missed anything?

----------
bash# aptitude upgrade
Reading package lists... Done
Building dependency tree... Done
Reading extended state information
Initializing package states... Done
Building tag database... Done
The following packages will be upgraded:
  dbus libdbus-1-3
2 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 620kB of archives. After unpacking 8192B will be used.
Do you want to continue? [Y/n/?]
Get:1 http://localhost etch/updates/main libdbus-1-3 1.0.2-1+etch1 [269kB]
Get:2 http://localhost etch/updates/main dbus 1.0.2-1+etch1 [351kB]
Fetched 620kB in 0s (2261kB/s)
(Reading database ... 141860 files and directories currently installed.)
Preparing to replace libdbus-1-3 1.0.2-1 (using .../libdbus-1-3_1.0.2-1+etch1_i386.deb) ...
Unpacking replacement libdbus-1-3 ...
Preparing to replace dbus 1.0.2-1 (using .../dbus_1.0.2-1+etch1_i386.deb) ...
Unpacking replacement dbus ...
Setting up libdbus-1-3 (1.0.2-1+etch1) ...
Setting up dbus (1.0.2-1+etch1) ...
Reloading system message bus config...done.
----------

Reloading != Restarting

Thank you for your work,
Alexandra.

PS: CC me, I'm not subscribed to debian-security@

-- 
Alexandra N. Kossovsky
OKTET Labs (http://www.oktetlabs.ru/)
Phones: +7(921)956-42-86(mobile) +7(812)783-21-91(office)
e-mail: [EMAIL PROTECTED]
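The practical question raised in the mail is how to tell, after an upgrade, whether a daemon is still running the pre-upgrade code. The script below is an added example, not part of the original mail or of Debian's dbus packaging. It uses the fact that dpkg unlinks the old library or binary when it installs the new one, so any process that still has the old file mapped shows it as "(deleted)" in /proc/PID/maps. It assumes a Linux /proc layout and a working pidof; the sample maps content in the test is constructed, and /dev/* pseudo-files are ignored because they are always reported as deleted.

```shell
#!/bin/sh
# Added example (not from the original mail or from Debian's dbus packaging):
# find processes that still map files replaced by a package upgrade.
# When dpkg replaces a shared library or binary, the old inode is unlinked
# but stays alive inside every process that mapped it; the kernel marks such
# mappings "(deleted)" in /proc/PID/maps. A config reload ("Reloading system
# message bus config") does not replace that code, so the old, vulnerable
# copy keeps running until the process is actually restarted.

# stale_mappings MAPS_FILE
# Print each distinct file path marked "(deleted)" in a /proc/PID/maps-style
# file, ignoring pseudo-files under /dev (e.g. /dev/zero) that are always
# shown as deleted. Exit status 0 if at least one stale mapping is found,
# 1 otherwise.
stale_mappings() {
    awk '/\(deleted\)$/ && $6 ~ /^\// && $6 !~ /^\/dev\// { print $6 }' "$1" \
        | sort -u | grep .
}

# process_needs_restart PID
# Exit 0 (and list the stale files) if the process maps replaced files.
# Assumes a Linux /proc; other users' processes are readable only as root.
process_needs_restart() {
    pid=$1
    [ -r "/proc/$pid/maps" ] || return 2
    stale_mappings "/proc/$pid/maps"
}

# check_daemon NAME
# Check every running process named NAME (e.g. dbus-daemon). Exit 0 if any
# of them needs a restart, 1 if none does or none is running.
check_daemon() {
    name=$1
    found=1
    for pid in $(pidof "$name" 2>/dev/null); do
        if files=$(process_needs_restart "$pid"); then
            echo "$name (pid $pid) still maps replaced files:"
            echo "$files" | sed 's/^/    /'
            found=0
        fi
    done
    return $found
}

# Usage: sh stale-maps.sh dbus-daemon
if [ -n "${1:-}" ]; then
    if check_daemon "$1"; then
        echo "=> restart $1; a config reload is not enough"
    else
        echo "=> no stale mappings found for $1"
    fi
fi
```

Run it as root right after the upgrade (`sh stale-maps.sh dbus-daemon`); a non-empty listing means the daemon is still executing the pre-upgrade libdbus or dbus-daemon image. This is the same heuristic that checkrestart from debian-goodies relies on, and it is worth running for every long-lived service after a library update, not only for the package named in the advisory.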

