Hi Miloslav, regarding CVE-2013-4288, do youd which versions of polkit are affected by this issue? Since the changelog talks about deprecating racy APIs, does that mean, polkit clients need to be updated as well for the fix to be effective? Given that, do you have a list of vulnerable/affected packages?
Thanks Michael 2013/9/18 Miloslav Trmač <m...@redhat.com>: > Hello, > polkit-0.112 is available at > http://www.freedesktop.org/software/polkit/releases/polkit-0.112.tar.gz > http://www.freedesktop.org/software/polkit/releases/polkit-0.112.tar.gz.sign > > -------------- > polkit 0.112 > -------------- > > NOTE: This release is an important security update, see below. > > WARNING WARNING WARNING: This is a prerelease on the road to polkit > 1.0. Public API might change and certain parts of the code still needs > some security review. Use at your own risk. > > This is polkit 0.112. > > Highlights: > This release fixes CVE-2013-4288: Race condition with process subjects that > do > not have securely determined uid. > > pkcheck(1) now supports a new format for the --process argument; all > applications need to use the new format to avoid a race condition (or use > --system-bus-name to identify the process instead). > > Similarly, applications using the API should always use > polkit_unix_process_new_for_owner(). polkit_unix_process_new() and > polkit_unix_process_new_full() are unsafe and have been deprecated. > > Thanks to Sebastian Krahmer of the SUSE Security Team for reporting this > issue. > > Build requirements > > glib, gobject, gio >= 2.30 > mozjs185 or mozjs-17.0 > gobject-introspection >= 0.6.2 (optional) > pam (optional) > ConsoleKit OR systemd > > Changes since polkit 0.111: > > Colin Walters (2): > polkitunixprocess: Deprecate racy APIs > pkcheck: Support --process=pid,start-time,uid syntax too > > Miloslav Trmač (1): > Post-release version bump to 0.112 > > Tomas Bzatek (1): > Use GOnce for interface type registration > > Tomas Chvatal (2): > Add czech translation po file to distribution. > Update the czech once more with newest pot file. > > Thanks to our contributors. > > Colin Walters and Miloslav Trmač, > September 18, 2013 > _______________________________________________ > polkit-devel mailing list > polkit-devel@lists.freedesktop.org > http://lists.freedesktop.org/mailman/listinfo/polkit-devel -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? _______________________________________________ polkit-devel mailing list polkit-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/polkit-devel
