This bug was fixed in the package dbus - 1.14.4-1ubuntu1
---
dbus (1.14.4-1ubuntu1) lunar; urgency=medium
* Merge from Debian unstable (LP: #1999258). Remaining changes:
- Add aa-get-connection-apparmor-security-context.patch: This is not
intended for upstream inclusion. It implements a bus method
(GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
security context but upstream D-Bus has recently added a generic way of
getting a connection's security credentials (GetConnectionCredentials).
Ubuntu should carry this patch until packages in the archive are moved
over to the new, generic method of getting a connection's credentials.
- Add dont-stop-dbus.patch: Don't stop D-Bus in the service unit.
- Rework ubuntu/dont-stop-dbus.patch to actually make dbus.service _and_
dbus.socket to not be part of the shutdown transaction. And yet make it
possible to still stop/kill/restart dbus.service if one really wants to,
because it is stuck and stopped responding to any commands. This allows
allows to restart dbus.service with needrestart. However a finalrd hook
might still be needed, to kill dbus-daemon for good, once we pivot off
rootfs.
- Rework d/p/ubuntu/dont-stop-dbus.patch to avoid a deadlock during boot
- debian/dbus.postinst, debian/rules: Don't start D-Bus on package
installation, as that doesn't work any more with dont-stop-dbus.patch.
Instead, start dbus.socket in postinst, which will then start D-Bus on
demand after package installation.
- Prevent dbus from being restarted on upgrade
- git configuration changes for Ubuntu (d/gbp.conf, d/.gitignore)
- d/control: Add M-A: foreign to the new dbus-{session,system}-bus-common
packages to permit the resolver to use them to satisfy i386 dependencies
* Removed patches obsoleted/merged by upstream:
- Make autopkgtests cross-test-friendly.
- SECURITY UPDATE: Assertion failure in dbus-marshal-validate
- debian/patches/CVE-2022-42010.patch: Check brackets in signature nest
correctly
- CVE-2022-42010
- SECURITY UPDATE: Out-of-bound access in dbus-marshal-validate
- debian/patches/CVE-2022-42011.patch: Validate length of arrays of
fixed-length items
- CVE-2022-42011
- SECURITY UPDATE: Out-of-bound access in dbus-marshal-byteswap
- debian/patches/CVE-2022-42012.patch: Byte-swap Unix fd indexes if
needed
- CVE-2022-42012
* d/p/u/concrete-dbus-socket.patch: Add the "real" path used by the apparmor
autopkgtest to the apparmor profile in the test
-- Dave Jones Fri, 09 Dec 2022 15:00:27
+
** Changed in: dbus (Ubuntu)
Status: New => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-42010
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-42011
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-42012
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1999258
Title:
Please merge dbus 1.14.4-1 from Debian unstable.
Status in dbus package in Ubuntu:
Fix Released
Bug description:
Please merge dbus 1.14.4-1 from Debian unstable.
Updated changelog and diff against Debian unstable to be attached
below.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1999258/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
