#3993: dbus-1.10.12
 Reporter:  bdubbs@…     |       Owner:  lfs-book@…
     Type:  enhancement  |      Status:  new
 Priority:  high         |   Milestone:  7.11
Component:  Book         |     Version:  SVN
 Severity:  normal       |  Resolution:
 Keywords:               |
Changes (by Samuel):

 * priority:  normal => high
 * type:  task => enhancement

Old description:

> New point version.

New description:

 New point version.

 Security fixes:

 • Do not treat ActivationFailure message received from root-owned
   systemd name as a format string. In principle this is a security
   vulnerability, but we do not believe it is exploitable in practice,
   because only privileged processes can own the
   org.freedesktop.systemd1 bus name, and systemd does not appear to
   send activation failures that contain "%".

   Please note that this probably *was* exploitable in dbus versions
   older than 1.6.30, 1.8.16 and 1.9.10 due to a missing check which at
   the time was only thought to be a denial of service vulnerability
   (CVE-2015-0245). If you are still running one of those versions,
   patch or upgrade immediately.

   (fd.o #98157, Simon McVittie)



 It has come to my attention through the BLFS ticket #8424 that there is a
 security flaw in the versions before.

Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/3993#comment:1>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
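
The class of bug the release note describes, as an added C example (not dbus code and not part of the ticket): text received from a peer is used as the format argument of a printf-style error setter, shown next to the corrected call that passes it as data. All names (`demo_error`, `demo_set_error`, `report_failure_unsafe`, `report_failure_safe`, `stored_verbatim`) and the sample message are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical error record for this example; not a dbus type. */
struct demo_error { char text[128]; };

/* printf-style setter: fmt is meant to be a trusted, constant string. */
static void demo_set_error(struct demo_error *e, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(e->text, sizeof e->text, fmt, ap);
    va_end(ap);
}

/* "Before" pattern: peer-supplied text is used as the format itself.
 * Any conversion in it would consume arguments that were never passed.
 * This demo only feeds it input whose sole directive is "%%". */
void report_failure_unsafe(struct demo_error *e, const char *peer_text)
{
    demo_set_error(e, peer_text);
}

/* Fixed pattern: constant format, peer text passed as data. */
void report_failure_safe(struct demo_error *e, const char *peer_text)
{
    demo_set_error(e, "%s", peer_text);
}

/* Returns 1 when the stored text is byte-identical to the peer's text. */
int stored_verbatim(const struct demo_error *e, const char *peer_text)
{
    return strcmp(e->text, peer_text) == 0;
}

int main(void)
{
    /* Constructed sample message; "%%" takes no argument, so even the
     * unsafe path has defined behaviour for this input. */
    const char *msg = "unit start failed at 50%% of timeout";
    struct demo_error a, b;
    report_failure_unsafe(&a, msg);
    report_failure_safe(&b, msg);
    printf("unsafe: %s\nsafe:   %s\n", a.text, b.text);
    return 0;
}
```

Building callers of such a setter with `-Wformat -Wformat-security` flags non-literal format arguments once the setter is declared with the compiler's `format(printf, ...)` attribute.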