Hello community,

Here is the log from the commit of package dbus-1 for openSUSE:Factory, checked in at 2014-11-26 10:35:24.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dbus-1 (Old)
 and      /work/SRC/openSUSE:Factory/.dbus-1.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "dbus-1"

Changes:
--------
--- /work/SRC/openSUSE:Factory/dbus-1/dbus-1-x11.changes        2014-11-13 
09:16:35.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.dbus-1.new/dbus-1-x11.changes   2014-11-26 
10:35:34.000000000 +0100
@@ -1,0 +2,25 @@
+Tue Nov 25 07:43:12 UTC 2014 - fst...@suse.com
+
+- Update to 1.8.12:
+  * Fixes:
+    - Partially revert the CVE-2014-3639 patch by increasing the
+      default authentication timeout on the system bus from 5
+      seconds back to 30 seconds, since this has been reported to
+      cause boot regressions for some users, mostly with parallel
+      boot (systemd) on slower hardware.
+      On fast systems where local users are considered particularly
+      hostile, administrators can return to the 5 second timeout
+      (or any other value in milliseconds) by saving this as
+      /etc/dbus-1/system-local.conf:
+      <busconfig>
+        <limit name="auth_timeout">5000</limit>
+      </busconfig>
+      (fdo#86431, Simon McVittie)
+    - Add a message in syslog/the Journal when the auth_timeout is
+      exceeded (fdo#86431, Simon McVittie)
+    - Send back an AccessDenied error if the addressed recipient is
+      not allowed to receive a message (and in builds with
+      assertions enabled, don't assert under the same conditions).
+      (fdo#86194, Jacek Bukarewicz)
+
+-------------------------------------------------------------------
dbus-1.changes: same change

Old:
----
  dbus-1.8.10.tar.gz

New:
----
  dbus-1.8.12.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ dbus-1-x11.spec ++++++
--- /var/tmp/diff_new_pack.8Uwnnf/_old  2014-11-26 10:35:35.000000000 +0100
+++ /var/tmp/diff_new_pack.8Uwnnf/_new  2014-11-26 10:35:35.000000000 +0100
@@ -27,7 +27,7 @@
 %define _unitdir %{_libexecdir}/systemd/system
 %endif
 Name:           dbus-1-x11
-Version:        1.8.10
+Version:        1.8.12
 Release:        0
 Summary:        D-Bus Message Bus System
 License:        GPL-2.0+ or AFL-2.1

dbus-1.spec: same change
++++++ dbus-1.8.10.tar.gz -> dbus-1.8.12.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.8.10/HACKING new/dbus-1.8.12/HACKING
--- old/dbus-1.8.10/HACKING     2014-11-04 15:51:05.000000000 +0100
+++ new/dbus-1.8.12/HACKING     2014-11-14 20:06:38.000000000 +0100
@@ -11,6 +11,11 @@
 Security
 ===
 
+If you find a security vulnerability that is not known to the public,
+please report it privately to dbus-secur...@lists.freedesktop.org
+or by reporting a freedesktop.org bug that is marked as
+restricted to the "D-BUS security group".
+
 Most of D-Bus is security sensitive.  Guidelines related to that:
 
  - avoid memcpy(), sprintf(), strlen(), snprintf, strlcat(),
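Review bot: The reporting paragraph added under Security in HACKING leaves out the hint that the README text in this same release carries, (you might need to "Show Advanced Fields" to have that option). Keep the two paragraphs identical, or have HACKING point at README, so the reporting instructions do not drift apart.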
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.8.10/NEWS new/dbus-1.8.12/NEWS
--- old/dbus-1.8.10/NEWS        2014-11-06 16:39:02.000000000 +0100
+++ new/dbus-1.8.12/NEWS        2014-11-24 14:01:19.000000000 +0100
@@ -1,3 +1,32 @@
+D-Bus 1.8.12 (2014-11-24)
+==
+
+The “days of fuchsia passed” release.
+
+Fixes:
+
+• Partially revert the CVE-2014-3639 patch by increasing the default
+  authentication timeout on the system bus from 5 seconds back to 30
+  seconds, since this has been reported to cause boot regressions for
+  some users, mostly with parallel boot (systemd) on slower hardware.
+
+  On fast systems where local users are considered particularly hostile,
+  administrators can return to the 5 second timeout (or any other value
+  in milliseconds) by saving this as /etc/dbus-1/system-local.conf:
+
+  <busconfig>
+    <limit name="auth_timeout">5000</limit>
+  </busconfig>
+
+  (fd.o #86431, Simon McVittie)
+
+• Add a message in syslog/the Journal when the auth_timeout is exceeded
+  (fd.o #86431, Simon McVittie)
+
+• Send back an AccessDenied error if the addressed recipient is not allowed
+  to receive a message (and in builds with assertions enabled, don't
+  assert under the same conditions). (fd.o #86194, Jacek Bukarewicz)
+
 D-Bus 1.8.10 (2014-11-10)
 ==
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.8.10/README new/dbus-1.8.12/README
--- old/dbus-1.8.10/README      2014-11-04 15:51:05.000000000 +0100
+++ new/dbus-1.8.12/README      2014-11-14 20:13:23.000000000 +0100
@@ -29,6 +29,25 @@
 only by accident; so you should evaluate carefully whether D-Bus makes
 sense for your project.
 
+Security
+==
+
+If you find a security vulnerability that is not known to the public,
+please report it privately to dbus-secur...@lists.freedesktop.org
+or by reporting a freedesktop.org bug that is marked as
+restricted to the "D-BUS security group" (you might need to "Show
+Advanced Fields" to have that option).
+
+On Unix systems, the system bus (dbus-daemon --system) is designed
+to be a security boundary between users with different privileges.
+
+On Unix systems, the session bus (dbus-daemon --session) is designed
+to be used by a single user, and only accessible by that user.
+
+We do not currently consider D-Bus on Windows to be security-supported,
+and we do not recommend allowing untrusted users to access Windows
+D-Bus via TCP.
+
 Note: low-level API vs. high-level binding APIs
 ===
 
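Review bot: The two Unix paragraphs in the new Security section state the intended boundary for dbus-daemon --system and dbus-daemon --session but do not say which transports that statement covers, while the Windows paragraph singles out TCP. Say explicitly whether the Unix guarantees assume the default local transports, so an administrator who enables another listening address knows whether the security boundary described here still applies.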
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.8.10/bus/bus.c new/dbus-1.8.12/bus/bus.c
--- old/dbus-1.8.10/bus/bus.c   2014-11-06 16:30:51.000000000 +0100
+++ new/dbus-1.8.12/bus/bus.c   2014-11-14 19:39:10.000000000 +0100
@@ -1660,7 +1660,7 @@
       complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
           "Rejected receive message", toggles,
           message, sender, proposed_recipient, requested_reply,
-          (addressed_recipient == proposed_recipient), NULL);
+          (addressed_recipient == proposed_recipient), error);
       _dbus_verbose ("security policy disallowing message due to recipient 
policy\n");
       return FALSE;
     }
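Review bot: At the complain_about_message call the last argument changes from NULL to error, so this return FALSE path now leaves error set, yet the visible part of the diff adds no test for a recipient that is denied by policy. A regression test that checks the sender gets AccessDenied would guard the fix. It is also worth confirming that every caller treats FALSE with error set on this path as a reply to send rather than an internal failure, since NEWS says builds with assertions enabled used to assert under the same conditions.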
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.8.10/bus/config-parser.c 
new/dbus-1.8.12/bus/config-parser.c
--- old/dbus-1.8.10/bus/config-parser.c 2014-11-04 15:51:05.000000000 +0100
+++ new/dbus-1.8.12/bus/config-parser.c 2014-11-22 11:49:21.000000000 +0100
@@ -438,7 +438,7 @@
        * and legitimate auth will fail.  If interactive auth (ask user for
        * password) is allowed, then potentially it has to be quite long.
        */
-      parser->limits.auth_timeout = 5000; /* 5 seconds */
+      parser->limits.auth_timeout = 30000; /* 30 seconds */
 
       /* Do not allow a fd to stay forever in dbus-daemon
        * https://bugs.freedesktop.org/show_bug.cgi?id=80559
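Review bot: The new default on the line parser->limits.auth_timeout = 30000; carries no explanation of why 30 seconds was chosen, although NEWS describes it as a partial revert of the CVE-2014-3639 patch. Extend the comment above it with a pointer to fd.o #86431 and to the auth_timeout limit that administrators can override, in the style of the bug URL in the comment just below, so a later reader does not change the value without knowing the trade-off between boot regressions and the shorter timeout.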
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.8.10/bus/connection.c 
new/dbus-1.8.12/bus/connection.c
--- old/dbus-1.8.10/bus/connection.c    2014-11-04 15:51:05.000000000 +0100
+++ new/dbus-1.8.12/bus/connection.c    2014-11-22 11:49:21.000000000 +0100
@@ -860,6 +860,14 @@
 
           if (elapsed >= (double) auth_timeout)
             {
+              /* Unfortunately, we can't identify the connection: it doesn't
+               * have a unique name yet, we don't know its uid/pid yet,
+               * and so on. */
+              bus_context_log (connections->context, DBUS_SYSTEM_LOG_INFO,
+                  "Connection has not authenticated soon enough, closing it "
+                  "(auth_timeout=%dms, elapsed: %.0fms)",
+                  auth_timeout, elapsed);
+
               _dbus_verbose ("Timing out authentication for connection %p\n", 
connection);
               dbus_connection_close (connection);
             }
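Review bot: The bus_context_log call added inside the elapsed >= (double) auth_timeout branch writes one DBUS_SYSTEM_LOG_INFO line per timed-out connection, and nothing in the hunk limits how often that happens. These connections are unauthenticated by definition, so consider rate limiting the message or stating in the comment which connection limit bounds it, to keep syslog and the Journal from being filled by clients that never authenticate. Also confirm that auth_timeout is an int, since it is passed to %d here but cast to double in the comparison.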
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.8.10/configure new/dbus-1.8.12/configure
--- old/dbus-1.8.10/configure   2014-11-06 16:40:18.000000000 +0100
+++ new/dbus-1.8.12/configure   2014-11-24 14:02:03.000000000 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for dbus 1.8.10.
+# Generated by GNU Autoconf 2.69 for dbus 1.8.12.
 #
 # Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=dbus>.
 #
@@ -591,8 +591,8 @@
 # Identity of this package.
 PACKAGE_NAME='dbus'
 PACKAGE_TARNAME='dbus'
-PACKAGE_VERSION='1.8.10'
-PACKAGE_STRING='dbus 1.8.10'
+PACKAGE_VERSION='1.8.12'
+PACKAGE_STRING='dbus 1.8.12'
 PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=dbus'
 PACKAGE_URL=''
 
@@ -1513,7 +1513,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures dbus 1.8.10 to adapt to many kinds of systems.
+\`configure' configures dbus 1.8.12 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1587,7 +1587,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of dbus 1.8.10:";;
+     short | recursive ) echo "Configuration of dbus 1.8.12:";;
    esac
   cat <<\_ACEOF
 
@@ -1784,7 +1784,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-dbus configure 1.8.10
+dbus configure 1.8.12
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2503,7 +2503,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by dbus $as_me 1.8.10, which was
+It was created by dbus $as_me 1.8.12, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3446,7 +3446,7 @@
 
 # Define the identity of the package.
  PACKAGE='dbus'
- VERSION='1.8.10'
+ VERSION='1.8.12'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -3746,7 +3746,7 @@
 
 ## increment any time the source changes; set to
 ##  0 if you increment CURRENT
-LT_REVISION=8
+LT_REVISION=9
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has
@@ -3759,8 +3759,8 @@
 
 DBUS_MAJOR_VERSION=1
 DBUS_MINOR_VERSION=8
-DBUS_MICRO_VERSION=10
-DBUS_VERSION=1.8.10
+DBUS_MICRO_VERSION=12
+DBUS_VERSION=1.8.12
 
 
 
@@ -23428,7 +23428,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by dbus $as_me 1.8.10, which was
+This file was extended by dbus $as_me 1.8.12, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -23494,7 +23494,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-dbus config.status 1.8.10
+dbus config.status 1.8.12
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.8.10/configure.ac new/dbus-1.8.12/configure.ac
--- old/dbus-1.8.10/configure.ac        2014-11-06 16:34:45.000000000 +0100
+++ new/dbus-1.8.12/configure.ac        2014-11-24 14:01:26.000000000 +0100
@@ -3,7 +3,7 @@
 
 m4_define([dbus_major_version], [1])
 m4_define([dbus_minor_version], [8])
-m4_define([dbus_micro_version], [10])
+m4_define([dbus_micro_version], [12])
 m4_define([dbus_version],
           [dbus_major_version.dbus_minor_version.dbus_micro_version])
 
AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
@@ -37,7 +37,7 @@
 
 ## increment any time the source changes; set to
 ##  0 if you increment CURRENT
-LT_REVISION=8
+LT_REVISION=9
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbus-1.8.10/ltmain.sh new/dbus-1.8.12/ltmain.sh
--- old/dbus-1.8.10/ltmain.sh   2014-09-12 16:53:14.000000000 +0200
+++ new/dbus-1.8.12/ltmain.sh   2014-11-14 19:43:30.000000000 +0100
@@ -70,7 +70,7 @@
 #         compiler:            $LTCC
 #         compiler flags:              $LTCFLAGS
 #         linker:              $LD (gnu? $with_gnu_ld)
-#         $progname:   (GNU libtool) 2.4.2 Debian-2.4.2-1.10
+#         $progname:   (GNU libtool) 2.4.2 Debian-2.4.2-1.11
 #         automake:    $automake_version
 #         autoconf:    $autoconf_version
 #
@@ -80,7 +80,7 @@
 
 PROGRAM=libtool
 PACKAGE=libtool
-VERSION="2.4.2 Debian-2.4.2-1.10"
+VERSION="2.4.2 Debian-2.4.2-1.11"
 TIMESTAMP=""
 package_revision=1.3337
 
