#4470: dbus-1.12.14 (CVE-2019-12749)
--------------------+-----------------------
 Reporter:  renodr  |       Owner:  renodr
     Type:  task    |      Status:  assigned
 Priority:  high    |   Milestone:  8.5
Component:  Book    |     Version:  SVN
 Severity:  normal  |  Resolution:
 Keywords:          |
--------------------+-----------------------
Changes (by renodr):

 * priority:  normal => high


Comment:

 Now 1.12.16, containing a fix for CVE-2019-12749

 {{{
 dbus is the reference implementation of D-Bus, a message bus for
 communication between applications and system services.

 This is a stable-branch security fix release. Upgrading is recommended,
 unless you are following the older security-fix-only stable branch 1.10.x.

 <http://dbus.freedesktop.org/releases/dbus/dbus-1.12.16.tar.gz>
 <http://dbus.freedesktop.org/releases/dbus/dbus-1.12.16.tar.gz.asc>
 git tag: dbus-1.12.16

 The “tree cat” release.

 Security fixes:

 • CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
   authentication for identities that differ from the user running the
   DBusServer. Previously, a local attacker could manipulate symbolic
   links in their own home directory to bypass authentication and connect
   to a DBusServer with elevated privileges. The standard system and
   session dbus-daemons in their default configuration were immune to this
   attack because they did not allow DBUS_COOKIE_SHA1, but third-party
   users of DBusServer such as Upstart could be vulnerable.
   Thanks to Joe Vennix of Apple Information Security.
   (dbus#269, Simon McVittie)

 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/4470#comment:2>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
-- 
http://lists.linuxfromscratch.org/listinfo/lfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
