Your message dated Sat, 24 Jun 2023 19:47:56 +0000
with message-id <[email protected]>
and subject line Bug#1037151: fixed in dbus 1.12.28-0+deb11u1
has caused the Debian Bug report #1037151,
regarding dbus: CVE-2023-34969: denial of service when a monitor is active and a message from the driver cannot be delivered
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1037151: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037151
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dbus
Version: 1.15.4-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
Control: found -1 1.14.6-1
Control: found -1 1.12.24-0+deb11u1
If a privileged user with control over the dbus-daemon is using the
org.freedesktop.DBus.Monitoring interface to monitor message bus
traffic, then an unprivileged user with the ability to connect to the
same dbus-daemon can cause a dbus-daemon crash under some circumstances.
When done on the well-known system bus, this is a denial-of-service
vulnerability. Unfortunately, the upstream bug reporter already made
this public information. I'm in the process of releasing dbus 1.15.6,
1.14.8 and 1.12.28 to resolve this; I've also asked MITRE for a CVE ID,
but I have not received one yet.
Mitigation: This can only be done if a monitoring process such
as dbus-monitor or busctl monitor is active on the same dbus-daemon
instance, which is a privileged operation that can only be done by root
or the Unix uid of the message bus. If no monitoring process is active,
then the vulnerable code is not reached.
My guess is that the security team will not want to release DSAs for this
local denial of service, and it's more appropriate to fix in bookworm
and bullseye via their next point releases. Is that assumption correct?
Thanks,
smcv
--- End Message ---
--- Begin Message ---
Source: dbus
Source-Version: 1.12.28-0+deb11u1
Done: Simon McVittie <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated dbus package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 06 Jun 2023 15:07:35 +0100
Source: dbus
Architecture: source
Version: 1.12.28-0+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1037151
Changes:
dbus (1.12.28-0+deb11u1) bullseye; urgency=medium
.
* New upstream stable release 1.12.26
- Fixes a denial of service issue that is not relevant for the way
we compile dbus in Debian
* New upstream stable release 1.12.28
- Fixes a denial of service issue if the root or messagebus user is
monitoring messages on the system bus with the Monitoring interface
(dbus-monitor, busctl monitor, gdbus monitor or similar)
(Closes: #1037151)
--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers